Heap buffer overflow in OP_GETUPVAR #3668

clayton-shopify · 2017-05-26T15:06:18Z

The following input demonstrates a crash when supplied to mirb:

a = []
f = Fiber.new do
    x
end
[].call f.resume
g = Fiber.new do end
x = {}
r = RangeError.new x = []
a = Fiber.new do
    r.to_a
end
class Z < a
end
r.resume

ASAN report:

==70995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000088f0 at pc 0x000102bb32f8 bp 0x7fff5d44c850 sp 0x7fff5d44c000
READ of size 16 at 0x6060000088f0 thread T0
    #0 0x102bb32f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
    #1 0x102913228 in mrb_vm_exec vm.c:1073
    #2 0x10290da5f in mrb_vm_run vm.c:860
    #3 0x1027ab6f9 in main mirb.c:549
    #4 0x7fff8c15e234 in start (libdyld.dylib:x86_64+0x5234)

0x6060000088f0 is located 16 bytes to the left of 49-byte region [0x606000008900,0x606000008931)
allocated by thread T0 here:
    #0 0x102bbc520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x1028a14df in mrb_default_allocf state.c:57
    #2 0x102822158 in mrb_realloc_simple gc.c:203
    #3 0x1028228ae in mrb_realloc gc.c:217
    #4 0x102823333 in mrb_malloc gc.c:238
    #5 0x1028a53cc in str_new string.c:73
    #6 0x1028a4ebf in mrb_str_new string.c:193
    #7 0x1027ca62e in packed_backtrace backtrace.c:177
    #8 0x1027ca0b5 in mrb_keep_backtrace backtrace.c:190
    #9 0x10280d535 in mrb_exc_set error.c:249
    #10 0x10280e397 in mrb_exc_raise error.c:260
    #11 0x102810dbd in raise_va error.c:345
    #12 0x102810984 in mrb_raisef error.c:354
    #13 0x1027d3ec2 in mrb_vm_define_class class.c:289
    #14 0x1029390c4 in mrb_vm_exec vm.c:2562
    #15 0x10290da5f in mrb_vm_run vm.c:860
    #16 0x1027ab6f9 in main mirb.c:549
    #17 0x7fff8c15e234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c0c000010c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c000010d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c000010e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c000010f0: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
  0x1c0c00001100: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
=>0x1c0c00001110: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa[fa]fa
  0x1c0c00001120: 00 00 00 00 00 00 01 fa fa fa fa fa 00 00 00 00
  0x1c0c00001130: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c0c00001140: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x1c0c00001150: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x1c0c00001160: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==70995==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi

The text was updated successfully, but these errors were encountered:

…ruby#4104

matz added a commit that referenced this issue May 27, 2017

Avoid unsharing env when context (mrb->c) differs; ref #3668

57ffa1c

matz closed this as completed in 34dd258 May 27, 2017

matz added a commit that referenced this issue Nov 19, 2018

The current context may be changed in mrb_vm_exec; ref #3668 #4104

31a961a

ksekimoto added a commit to ksekimoto/mruby that referenced this issue Jul 16, 2021

The current context may be changed in mrb_vm_exec; ref mruby#3668 m…

3bd0be9

…ruby#4104

Heap buffer overflow in OP_GETUPVAR #3668

Heap buffer overflow in OP_GETUPVAR #3668

Comments

clayton-shopify commented May 26, 2017