Segfault (invalid read) in get_file #3669

Closed
clayton-shopify opened this Issue May 26, 2017 · 1 comment

clayton-shopify commented May 26, 2017

The following input demonstrates a crash when supplied to mirb:

def a
  yield
ensure
  lambda { return }.call
end

lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a {} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{ return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{a a { return proc{}} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }} }}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{ return proc{ return proc{ return proc{ return proc{ return proc{ return proc{}}}}}}}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call
lambda { a {a a { return proc{}} } }.call

ASAN report:

==71056==ERROR: AddressSanitizer: SEGV on unknown address 0x7fff00018bc8 (pc 0x00010fb358c5 bp 0x7fff50125fb0 sp 0x7fff50125e80 T0)
==71056==The signal is caused by a READ memory access.
    #0 0x10fb358c4 in get_file debug.c:19
    #1 0x10fb356d0 in mrb_debug_get_filename debug.c:59
    #2 0x10fcc5d06 in mrb_proc_inspect (mirb:x86_64+0x1001f0d06)
    #3 0x10fc2ef32 in mrb_funcall_with_block vm.c:451
    #4 0x10fc2c71a in mrb_funcall_with_block vm.c:367
    #5 0x10fc2bf07 in mrb_funcall_argv vm.c:468
    #6 0x10fc2b97e in mrb_funcall vm.c:352
    #7 0x10fad954b in p mirb.c:92
    #8 0x10fad7ee4 in main mirb.c:564
    #9 0x7fff8c15e234 in start (libdyld.dylib:x86_64+0x5234)

==71056==Register values:
rax = 0x00007fff00018bc8  rbx = 0x00007fff501261c0  rcx = 0x0000000000000002  rdx = 0x0000000000000000
rdi = 0x00001fffe0003179  rsi = 0x00007fff00018bc8  rbp = 0x00007fff50125fb0  rsp = 0x00007fff50125e80
 r8 = 0x0000100000000000   r9 = 0x0000100000000000  r10 = 0x0000100000000000  r11 = 0xffffffffffffffe0
r12 = 0x00007fff50126100  r13 = 0x00007fff50126120  r14 = 0x00007fff501260c0  r15 = 0x00007fff501260e0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV debug.c:19 in get_file
==71056==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong

clayton-shopify commented May 26, 2017
A second input producing what appears to be the same crash (and can be supplied to mruby instead of mirb):

def a
  yield
ensure
  GC.start
end
+lambda { a { a { a { return proc{} } } } }.call

This input was reported by https://hackerone.com/flamezzz
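Added example, not part of this issue or of the mruby project: a small Python triage helper that parses the AddressSanitizer report above into structured fields (error kind, faulting address, READ/WRITE, stack frames) and buckets crashes by their top frames. That bucketing is the usual way to check a claim like "a second input producing what appears to be the same crash" across a batch of fuzzer findings. The first report is the one from the issue, embedded inline; the second report is constructed for illustration (the issue does not include a trace for the second input) and only shares the top three frames, so it lands in the same bucket despite different addresses and a different outer call chain.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Report from the issue above, embedded so the script runs offline.
SAMPLE_REPORT = """\
==71056==ERROR: AddressSanitizer: SEGV on unknown address 0x7fff00018bc8 (pc 0x00010fb358c5 bp 0x7fff50125fb0 sp 0x7fff50125e80 T0)
==71056==The signal is caused by a READ memory access.
    #0 0x10fb358c4 in get_file debug.c:19
    #1 0x10fb356d0 in mrb_debug_get_filename debug.c:59
    #2 0x10fcc5d06 in mrb_proc_inspect (mirb:x86_64+0x1001f0d06)
    #3 0x10fc2ef32 in mrb_funcall_with_block vm.c:451
    #4 0x10fc2c71a in mrb_funcall_with_block vm.c:367
    #5 0x10fc2bf07 in mrb_funcall_argv vm.c:468
    #6 0x10fc2b97e in mrb_funcall vm.c:352
    #7 0x10fad954b in p mirb.c:92
    #8 0x10fad7ee4 in main mirb.c:564
    #9 0x7fff8c15e234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: SEGV debug.c:19 in get_file
"""

# CONSTRUCTED second report (not from the issue): same top frames, different
# pid, addresses and outer frames, standing in for a trace from the mruby binary.
CONSTRUCTED_REPORT_2 = """\
==71122==ERROR: AddressSanitizer: SEGV on unknown address 0x7fff00031c10 (pc 0x0001059a18c5 bp 0x7fff5b2a1fb0 sp 0x7fff5b2a1e80 T0)
==71122==The signal is caused by a READ memory access.
    #0 0x1059a18c4 in get_file debug.c:19
    #1 0x1059a16d0 in mrb_debug_get_filename debug.c:59
    #2 0x105b31d06 in mrb_proc_inspect (mruby:x86_64+0x1001f0d06)
    #3 0x105a9af32 in mrb_funcall_with_block vm.c:451
    #4 0x1058fd4a1 in main (mruby:x86_64+0x1000014a1)
SUMMARY: AddressSanitizer: SEGV debug.c:19 in get_file
"""

HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[A-Za-z-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?"
)
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>\S+)\s+(?P<loc>.+?)\s*$"
)
# Frames belonging to the sanitizer runtime itself are not useful for bucketing.
RUNTIME_PREFIXES = ("__asan", "__interceptor", "__sanitizer")


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "debug.c:19", or "(module+offset)" when no debug info


@dataclass
class AsanCrash:
    pid: int
    kind: str                # "SEGV", "heap-use-after-free", ...
    address: Optional[int]   # faulting address when ASAN prints one
    access: Optional[str]    # "READ" / "WRITE" when ASAN reports it
    frames: List[Frame]


def parse_asan_report(text: str) -> AsanCrash:
    """Parse the first ERROR header, the access type and the #N frames of a report."""
    pid, kind, address, access = 0, None, None, None
    frames: List[Frame] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m and kind is None:
            pid = int(m.group("pid"))
            kind = m.group("kind")
            address = int(m.group("addr"), 16) if m.group("addr") else None
            continue
        m = ACCESS_RE.search(line)
        if m:
            access = m.group("access")
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group("idx")), m.group("func"), m.group("loc")))
    if kind is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return AsanCrash(pid, kind, address, access, frames)


def crash_signature(crash: AsanCrash, depth: int = 3) -> Tuple[str, ...]:
    """Top-`depth` function names, skipping sanitizer runtime frames; the bucket key."""
    funcs = [f.function for f in crash.frames if not f.function.startswith(RUNTIME_PREFIXES)]
    return tuple(funcs[:depth])


def same_bucket(a: AsanCrash, b: AsanCrash, depth: int = 3) -> bool:
    return crash_signature(a, depth) == crash_signature(b, depth)


def classify_segv(crash: AsanCrash) -> str:
    """Coarse label: ASAN only says 'unknown address', so split near-null from wild reads/writes."""
    if crash.kind != "SEGV" or crash.address is None:
        return crash.kind
    access = (crash.access or "access").lower()
    where = "near-null" if crash.address < 0x1000 else "wild-address"
    return f"SEGV {where} {access}"


def triage_line(crash: AsanCrash) -> str:
    return f"{classify_segv(crash)} in {' < '.join(crash_signature(crash))} (pid {crash.pid})"


if __name__ == "__main__":
    first = parse_asan_report(SAMPLE_REPORT)
    second = parse_asan_report(CONSTRUCTED_REPORT_2)
    print(triage_line(first))
    print(triage_line(second))
    print("same bucket:", same_bucket(first, second))
```

The signature deliberately uses function names only, not addresses or the `(module+offset)` locations, because those differ between the mirb and mruby binaries even when the underlying defect is identical; three frames is a common default, and raising `depth` splits buckets that differ only in how the faulting function was reached.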

@matz matz closed this in 02670ff May 29, 2017
