Null pointer dereference in mrb_obj_iv_get #3672

Closed
clayton-shopify opened this Issue May 29, 2017 · 0 comments

clayton-shopify commented May 29, 2017

The following input demonstrates a crash:

ObjectSpace.each_object {|x| p x }
ObjectSpace.each_object {|x| p x }
ObjectSpace.each_object {|x| p x }

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==9601==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00010b69eca7 bp 0x7fff5468d7d0 sp 0x7fff5468d660 T0)
==9601==The signal is caused by a READ memory access.
==9601==Hint: address points to the zero page.
    #0 0x10b69eca6 in mrb_obj_iv_get variable.c:473
    #1 0x10b59cc2c in mrb_class_path class.c:1595
    #2 0x10b59e46f in mrb_class_name class.c:1644
    #3 0x10b59ef52 in mrb_obj_classname class.c:1656
    #4 0x10b63a96a in mrb_any_to_s object.c:442
    #5 0x10b60358f in mrb_method_missing kernel.c:936
    #6 0x10b6cb24b in mrb_vm_exec vm.c:1291
    #7 0x10b6c0aa3 in mrb_vm_run vm.c:862
    #8 0x10b6b893e in mrb_run vm.c:2748
    #9 0x10b6beae6 in mrb_yield_with_class vm.c:715
    #10 0x10b6bf7c8 in mrb_yield vm.c:735
    #11 0x10b7621bf in os_each_object_cb mruby_objectspace.c:140
    #12 0x10b5dcb88 in gc_each_objects gc.c:1498
    #13 0x10b5dc654 in mrb_objspace_each_objects gc.c:1520
    #14 0x10b760f76 in os_each_object mruby_objectspace.c:172
    #15 0x10b6cc256 in mrb_vm_exec vm.c:1329
    #16 0x10b6c0aa3 in mrb_vm_run vm.c:862
    #17 0x10b6f4cdf in mrb_top_run vm.c:2763
    #18 0x10b7c6dd5 in mrb_load_exec parse.y:5780
    #19 0x10b7c7725 in mrb_load_file_cxt parse.y:5789
    #20 0x10b55ff06 in main mruby.c:227
    #21 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==9601==Register values:
rax = 0x0000000000000018  rbx = 0x00007fff5468d6c0  rcx = 0x000061400000a440  rdx = 0x00001fffea8d1acc
rdi = 0x00007fff5468d680  rsi = 0x0000000000000000  rbp = 0x00007fff5468d7d0  rsp = 0x00007fff5468d660
 r8 = 0x00007fff5468d6a0   r9 = 0x00000000000002a2  r10 = 0x0000000000000018  r11 = 0x0000100000000003
r12 = 0x00007fff5468d820  r13 = 0x00007fff5468d840  r14 = 0x0000100000000000  r15 = 0x00007fff5468d800
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV variable.c:473 in mrb_obj_iv_get
==9601==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong

@matz matz closed this in 4b15d5d May 30, 2017