
Null pointer dereference in mrb_vm_exec #3673

Closed
clayton-shopify opened this Issue May 29, 2017 · 0 comments

@clayton-shopify
Contributor

clayton-shopify commented May 29, 2017

The following input demonstrates a crash:

```ruby
def a
  # yield inside a fiber body calls back into the block passed to `a`
  Fiber.new { yield }.resume
end
# the block passed to `a` performs a non-local `return` from inside the lambda
1.times { lambda { a { return } }.call }
```

ASAN report:

```
ASAN:DEADLYSIGNAL
=================================================================
==11180==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00010289f5a8 bp 0x7fff5d4da030 sp 0x7fff5d4d2140 T0)
==11180==The signal is caused by a READ memory access.
==11180==Hint: address points to the zero page.
    #0 0x10289f5a7 in mrb_vm_exec (mruby:x86_64+0x10017b5a7)
    #1 0x102886aa3 in mrb_vm_run (mruby:x86_64+0x100162aa3)
    #2 0x1028bacdf in mrb_top_run (mruby:x86_64+0x100196cdf)
    #3 0x10298cdd5 in mrb_load_exec (mruby:x86_64+0x100268dd5)
    #4 0x10298d725 in mrb_load_file_cxt (mruby:x86_64+0x100269725)
    #5 0x102725f06 in main mruby.c:227
    #6 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==11180==Register values:
rax = 0x0000000000000018  rbx = 0xf2f2f200f2f20000  rcx = 0x0000000000000018  rdx = 0x0000100000000003
rdi = 0x000061400000a460  rsi = 0x0000100000000000  rbp = 0x00007fff5d4da030  rsp = 0x00007fff5d4d2140
 r8 = 0x0000100000000000   r9 = 0x2493106171cc0000  r10 = 0x00007fff5d4d1a80  r11 = 0x00001e6f5d4ca960
r12 = 0xf2f20000f1f1f1f1  r13 = 0x00001fffeba9b248  r14 = 0xf2f20000f2f2f2f2  r15 = 0xf2f2f2f2f2040000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (mruby:x86_64+0x10017b5a7) in mrb_vm_exec
==11180==ABORTING
Abort trap: 6
```

This issue was reported by https://hackerone.com/ahihi
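An added example, not part of this issue or of the mruby project: a small Python crash-triage script that parses an AddressSanitizer report like the one above, pulls out the process id, the fault kind, the fault address, the access type and the first stack trace, and buckets a SEGV whose address lies inside the zero page as a null-pointer dereference. That is exactly what the report's `Hint: address points to the zero page` line and the fault address `0x18` (a small field offset from a NULL pointer, read in `mrb_vm_exec`) indicate. The report text from the issue is embedded as the sample input so the script runs offline; the `AsanCrash`/`Frame` data classes, the `classify` buckets and the `crash_signature` format are this example's own choices, not anything ASAN or mruby define.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the ASAN report from the issue above, embedded so the
# script runs offline. A real triage run would read this from a crash log file.
SAMPLE_REPORT = """\
ASAN:DEADLYSIGNAL
=================================================================
==11180==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00010289f5a8 bp 0x7fff5d4da030 sp 0x7fff5d4d2140 T0)
==11180==The signal is caused by a READ memory access.
==11180==Hint: address points to the zero page.
    #0 0x10289f5a7 in mrb_vm_exec (mruby:x86_64+0x10017b5a7)
    #1 0x102886aa3 in mrb_vm_run (mruby:x86_64+0x100162aa3)
    #2 0x1028bacdf in mrb_top_run (mruby:x86_64+0x100196cdf)
    #3 0x10298cdd5 in mrb_load_exec (mruby:x86_64+0x100268dd5)
    #4 0x10298d725 in mrb_load_file_cxt (mruby:x86_64+0x100269725)
    #5 0x102725f06 in main mruby.c:227
    #6 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: SEGV (mruby:x86_64+0x10017b5a7) in mrb_vm_exec
==11180==ABORTING
"""

# "==<pid>==ERROR: AddressSanitizer: <kind> on [unknown ]address 0x<addr> ..."
ERROR_RE = re.compile(
    r"^==(\d+)==ERROR: AddressSanitizer: ([\w-]+)"
    r"(?: on (?:unknown )?address 0x([0-9a-fA-F]+))?")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# "    #<n> 0x<pc> in <function> <module+offset or file:line>"
FRAME_RE = re.compile(r"^\s*#(\d+) 0x([0-9a-fA-F]+) in (\S+) (.*)$")

PAGE_SIZE = 0x1000  # a fault address below this lies in the zero page


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    location: str


@dataclass
class AsanCrash:
    pid: int
    kind: str                 # e.g. "SEGV" or "heap-buffer-overflow"
    address: Optional[int]    # fault address, None if ASAN printed none
    access: Optional[str]     # "READ" / "WRITE" when ASAN reports it
    frames: List[Frame] = field(default_factory=list)

    @property
    def top_frame(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None


def parse_asan_report(text: str) -> AsanCrash:
    """Parse the ERROR header, the access-type hint and the first stack trace."""
    crash: Optional[AsanCrash] = None
    in_stack = False
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m and crash is None:
            pid, kind, addr = m.groups()
            crash = AsanCrash(pid=int(pid), kind=kind,
                              address=int(addr, 16) if addr else None, access=None)
            continue
        if crash is None:
            continue  # skip the DEADLYSIGNAL banner and separator before the header
        m = ACCESS_RE.search(line)
        if m:
            crash.access = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            in_stack = True
            idx, pc, func, loc = m.groups()
            crash.frames.append(Frame(int(idx), int(pc, 16), func, loc.strip()))
        elif in_stack:
            break  # first stack ended; later stacks (allocation sites etc.) are ignored
    if crash is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return crash


def classify(crash: AsanCrash) -> str:
    """Coarse bucket used for deduplication; a SEGV in the zero page is a null deref."""
    if crash.kind == "SEGV":
        if crash.address is not None and crash.address < PAGE_SIZE:
            return "null-deref"   # small offset from NULL: a field read through a null pointer
        return "wild-pointer"
    return crash.kind


def crash_signature(crash: AsanCrash, depth: int = 3) -> str:
    """Stable key for grouping identical crashes: kind plus the top frames' functions."""
    return "|".join([crash.kind] + [f.function for f in crash.frames[:depth]])


def triage_summary(crash: AsanCrash) -> str:
    top = crash.top_frame
    where = f"{top.function} {top.location}" if top else "<no stack>"
    addr = f"0x{crash.address:x}" if crash.address is not None else "?"
    return f"{classify(crash)} {crash.access or '?'} @ {addr} in {where}"


if __name__ == "__main__":
    c = parse_asan_report(SAMPLE_REPORT)
    print(triage_summary(c))   # null-deref READ @ 0x18 in mrb_vm_exec (mruby:x86_64+0x10017b5a7)
    print(crash_signature(c))  # SEGV|mrb_vm_exec|mrb_vm_run|mrb_top_run
```

The zero-page test is the useful part: a read fault at a tiny address such as `0x18` means the interpreter followed a NULL pointer to a struct field, which is what distinguishes this report from an out-of-bounds or use-after-free finding that ASAN would have labelled explicitly. `crash_signature` ignores the load addresses, which change between runs and builds, so repeated reports of the same defect collapse into one bucket.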

@matz matz closed this in ef11584 May 30, 2017
