Null pointer dereference in mrb_obj_iv_get #3676

Closed
clayton-shopify opened this Issue May 30, 2017 · 0 comments

@clayton-shopify
Contributor

clayton-shopify commented May 30, 2017

The following input demonstrates a crash:

h = {}
a =String [a]

It seems the problem was caused by abed375.

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==20379==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00010d2b3ce7 bp 0x7fff52a78210 sp 0x7fff52a780a0 T0)
==20379==The signal is caused by a READ memory access.
==20379==Hint: address points to the zero page.
    #0 0x10d2b3ce6 in mrb_obj_iv_get (mruby:x86_64+0x100140ce6)
    #1 0x10d1b1c6c in mrb_class_path (mruby:x86_64+0x10003ec6c)
    #2 0x10d1b34af in mrb_class_name (mruby:x86_64+0x1000404af)
    #3 0x10d1b3f92 in mrb_obj_classname (mruby:x86_64+0x100040f92)
    #4 0x10d24f9aa in mrb_any_to_s (mruby:x86_64+0x1000dc9aa)
    #5 0x10d2185cf in mrb_method_missing (mruby:x86_64+0x1000a55cf)
    #6 0x10d2e028b in mrb_vm_exec (mruby:x86_64+0x10016d28b)
    #7 0x10d2d5ae3 in mrb_vm_run (mruby:x86_64+0x100162ae3)
    #8 0x10d2cd97e in mrb_run (mruby:x86_64+0x10015a97e)
    #9 0x10d2cb304 in mrb_funcall_with_block (mruby:x86_64+0x100158304)
    #10 0x10d2c7ed7 in mrb_funcall_argv (mruby:x86_64+0x100154ed7)
    #11 0x10d24c9be in convert_type (mruby:x86_64+0x1000d99be)
    #12 0x10d24dada in mrb_check_convert_type (mruby:x86_64+0x1000daada)
    #13 0x10d381db7 in mrb_f_string (mruby:x86_64+0x10020edb7)
    #14 0x10d2e1296 in mrb_vm_exec (mruby:x86_64+0x10016e296)
    #15 0x10d2d5ae3 in mrb_vm_run (mruby:x86_64+0x100162ae3)
    #16 0x10d309d1f in mrb_top_run (mruby:x86_64+0x100196d1f)
    #17 0x10d3dbdd5 in mrb_load_exec (mruby:x86_64+0x100268dd5)
    #18 0x10d3dc725 in mrb_load_file_cxt (mruby:x86_64+0x100269725)
    #19 0x10d174f46 in main mruby.c:227
    #20 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==20379==Register values:
rax = 0x0000000000000018  rbx = 0x00007fff52a78100  rcx = 0x000061400000a440  rdx = 0x00001fffea54f014
rdi = 0x00007fff52a780c0  rsi = 0x0000000000000000  rbp = 0x00007fff52a78210  rsp = 0x00007fff52a780a0
 r8 = 0x00007fff52a780e0   r9 = 0x00000000000002a3  r10 = 0x0000000000000018  r11 = 0x0000100000000003
r12 = 0x00007fff52a78260  r13 = 0x00007fff52a78280  r14 = 0x0000100000000000  r15 = 0x00007fff52a78240
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (mruby:x86_64+0x100140ce6) in mrb_obj_iv_get
==20379==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/flamezzz
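An added illustration, not code from mruby or from the reporter, of how to read the fault address in the report above: when the first field a function touches lives at offset 0x18 of a struct, dereferencing a NULL pointer to that struct reads address 0x18, which is why ASAN says the address "points to the zero page". The struct layout, field names and the `IV_NOT_FOUND` sentinel below are assumptions chosen to reproduce that offset on an LP64 platform; the hardened lookup shows the shape of the check that turns the crash into a "not found" result.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model (assumption, not mruby's real structs): a 24-byte object header
 * followed by the instance-variable table pointer, so that the table pointer
 * sits at offset 0x18 on LP64 platforms, the address in the ASAN report. */
struct header {
    uint32_t tt_flags;      /* type tag and flags */
    void *klass;            /* owning class */
    void *gcnext;           /* GC list link */
};

struct ivtbl {
    int count;
    const char *names[4];
    int values[4];
};

struct object {
    struct header h;
    struct ivtbl *iv;       /* offset 0x18 under LP64 */
};

enum { IV_NOT_FOUND = -1 };

/* Unchecked lookup: with obj == NULL the load of obj->iv is a read of
 * address 0x18, exactly the kind of fault the sanitizer reported. */
int iv_get_unchecked(const struct object *obj, const char *name) {
    const struct ivtbl *t = obj->iv;   /* faults when obj is NULL */
    if (!t) return IV_NOT_FOUND;
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->names[i], name) == 0) return t->values[i];
    return IV_NOT_FOUND;
}

/* Hardened lookup: a missing object behaves like an object with no table. */
int iv_get_checked(const struct object *obj, const char *name) {
    if (!obj || !obj->iv) return IV_NOT_FOUND;
    return iv_get_unchecked(obj, name);
}

/* Offset of the field the unchecked version touches first; compare it with
 * the low bits of the "SEGV on unknown address" value in the report. */
size_t iv_field_offset(void) { return offsetof(struct object, iv); }

int main(void) {
    /* Constructed sample object with two instance variables. */
    struct ivtbl tbl = { 2, { "@x", "@y" }, { 10, 20 } };
    struct object obj = { { 0, NULL, NULL }, &tbl };

    printf("iv field offset: 0x%zx\n", iv_field_offset());
    printf("@y on a real object: %d\n", iv_get_checked(&obj, "@y"));
    printf("@y on a NULL object: %d\n", iv_get_checked(NULL, "@y"));
    return 0;
}
```

The practical check on a fix for a report like this is a regression test that feeds the two-line reproducer to the interpreter under ASAN and expects a normal error (or result) rather than a signal.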
