Null pointer dereference in OP_CALL #3678

Closed
clayton-shopify opened this Issue May 30, 2017 · 0 comments

clayton-shopify commented May 30, 2017

The following input demonstrates a crash:

class X < Proc
  1.times {
    super()
  }
end

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==31258==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0001006b06d6 bp 0x7fff5f6bd030 sp 0x7fff5f6b5120 T0)
==31258==The signal is caused by a READ memory access.
==31258==Hint: address points to the zero page.
    #0 0x1006b06d5 in mrb_vm_exec vm.c:1392
    #1 0x1006a39f3 in mrb_vm_run vm.c:862
    #2 0x1006d7cdf in mrb_top_run vm.c:2764
    #3 0x1007a9dd5 in mrb_load_exec parse.y:5780
    #4 0x1007aa725 in mrb_load_file_cxt parse.y:5789
    #5 0x100542e56 in main mruby.c:227
    #6 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==31258==Register values:
rax = 0x000060400000efd0  rbx = 0xf2f2f200f2f20000  rcx = 0x001e76f0004b9ca0  rdx = 0x000062f00000c3f8
rdi = 0x0000100000000000  rsi = 0x0003dede00097394  rbp = 0x00007fff5f6bd030  rsp = 0x00007fff5f6b5120
 r8 = 0x0000100000000000   r9 = 0xf6e03d9b8bc60000  r10 = 0x0000100000000000  r11 = 0x00001e2f5f69fa00
r12 = 0xf2f20000f1f1f1f1  r13 = 0x00001fffebed7848  r14 = 0xf2f20000f2f2f2f2  r15 = 0xf2f2f2f2f2040000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV vm.c:1392 in mrb_vm_exec
==31258==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi