Skip to content

Null pointer dereference in OP_CALL #3678

Closed
@clayton-shopify

Description

@clayton-shopify

The following input demonstrates a crash:

class X < Proc
1.times{
    super()
}
end

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==31258==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0001006b06d6 bp 0x7fff5f6bd030 sp 0x7fff5f6b5120 T0)
==31258==The signal is caused by a READ memory access.
==31258==Hint: address points to the zero page.
    #0 0x1006b06d5 in mrb_vm_exec vm.c:1392
    #1 0x1006a39f3 in mrb_vm_run vm.c:862
    #2 0x1006d7cdf in mrb_top_run vm.c:2764
    #3 0x1007a9dd5 in mrb_load_exec parse.y:5780
    #4 0x1007aa725 in mrb_load_file_cxt parse.y:5789
    #5 0x100542e56 in main mruby.c:227
    #6 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==31258==Register values:
rax = 0x000060400000efd0  rbx = 0xf2f2f200f2f20000  rcx = 0x001e76f0004b9ca0  rdx = 0x000062f00000c3f8
rdi = 0x0000100000000000  rsi = 0x0003dede00097394  rbp = 0x00007fff5f6bd030  rsp = 0x00007fff5f6b5120
 r8 = 0x0000100000000000   r9 = 0xf6e03d9b8bc60000  r10 = 0x0000100000000000  r11 = 0x00001e2f5f69fa00
r12 = 0xf2f20000f1f1f1f1  r13 = 0x00001fffebed7848  r14 = 0xf2f20000f2f2f2f2  r15 = 0xf2f2f2f2f2040000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV vm.c:1392 in mrb_vm_exec
==31258==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions