New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap use-after-free in OP_CALL #3680

Closed
clayton-shopify opened this Issue May 30, 2017 · 0 comments

Comments

Projects
None yet
1 participant
@clayton-shopify
Contributor

clayton-shopify commented May 30, 2017

The following input demonstrates a crash:

class NoMethodError
  def initialize(*)
  end

  ObjectSpace.each_object{ |obj| obj===[] }
end

ASAN report:

==34086==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00001d270 at pc 0x000110bd02f8 bp 0x7fff4fc03df0 sp 0x7fff4fc035a0
READ of size 16 at 0x61d00001d270 thread T0
    #0 0x110bd02f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
    #1 0x110121ae7 in mrb_vm_exec (mruby:x86_64+0x100170ae7)
    #2 0x1101139f3 in mrb_vm_run (mruby:x86_64+0x1001629f3)
    #3 0x11010b7ce in mrb_run (mruby:x86_64+0x10015a7ce)
    #4 0x110111976 in mrb_yield_with_class (mruby:x86_64+0x100160976)
    #5 0x110112658 in mrb_yield (mruby:x86_64+0x100161658)
    #6 0x1101b51bf in os_each_object_cb mruby_objectspace.c:140
    #7 0x11002fa18 in gc_each_objects gc.c:1498
    #8 0x11002f3f0 in mrb_objspace_each_objects gc.c:1512
    #9 0x1101b3f76 in os_each_object mruby_objectspace.c:172
    #10 0x11011f206 in mrb_vm_exec (mruby:x86_64+0x10016e206)
    #11 0x1101139f3 in mrb_vm_run (mruby:x86_64+0x1001629f3)
    #12 0x11010b7ce in mrb_run (mruby:x86_64+0x10015a7ce)
    #13 0x110111976 in mrb_yield_with_class (mruby:x86_64+0x100160976)
    #14 0x110112658 in mrb_yield (mruby:x86_64+0x100161658)
    #15 0x1101b51bf in os_each_object_cb mruby_objectspace.c:140
    #16 0x11002fa18 in gc_each_objects gc.c:1498
    #17 0x11002f3f0 in mrb_objspace_each_objects gc.c:1512
    #18 0x1101b3f76 in os_each_object mruby_objectspace.c:172
    #19 0x11011f206 in mrb_vm_exec (mruby:x86_64+0x10016e206)
    #20 0x1101139f3 in mrb_vm_run (mruby:x86_64+0x1001629f3)
    #21 0x11010b7ce in mrb_run (mruby:x86_64+0x10015a7ce)
    #22 0x110111976 in mrb_yield_with_class (mruby:x86_64+0x100160976)
    #23 0x110112658 in mrb_yield (mruby:x86_64+0x100161658)
    #24 0x1101b51bf in os_each_object_cb mruby_objectspace.c:140
    #25 0x11002fa18 in gc_each_objects gc.c:1498
    #26 0x11002f3f0 in mrb_objspace_each_objects gc.c:1512
    #27 0x1101b3f76 in os_each_object mruby_objectspace.c:172
    #28 0x11011f206 in mrb_vm_exec (mruby:x86_64+0x10016e206)
    #29 0x1101139f3 in mrb_vm_run (mruby:x86_64+0x1001629f3)
    #30 0x11010b7ce in mrb_run (mruby:x86_64+0x10015a7ce)
    #31 0x110111976 in mrb_yield_with_class (mruby:x86_64+0x100160976)
    #32 0x110112658 in mrb_yield (mruby:x86_64+0x100161658)
    #33 0x1101b51bf in os_each_object_cb mruby_objectspace.c:140
    #34 0x11002fa18 in gc_each_objects gc.c:1498
    #35 0x11002f3f0 in mrb_objspace_each_objects gc.c:1512
    #36 0x1101b3f76 in os_each_object mruby_objectspace.c:172
    #37 0x11011f206 in mrb_vm_exec (mruby:x86_64+0x10016e206)
    #38 0x1101139f3 in mrb_vm_run (mruby:x86_64+0x1001629f3)
    #39 0x11010b7ce in mrb_run (mruby:x86_64+0x10015a7ce)
    #40 0x110111976 in mrb_yield_with_class (mruby:x86_64+0x100160976)
    #41 0x110112658 in mrb_yield (mruby:x86_64+0x100161658)
    #42 0x1101b51bf in os_each_object_cb mruby_objectspace.c:140
    #43 0x11002fa18 in gc_each_objects gc.c:1498
    #44 0x11002f3f0 in mrb_objspace_each_objects gc.c:1512
    #45 0x1101b3f76 in os_each_object mruby_objectspace.c:172
    #46 0x11011f206 in mrb_vm_exec (mruby:x86_64+0x10016e206)
    #47 0x1101139f3 in mrb_vm_run (mruby:x86_64+0x1001629f3)
    #48 0x11010b7ce in mrb_run (mruby:x86_64+0x10015a7ce)
    #49 0x110111976 in mrb_yield_with_class (mruby:x86_64+0x100160976)
    #50 0x110112658 in mrb_yield (mruby:x86_64+0x100161658)
    #51 0x1101b51bf in os_each_object_cb mruby_objectspace.c:140
    #52 0x11002fa18 in gc_each_objects gc.c:1498
    #53 0x11002f3f0 in mrb_objspace_each_objects gc.c:1512
    #54 0x1101b3f76 in os_each_object mruby_objectspace.c:172
    #55 0x11011f206 in mrb_vm_exec (mruby:x86_64+0x10016e206)
    #56 0x1101139f3 in mrb_vm_run (mruby:x86_64+0x1001629f3)
    #57 0x11010b7ce in mrb_run (mruby:x86_64+0x10015a7ce)
    #58 0x110111976 in mrb_yield_with_class (mruby:x86_64+0x100160976)
    #59 0x110112658 in mrb_yield (mruby:x86_64+0x100161658)
    #60 0x1101b51bf in os_each_object_cb mruby_objectspace.c:140
    #61 0x11002fa18 in gc_each_objects gc.c:1498
    #62 0x11002f4e4 in mrb_objspace_each_objects gc.c:1520
    #63 0x1101b3f76 in os_each_object mruby_objectspace.c:172
    #64 0x11011f206 in mrb_vm_exec (mruby:x86_64+0x10016e206)
    #65 0x1101139f3 in mrb_vm_run (mruby:x86_64+0x1001629f3)
    #66 0x110147cdf in mrb_top_run (mruby:x86_64+0x100196cdf)
    #67 0x110219dd5 in mrb_load_exec (mruby:x86_64+0x100268dd5)
    #68 0x11021a725 in mrb_load_file_cxt (mruby:x86_64+0x100269725)
    #69 0x10ffb2d96 in main mruby.c:227
    #70 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

0x61d00001d270 is located 1520 bytes inside of 2048-byte region [0x61d00001cc80,0x61d00001d480)
freed by thread T0 here:
    #0 0x110bd9520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x1100a725f in mrb_default_allocf (mruby:x86_64+0x1000f625f)
    #2 0x110027fc8 in mrb_realloc_simple gc.c:203
    #3 0x11002871e in mrb_realloc gc.c:217
    #4 0x11014876f in stack_extend_alloc (mruby:x86_64+0x10019776f)
    #5 0x11010aacf in stack_extend (mruby:x86_64+0x100159acf)
    #6 0x1101087a3 in mrb_funcall_with_block (mruby:x86_64+0x1001577a3)
    #7 0x110105d27 in mrb_funcall_argv (mruby:x86_64+0x100154d27)
    #8 0x11010579e in mrb_funcall (mruby:x86_64+0x10015479e)
    #9 0x110086b36 in mrb_equal (mruby:x86_64+0x1000d5b36)
    #10 0x1100597b4 in mrb_equal_m (mruby:x86_64+0x1000a87b4)
    #11 0x11011f206 in mrb_vm_exec (mruby:x86_64+0x10016e206)
    #12 0x1101139f3 in mrb_vm_run (mruby:x86_64+0x1001629f3)
    #13 0x11010b7ce in mrb_run (mruby:x86_64+0x10015a7ce)
    #14 0x110111976 in mrb_yield_with_class (mruby:x86_64+0x100160976)
    #15 0x110112658 in mrb_yield (mruby:x86_64+0x100161658)
    #16 0x1101b51bf in os_each_object_cb mruby_objectspace.c:140
    #17 0x11002fa18 in gc_each_objects gc.c:1498
    #18 0x11002f3f0 in mrb_objspace_each_objects gc.c:1512
    #19 0x1101b3f76 in os_each_object mruby_objectspace.c:172
    #20 0x11011f206 in mrb_vm_exec (mruby:x86_64+0x10016e206)
    #21 0x1101139f3 in mrb_vm_run (mruby:x86_64+0x1001629f3)
    #22 0x11010b7ce in mrb_run (mruby:x86_64+0x10015a7ce)
    #23 0x110111976 in mrb_yield_with_class (mruby:x86_64+0x100160976)
    #24 0x110112658 in mrb_yield (mruby:x86_64+0x100161658)
    #25 0x1101b51bf in os_each_object_cb mruby_objectspace.c:140
    #26 0x11002fa18 in gc_each_objects gc.c:1498
    #27 0x11002f3f0 in mrb_objspace_each_objects gc.c:1512
    #28 0x1101b3f76 in os_each_object mruby_objectspace.c:172
    #29 0x11011f206 in mrb_vm_exec (mruby:x86_64+0x10016e206)

previously allocated by thread T0 here:
    #0 0x110bd9520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x1100a725f in mrb_default_allocf (mruby:x86_64+0x1000f625f)
    #2 0x110027fc8 in mrb_realloc_simple gc.c:203
    #3 0x11002871e in mrb_realloc gc.c:217
    #4 0x1100291a3 in mrb_malloc gc.c:238
    #5 0x11002923d in mrb_calloc gc.c:256
    #6 0x110109a42 in stack_init (mruby:x86_64+0x100158a42)
    #7 0x110106c00 in mrb_funcall_with_block (mruby:x86_64+0x100155c00)
    #8 0x11010653a in mrb_funcall_with_block (mruby:x86_64+0x10015553a)
    #9 0x110105d27 in mrb_funcall_argv (mruby:x86_64+0x100154d27)
    #10 0x10ffee155 in mrb_obj_new (mruby:x86_64+0x10003d155)
    #11 0x110012d6d in mrb_exc_new_str (mruby:x86_64+0x100061d6d)
    #12 0x11001b957 in mrb_init_exception (mruby:x86_64+0x10006a957)
    #13 0x11004c394 in mrb_init_core (mruby:x86_64+0x10009b394)
    #14 0x1100a720e in mrb_open_core (mruby:x86_64+0x1000f620e)
    #15 0x1100a73ec in mrb_open_allocf (mruby:x86_64+0x1000f63ec)
    #16 0x1100a73b7 in mrb_open (mruby:x86_64+0x1000f63b7)
    #17 0x10ffb1ca8 in main mruby.c:171
    #18 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c3a000039f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003a10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003a20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c3a00003a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x1c3a00003a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==34086==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/flamezzz

@matz matz closed this in 72b635f Jun 1, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment