Heap use-after-free in gc_each_objects #3681

Closed
clayton-shopify opened this Issue May 31, 2017 · 0 comments

clayton-shopify commented May 31, 2017

The following input demonstrates a crash:

ObjectSpace.each_object { GC.generational_mode = nil }

It looks like this is another way to cause a garbage collection during each_object, like in #3616.

ASAN report:

==48055==ERROR: AddressSanitizer: heap-use-after-free on address 0x62f00000e410 at pc 0x00010ac5db1c bp 0x7fff55016b70 sp 0x7fff55016b68
READ of size 8 at 0x62f00000e410 thread T0
    #0 0x10ac5db1b in gc_each_objects gc.c:1501
    #1 0x10ac5d594 in mrb_objspace_each_objects gc.c:1520
    #2 0x10ade1f76 in os_each_object mruby_objectspace.c:172
    #3 0x10ad4d206 in mrb_vm_exec (mruby:x86_64+0x10016e206)
    #4 0x10ad419e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #5 0x10ad75cdf in mrb_top_run (mruby:x86_64+0x100196cdf)
    #6 0x10ae47dd5 in mrb_load_exec (mruby:x86_64+0x100268dd5)
    #7 0x10ae48725 in mrb_load_file_cxt (mruby:x86_64+0x100269725)
    #8 0x10abe0e46 in main mruby.c:227
    #9 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

0x62f00000e410 is located 16 bytes inside of 49200-byte region [0x62f00000e400,0x62f00001a430)
freed by thread T0 here:
    #0 0x10aff3356 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56356)
    #1 0x10acd5316 in mrb_default_allocf (mruby:x86_64+0x1000f6316)
    #2 0x10ac573c9 in mrb_free gc.c:270
    #3 0x10ac61cbf in incremental_sweep_phase gc.c:1059
    #4 0x10ac604bc in incremental_gc gc.c:1100
    #5 0x10ac5bd16 in incremental_gc_until gc.c:1116
    #6 0x10ac5c117 in clear_all_old gc.c:1142
    #7 0x10ac650e1 in change_gen_gc_mode gc.c:1439
    #8 0x10ac5f9f4 in gc_generational_mode_set gc.c:1480
    #9 0x10ad4d206 in mrb_vm_exec (mruby:x86_64+0x10016e206)
    #10 0x10ad419e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #11 0x10ad3986e in mrb_run (mruby:x86_64+0x10015a86e)
    #12 0x10ad3fa16 in mrb_yield_with_class (mruby:x86_64+0x100160a16)
    #13 0x10ad406f8 in mrb_yield (mruby:x86_64+0x1001616f8)
    #14 0x10ade31bf in os_each_object_cb mruby_objectspace.c:140
    #15 0x10ac5dac8 in gc_each_objects gc.c:1498
    #16 0x10ac5d594 in mrb_objspace_each_objects gc.c:1520
    #17 0x10ade1f76 in os_each_object mruby_objectspace.c:172
    #18 0x10ad4d206 in mrb_vm_exec (mruby:x86_64+0x10016e206)
    #19 0x10ad419e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #20 0x10ad75cdf in mrb_top_run (mruby:x86_64+0x100196cdf)
    #21 0x10ae47dd5 in mrb_load_exec (mruby:x86_64+0x100268dd5)
    #22 0x10ae48725 in mrb_load_file_cxt (mruby:x86_64+0x100269725)
    #23 0x10abe0e46 in main mruby.c:227
    #24 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

previously allocated by thread T0 here:
    #0 0x10aff3520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10acd52ff in mrb_default_allocf (mruby:x86_64+0x1000f62ff)
    #2 0x10ac56078 in mrb_realloc_simple gc.c:203
    #3 0x10ac567ce in mrb_realloc gc.c:217
    #4 0x10ac57253 in mrb_malloc gc.c:238
    #5 0x10ac572ed in mrb_calloc gc.c:256
    #6 0x10ac57899 in add_heap gc.c:326
    #7 0x10ac5a987 in mrb_obj_alloc gc.c:512
    #8 0x10acc45f3 in mrb_proc_new (mruby:x86_64+0x1000e55f3)
    #9 0x10ac94364 in mrb_load_irep_cxt (mruby:x86_64+0x1000b5364)
    #10 0x10ac954af in mrb_load_irep (mruby:x86_64+0x1000b64af)
    #11 0x10adcc7df in GENERATED_TMP_mrb_mruby_range_ext_gem_init (mruby:x86_64+0x1001ed7df)
    #12 0x10ae677ee in mrb_init_mrbgems (mruby:x86_64+0x1002887ee)
    #13 0x10acd54b1 in mrb_open_allocf (mruby:x86_64+0x1000f64b1)
    #14 0x10acd5457 in mrb_open (mruby:x86_64+0x1000f6457)
    #15 0x10abdfd58 in main mruby.c:171
    #16 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-use-after-free gc.c:1501 in gc_each_objects
==48055==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi
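
The trace above shows the free happening under incremental_sweep_phase, reached from the block's GC.generational_mode= call, while gc_each_objects still holds a pointer to the page it is walking. As an added example that is not mruby's own code or its fix, this minimal C model of a heap-page walk has the callback (standing in for the Ruby block) attempt a sweep mid-walk, and an iterating flag that makes the sweep refuse to unlink pages until the walk has finished. All names here are hypothetical.

```c
/* Added example (not mruby's code): a model of the heap-page walk in
 * gc_each_objects with a guard that blocks page release during the walk. */
#include <stdlib.h>
#define PAGE_OBJS 4

typedef struct page {
    struct page *next;
    int live[PAGE_OBJS];   /* 1 = slot holds a live object */
} page_t;

typedef struct {
    page_t *pages;
    int iterating;         /* set for the duration of a walk */
} heap_t;

void heap_add_page(heap_t *h, int live_count) {
    page_t *p = calloc(1, sizeof *p);
    if (!p) abort();
    for (int i = 0; i < live_count && i < PAGE_OBJS; i++) p->live[i] = 1;
    p->next = h->pages;
    h->pages = p;
}

/* Sweep: free pages with no live objects. Returns the count freed, or -1
 * if refused because a walk is in progress (the walker still reads ->next). */
int heap_sweep_empty(heap_t *h) {
    if (h->iterating) return -1;
    int freed = 0;
    for (page_t **pp = &h->pages; *pp; ) {
        page_t *p = *pp;
        int any = 0; for (int i = 0; i < PAGE_OBJS; i++) any |= p->live[i];
        if (any) { pp = &p->next; continue; }
        *pp = p->next; free(p); freed++;
    }
    return freed;
}

/* Walk every slot; cb may run arbitrary code, as a Ruby block does. */
int heap_each_object(heap_t *h, void (*cb)(heap_t *, page_t *, int, void *), void *d) {
    int visited = 0;
    h->iterating = 1;
    for (page_t *p = h->pages; p; p = p->next)
        for (int i = 0; i < PAGE_OBJS; i++) { cb(h, p, i, d); visited++; }
    h->iterating = 0;
    return visited;
}

/* Stand-in for the block calling GC.generational_mode=: sweeps mid-walk. */
void sweep_from_callback(heap_t *h, page_t *p, int slot, void *d) {
    (void)p; (void)slot;
    *(int *)d = heap_sweep_empty(h);
}
```

Without the iterating check, the sweep inside the callback would free the two empty pages and the walker's next `p = p->next` would read freed memory, which is the READ of size 8 inside a freed region that ASAN reports.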

@matz matz closed this in 51e0e69 Jun 1, 2017
