Heap buffer overflow in stack_clear #3682

Closed
clayton-shopify opened this Issue May 31, 2017 · 0 comments


clayton-shopify commented May 31, 2017

The following input demonstrates a crash:

def a
rescue *nil
ensure
  x y = a { return }
end

a { foo a }

It appears this problem was introduced in acd3ac6.

ASAN report:

==51967==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001d480 at pc 0x00010271a4ca bp 0x7fff5d854240 sp 0x7fff5d8539f0
WRITE of size 16 at 0x61d00001d480 thread T0
    #0 0x10271a4c9 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9)
    #1 0x102473db0 in stack_clear (mruby:x86_64+0x100162db0)
    #2 0x1024738f0 in mrb_vm_run (mruby:x86_64+0x1001628f0)
    #3 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #4 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #5 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #6 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #7 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #8 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #9 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #10 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #11 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #12 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #13 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #14 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #15 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #16 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #17 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #18 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #19 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #20 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #21 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #22 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #23 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #24 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #25 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #26 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #27 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #28 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #29 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #30 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #31 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #32 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #33 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #34 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #35 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #36 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #37 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #38 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #39 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #40 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #41 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #42 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #43 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #44 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #45 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #46 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #47 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #48 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #49 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #50 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #51 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #52 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #53 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #54 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #55 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #56 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #57 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #58 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #59 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #60 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #61 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #62 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #63 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #64 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #65 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #66 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #67 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #68 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #69 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #70 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #71 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #72 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #73 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #74 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #75 0x1024a7cdf in mrb_top_run (mruby:x86_64+0x100196cdf)
    #76 0x102579dd5 in mrb_load_exec (mruby:x86_64+0x100268dd5)
    #77 0x10257a725 in mrb_load_file_cxt (mruby:x86_64+0x100269725)
    #78 0x102312e36 in main mruby.c:227
    #79 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

0x61d00001d480 is located 0 bytes to the right of 2048-byte region [0x61d00001cc80,0x61d00001d480)
allocated by thread T0 here:
    #0 0x102723520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x1024072ff in mrb_default_allocf (mruby:x86_64+0x1000f62ff)
    #2 0x102388068 in mrb_realloc_simple gc.c:203
    #3 0x1023887be in mrb_realloc gc.c:217
    #4 0x102389243 in mrb_malloc gc.c:238
    #5 0x1023892dd in mrb_calloc gc.c:256
    #6 0x102469ae2 in stack_init (mruby:x86_64+0x100158ae2)
    #7 0x102466ca0 in mrb_funcall_with_block (mruby:x86_64+0x100155ca0)
    #8 0x1024665da in mrb_funcall_with_block (mruby:x86_64+0x1001555da)
    #9 0x102465dc7 in mrb_funcall_argv (mruby:x86_64+0x100154dc7)
    #10 0x10234e1f5 in mrb_obj_new (mruby:x86_64+0x10003d1f5)
    #11 0x102372e0d in mrb_exc_new_str (mruby:x86_64+0x100061e0d)
    #12 0x10237b9f7 in mrb_init_exception (mruby:x86_64+0x10006a9f7)
    #13 0x1023ac434 in mrb_init_core (mruby:x86_64+0x10009b434)
    #14 0x1024072ae in mrb_open_core (mruby:x86_64+0x1000f62ae)
    #15 0x10240748c in mrb_open_allocf (mruby:x86_64+0x1000f648c)
    #16 0x102407457 in mrb_open (mruby:x86_64+0x1000f6457)
    #17 0x102311d48 in main mruby.c:171
    #18 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c3a00003a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c3a00003a90:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003ae0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==51967==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong
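A triage helper for crash reports of this shape, added here as an example and not part of the issue or of mruby: it pulls the error kind, the access, the first frame in the code under test (stack_clear), the allocation site (stack_init) and the repeating mrb_vm_run/mrb_run/ecall/mrb_vm_exec cycle out of a constructed, abridged excerpt of the ASAN report above. The frame-filtering rule (skip `__asan_`/`wrap_` frames and anything containing `alloc`) is my own heuristic, not something ASan defines.

```python
import re
# Constructed, abridged excerpt of the ASAN report in the issue above (frame lines copied verbatim).
REPORT = """==51967==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001d480 at pc 0x00010271a4ca
WRITE of size 16 at 0x61d00001d480 thread T0
    #0 0x10271a4c9 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9)
    #1 0x102473db0 in stack_clear (mruby:x86_64+0x100162db0)
    #2 0x1024738f0 in mrb_vm_run (mruby:x86_64+0x1001628f0)
    #3 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #4 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #5 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #6 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #7 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #8 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #9 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #10 0x102312e36 in main mruby.c:227
0x61d00001d480 is located 0 bytes to the right of 2048-byte region [0x61d00001cc80,0x61d00001d480)
allocated by thread T0 here:
    #0 0x102723520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #5 0x1023892dd in mrb_calloc gc.c:256
    #6 0x102469ae2 in stack_init (mruby:x86_64+0x100158ae2)
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
REGION = re.compile(r"located (\d+) bytes to the (left|right) of (\d+)-byte region")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)", re.M)
NOISE = re.compile(r"^(__asan_|wrap_)|alloc")  # sanitizer interceptors and allocator layers (heuristic)

def first_user_frame(frames):
    return next(f for f in frames if not NOISE.search(f))  # first frame in the code under test

def repeated_cycle(frames):
    # Shortest frame sequence that immediately repeats: VM re-entry, one level per nested block call.
    for n in range(1, len(frames) // 2 + 1):
        for i in range(len(frames) - 2 * n + 1):
            if frames[i:i + n] == frames[i + n:i + 2 * n]:
                return frames[i:i + n]
    return []

def triage(report):
    crash_part, _, alloc_part = report.partition("allocated by thread")
    kind = HEADER.search(report).group(1)
    mode, size = ACCESS.search(report).groups()
    off, side, region = REGION.search(report).groups()
    crash, alloc = FRAME.findall(crash_part), FRAME.findall(alloc_part)
    return {"kind": kind, "access": f"{mode} {size}", "region_size": int(region),
            # a 16-byte write starting 0 bytes past a 2048-byte region ends 16 bytes beyond it
            "bytes_past_end": int(off) + int(size) if side == "right" else 0,
            "crash_fn": first_user_frame(crash), "alloc_fn": first_user_frame(alloc),
            "cycle": repeated_cycle(crash)}
```

The cycle field is what distinguishes this report from a plain overflow: the same four frames repeat once per nested block call, which points at the VM stack being reallocated (stack_init) while an outer frame still writes through a stale pointer.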

@matz matz closed this in 87cc034 Jun 1, 2017
