Heap buffer overflow in stack_clear

[clayton-shopify]

The following input demonstrates a crash:

def a
rescue *nil
ensure
  x y = a { return }
end

a { foo a }

It appears this problem was introduced in acd3ac6.

ASAN report:

==51967==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001d480 at pc 0x00010271a4ca bp 0x7fff5d854240 sp 0x7fff5d8539f0
WRITE of size 16 at 0x61d00001d480 thread T0
    #0 0x10271a4c9 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9)
    #1 0x102473db0 in stack_clear (mruby:x86_64+0x100162db0)
    #2 0x1024738f0 in mrb_vm_run (mruby:x86_64+0x1001628f0)
    #3 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #4 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #5 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #6 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #7 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #8 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #9 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #10 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #11 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #12 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #13 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #14 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #15 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #16 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #17 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #18 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #19 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #20 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #21 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #22 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #23 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #24 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #25 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #26 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #27 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #28 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #29 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #30 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #31 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #32 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #33 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #34 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #35 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #36 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #37 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #38 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #39 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #40 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #41 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #42 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #43 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #44 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #45 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #46 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #47 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #48 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #49 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #50 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #51 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #52 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #53 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #54 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #55 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #56 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #57 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #58 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #59 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #60 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #61 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #62 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #63 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #64 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #65 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #66 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #67 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #68 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #69 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #70 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #71 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
    #72 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
    #73 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
    #74 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
    #75 0x1024a7cdf in mrb_top_run (mruby:x86_64+0x100196cdf)
    #76 0x102579dd5 in mrb_load_exec (mruby:x86_64+0x100268dd5)
    #77 0x10257a725 in mrb_load_file_cxt (mruby:x86_64+0x100269725)
    #78 0x102312e36 in main mruby.c:227
    #79 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

0x61d00001d480 is located 0 bytes to the right of 2048-byte region [0x61d00001cc80,0x61d00001d480)
allocated by thread T0 here:
    #0 0x102723520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x1024072ff in mrb_default_allocf (mruby:x86_64+0x1000f62ff)
    #2 0x102388068 in mrb_realloc_simple gc.c:203
    #3 0x1023887be in mrb_realloc gc.c:217
    #4 0x102389243 in mrb_malloc gc.c:238
    #5 0x1023892dd in mrb_calloc gc.c:256
    #6 0x102469ae2 in stack_init (mruby:x86_64+0x100158ae2)
    #7 0x102466ca0 in mrb_funcall_with_block (mruby:x86_64+0x100155ca0)
    #8 0x1024665da in mrb_funcall_with_block (mruby:x86_64+0x1001555da)
    #9 0x102465dc7 in mrb_funcall_argv (mruby:x86_64+0x100154dc7)
    #10 0x10234e1f5 in mrb_obj_new (mruby:x86_64+0x10003d1f5)
    #11 0x102372e0d in mrb_exc_new_str (mruby:x86_64+0x100061e0d)
    #12 0x10237b9f7 in mrb_init_exception (mruby:x86_64+0x10006a9f7)
    #13 0x1023ac434 in mrb_init_core (mruby:x86_64+0x10009b434)
    #14 0x1024072ae in mrb_open_core (mruby:x86_64+0x1000f62ae)
    #15 0x10240748c in mrb_open_allocf (mruby:x86_64+0x1000f648c)
    #16 0x102407457 in mrb_open (mruby:x86_64+0x1000f6457)
    #17 0x102311d48 in main mruby.c:171
    #18 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c3a00003a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c3a00003a90:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003ae0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==51967==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong