Null pointer dereference in ecall #3683

Closed
clayton-shopify opened this Issue May 31, 2017 · 0 comments


clayton-shopify commented May 31, 2017

The following input demonstrates a crash:

def a
  yield
ensure
  Array.new.uniq {}
end

def b
  yield
ensure
  lambda { a { a a { return proc{} } } }.call
end

GC.start

lambda { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { return proc{} } } } } } } } } } } } } } } } } } } } } } } }.call

ASAN report:

==53746==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x000107e76d81 bp 0x7fff57f13110 sp 0x7fff57f12d60 T0)
==53746==The signal is caused by a READ memory access.
==53746==Hint: address points to the zero page.
    #0 0x107e76d80 in ecall vm.c:323
    #1 0x107e5de06 in mrb_vm_exec vm.c:1920
    #2 0x107e459e6 in mrb_vm_run vm.c:866
    #3 0x107e79cdf in mrb_top_run vm.c:2768
    #4 0x107f4bdd5 in mrb_load_exec parse.y:5780
    #5 0x107f4c725 in mrb_load_file_cxt parse.y:5789
    #6 0x107ce4e46 in main mruby.c:227
    #7 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==53746==Register values:
rax = 0x0000000000000002  rbx = 0x00007fff57f12dc0  rcx = 0x0000000000000002  rdx = 0x0000100000000000
rdi = 0x0000100000000000  rsi = 0x0000100000000000  rbp = 0x00007fff57f13110  rsp = 0x00007fff57f12d60
 r8 = 0x0000100000000000   r9 = 0x0000000000000000  r10 = 0x00001c280000148c  r11 = 0x0000100000000000
r12 = 0xf2f20000f1f1f1f1  r13 = 0x00001fffeafe3448  r14 = 0xf2f20000f2f2f2f2  r15 = 0xf2f2f2f2f2040000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV vm.c:323 in ecall
==53746==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi
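As an added illustration, not code from the report or from mruby itself: this runs under CRuby and records the reference behaviour that mruby's ecall has to reproduce when a non-local `return` unwinds through nested `ensure` clauses, including the report's pattern of an `ensure` clause that itself calls a lambda returning through further `ensure` frames. Method names and the log format are my own.

```ruby
# Records which ensure clause ran, in order, into `log`.
def with_ensure(log, tag)
  yield
ensure
  log << tag
end

# Mirrors `b` in the report: the ensure clause itself calls a lambda whose
# body returns non-locally through one more ensure frame. A VM has to push
# and pop the inner ensure entries while it is already unwinding the outer
# ones, which is exactly the bookkeeping ecall performs.
def with_ensure_that_unwinds(log, tag)
  yield
ensure
  inner = lambda { with_ensure(log, "#{tag}.inner") { return :from_inner } }.call
  log << "#{tag}=#{inner}"
end

# Builds `depth` nested frames (like the chain of b { b { ... } } calls in the
# report) and runs `innermost` at the bottom.
def nest(log, depth, &innermost)
  return innermost.call if depth.zero?
  with_ensure_that_unwinds(log, "f#{depth}") { nest(log, depth - 1, &innermost) }
end

# The `return` inside the innermost block belongs to the enclosing lambda, so
# every ensure clause between it and the lambda must run, innermost first.
def unwind_order(depth)
  log = []
  value = lambda { nest(log, depth) { return :early } }.call
  { value: value, log: log }
end

if __FILE__ == $0
  p unwind_order(2)
  # => {:value=>:early, :log=>["f1.inner", "f1=from_inner", "f2.inner", "f2=from_inner"]}
end
```

Increasing `depth` to the 22 levels used in the report simply doubles the log length per level; the order stays innermost-first.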

@matz matz closed this in 7ff90b5 Jun 1, 2017

matz added a commit that referenced this issue Jun 1, 2017

matz added a commit that referenced this issue Jun 3, 2017

Revert "Simplify rescue stack management; ref #3683"
This reverts commit eb5a606 and
079f310.
The rescue stack works differently from ensure stack, so the change
caused #3686 and #3688. It might take long to solve the problems,
so that I would revert the changes for now. Fix #3688