Heap use-after-free in OP_CALL #3685

Closed
clayton-shopify opened this Issue Jun 1, 2017 · 0 comments

clayton-shopify commented Jun 1, 2017

The following input demonstrates a crash, when supplied to mirb:

b = []
def g
yield
end
m = Array.new{} .
lambda{ g{ return proc{}}}.call 
Array.new  b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b
m[0]

ASAN report:

==2913==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00001cce0 at pc 0x0001013482f8 bp 0x7fff5ecb97b0 sp 0x7fff5ecb8f60
READ of size 16 at 0x61d00001cce0 thread T0
    #0 0x1013482f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
    #1 0x1010af190 in mrb_vm_exec vm.c:1435
    #2 0x1010a1256 in mrb_vm_run vm.c:861
    #3 0x100f3ee99 in main mirb.c:549
    #4 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

0x61d00001cce0 is located 96 bytes inside of 2048-byte region [0x61d00001cc80,0x61d00001d480)
freed by thread T0 here:
    #0 0x101351520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x101034b25 in mrb_default_allocf state.c:60
    #2 0x100fb57b8 in mrb_realloc_simple gc.c:203
    #3 0x100fb5f0e in mrb_realloc gc.c:217
    #4 0x1010d5e1f in stack_extend_alloc vm.c:165
    #5 0x10109836f in stack_extend vm.c:186
    #6 0x101096043 in mrb_funcall_with_block vm.c:432
    #7 0x100f7b3e9 in mrb_instance_new class.c:1431
    #8 0x1010ac8af in mrb_vm_exec vm.c:1327
    #9 0x1010a1256 in mrb_vm_run vm.c:861
    #10 0x100f3ee99 in main mirb.c:549
    #11 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

previously allocated by thread T0 here:
    #0 0x101351520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x101034b25 in mrb_default_allocf state.c:60
    #2 0x100fb57b8 in mrb_realloc_simple gc.c:203
    #3 0x100fb5f0e in mrb_realloc gc.c:217
    #4 0x100fb69a3 in mrb_malloc gc.c:239
    #5 0x100fb6a3d in mrb_calloc gc.c:257
    #6 0x1010972e2 in stack_init vm.c:105
    #7 0x1010944a0 in mrb_funcall_with_block vm.c:385
    #8 0x101093dda in mrb_funcall_with_block vm.c:363
    #9 0x1010935c7 in mrb_funcall_argv vm.c:464
    #10 0x100f7c1f5 in mrb_obj_new class.c:1445
    #11 0x100fa0e0d in mrb_exc_new_str error.c:32
    #12 0x100fa99f7 in mrb_init_exception error.c:490
    #13 0x100fd9c54 in mrb_init_core init.c:42
    #14 0x101034abe in mrb_open_core state.c:47
    #15 0x101034c8c in mrb_open_allocf state.c:107
    #16 0x101034c57 in mrb_open state.c:99
    #17 0x100f3d916 in main mirb.c:384
    #18 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c3a00003940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c3a00003990: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x1c3a000039a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a000039b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a000039c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a000039d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a000039e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2913==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi
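The ASAN trace above shows the shape of the bug: the VM register stack is reallocated by stack_extend inside mrb_funcall_with_block (reached from Array.new's block invocation), and OP_CALL then memcpy's from a pointer into the old, freed region. The following C is an added illustration of that pattern, written for this page; it is not mruby's code, and the vm_stack type and the stack_init / stack_extend / run_callee / op_call_* helpers are hypothetical stand-ins. It shows the safe shape (keep the register window as an offset and re-derive the pointer after any call that can grow the stack) next to a guarded version of the unsafe shape that refuses to copy when the base address changed underneath it.

```c
/* Added illustration (not mruby code): a VM register stack that a callee can
 * reallocate, and an OP_CALL-style copy that must not hold a raw pointer
 * into that stack across the call. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    long  *base;   /* start of the register stack */
    size_t used;   /* slots in use */
    size_t cap;    /* slots allocated */
} vm_stack;

/* Hypothetical helper standing in for a stack_init(). */
static int stack_init(vm_stack *s, size_t cap)
{
    s->base = calloc(cap, sizeof *s->base);
    s->used = 0;
    s->cap = cap;
    return s->base != NULL;
}

/* Hypothetical stand-in for stack_extend(). Grows by moving to a fresh block
 * (allocate + copy + free) so the old block is always released and any
 * pointer saved before the call is dangling. Returns 1 on success. */
static int stack_extend(vm_stack *s, size_t need)
{
    if (s->used + need <= s->cap) return 1;
    size_t ncap = s->cap * 2;
    if (ncap < s->used + need) ncap = s->used + need;
    long *nb = calloc(ncap, sizeof *nb);
    if (!nb) return 0;
    memcpy(nb, s->base, s->used * sizeof *nb);
    free(s->base);
    s->base = nb;
    s->cap = ncap;
    return 1;
}

static void stack_free(vm_stack *s)
{
    free(s->base);
    s->base = NULL;
    s->used = s->cap = 0;
}

/* Stand-in for a callee (think of a funcall with a block) that needs
 * `frames` more slots and therefore may reallocate the stack. */
static int run_callee(vm_stack *s, size_t frames)
{
    if (!stack_extend(s, frames)) return 0;
    for (size_t i = 0; i < frames; i++) s->base[s->used + i] = -1; /* scratch */
    s->used += frames;
    return 1;
}

/* Safe shape: remember the register window as an OFFSET, make the call, then
 * re-derive the pointer from the (possibly new) base before copying. */
static int op_call_safe(vm_stack *s, size_t frame, size_t nargs,
                        size_t frames, long *dst)
{
    if (!run_callee(s, frames)) return -1;
    long *regs = s->base + frame;          /* recomputed after the call */
    memcpy(dst, regs, nargs * sizeof *dst);
    return (int)nargs;
}

/* Guarded form of the buggy shape: the pointer is taken BEFORE the call.
 * Instead of dereferencing it blindly, compare the base address (saved as an
 * integer, so no freed pointer value is read) and refuse the copy if the
 * stack moved. Returns -2 when the cached window would be a use-after-free. */
static int op_call_guarded(vm_stack *s, size_t frame, size_t nargs,
                           size_t frames, long *dst)
{
    long *regs = s->base + frame;          /* cached before the call */
    uintptr_t old_base = (uintptr_t)s->base;
    if (!run_callee(s, frames)) return -1;
    if ((uintptr_t)s->base != old_base) return -2; /* regs is dangling */
    memcpy(dst, regs, nargs * sizeof *dst);
    return (int)nargs;
}

int main(void)
{
    vm_stack s;
    long out[3];
    if (!stack_init(&s, 4)) return 1;
    s.base[0] = 10; s.base[1] = 20; s.base[2] = 30; s.used = 3; /* constructed args */
    printf("safe copy after growth: %d\n", op_call_safe(&s, 0, 3, 64, out));
    printf("guarded copy after growth: %d\n", op_call_guarded(&s, 0, 3, 1000, out));
    stack_free(&s);
    return 0;
}
```

The growth routine deliberately uses allocate-copy-free rather than realloc so the stale pointer is guaranteed to be dangling on every run; with realloc the old block may or may not move, which is exactly why this class of bug is intermittent outside ASAN. The real fix in the VM is the op_call_safe shape (re-read the stack base after any call that can extend it), and the guard in op_call_guarded is the check to reach for when auditing similar code paths.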

@clayton-shopify clayton-shopify changed the title from Heap user-after-free in OP_CALL to Heap use-after-free in OP_CALL Jun 1, 2017

@matz matz closed this in 6a66ce1 Jun 15, 2017
