Heap buffer overflow in OP_GETCONST #3686

Closed

clayton-shopify opened this Issue Jun 1, 2017 · 0 comments

clayton-shopify commented Jun 1, 2017

The following input demonstrates a crash:

loop do
  Module.initialize { break }
  break
end
puts break[0].to_s

It seems this issue was introduced in eb5a606. Prior to that commit, the program exits with LocalJumpError:unexpected break.

ASAN report:

==12392==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001f09c at pc 0x000105374c89 bp 0x7fff5a9e9130 sp 0x7fff5a9e9128
READ of size 4 at 0x60200001f09c thread T0
    #0 0x105374c88 in mrb_vm_exec (mruby:x86_64+0x100167c88)
    #1 0x105370886 in mrb_vm_run (mruby:x86_64+0x100163886)
    #2 0x1053a49bf in mrb_top_run (mruby:x86_64+0x1001979bf)
    #3 0x105476d95 in mrb_load_exec (mruby:x86_64+0x100269d95)
    #4 0x1054776e5 in mrb_load_file_cxt (mruby:x86_64+0x10026a6e5)
    #5 0x10520fa46 in main mruby.c:227
    #6 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

0x60200001f09c is located 0 bytes to the right of 12-byte region [0x60200001f090,0x60200001f09c)
allocated by thread T0 here:
    #0 0x105620520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x105304155 in mrb_default_allocf (mruby:x86_64+0x1000f7155)
    #2 0x105284de8 in mrb_realloc_simple gc.c:203
    #3 0x105437f45 in codegen_realloc (mruby:x86_64+0x10022af45)
    #4 0x10544861c in scope_finish (mruby:x86_64+0x10023b61c)
    #5 0x10543aa7a in scope_body (mruby:x86_64+0x10022da7a)
    #6 0x105425cc5 in codegen (mruby:x86_64+0x100218cc5)
    #7 0x10541f3b1 in mrb_generate_code (mruby:x86_64+0x1002123b1)
    #8 0x105476210 in mrb_load_exec (mruby:x86_64+0x100269210)
    #9 0x1054776e5 in mrb_load_file_cxt (mruby:x86_64+0x10026a6e5)
    #10 0x10520fa46 in main mruby.c:227
    #11 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (mruby:x86_64+0x100167c88) in mrb_vm_exec
Shadow bytes around the buggy address:
  0x1c0400003dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003df0: fa fa fa fa fa fa fa fa fa fa 00 00 fa fa 00 00
  0x1c0400003e00: fa fa 00 00 fa fa 00 06 fa fa 00 fa fa fa 00 fa
=>0x1c0400003e10: fa fa 00[04]fa fa 00 00 fa fa 00 06 fa fa 00 02
  0x1c0400003e20: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 02
  0x1c0400003e30: fa fa 00 06 fa fa 04 fa fa fa 00 fa fa fa 04 fa
  0x1c0400003e40: fa fa 00 fa fa fa 00 00 fa fa fd fd fa fa 00 00
  0x1c0400003e50: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa fd fd
  0x1c0400003e60: fa fa 00 06 fa fa fd fd fa fa 00 06 fa fa 05 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12392==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/flamezzz
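
The reporter notes that before eb5a606 this program exited with LocalJumpError rather than crashing, i.e. the VM rejected a `break` that had no live frame to unwind to. The following is an added example, not the reporter's code and not mruby source: it pins down the `break` semantics a Ruby VM has to enforce for blocks, orphaned procs, loops and lambdas. It runs under CRuby rather than mruby, so it illustrates the language rule the fix must preserve rather than reproducing the crash itself; the method names (yielder, make_orphan and so on) are constructed for the example.

```ruby
# Added example (CRuby): the `break` semantics a Ruby VM must enforce.
# Method names below are constructed for this example.

# A method that yields to its block and returns normally afterwards.
def yielder
  value = yield
  [:after_yield, value]
end

# Case 1: `break` in a live block terminates the *yielding method call*, and
# the break value becomes the value of that call. Code after `yield` never runs.
def live_break
  yielder { break :escaped }
end

# Case 2: an orphaned `break`. The proc's defining method (make_orphan) has
# already returned when the proc is called, so there is no call frame left to
# unwind to. A correct VM must raise LocalJumpError instead of jumping to a
# stale frame; this is the situation the reporter's program sets up.
def make_orphan
  proc { break :too_late }
end

def orphan_break
  pr = make_orphan
  pr.call
rescue LocalJumpError => e
  [:local_jump_error, e.reason]
end

# Case 3: `break` inside a block only unwinds to that block's method call; the
# enclosing `loop do ... end` keeps running until its own `break`.
def break_through_loop
  steps = []
  loop do
    steps << :enter
    yielder { break }        # ends only the yielder call (value nil)
    steps << :after_inner
    break                    # ends the loop
  end
  steps
end

# Case 4: in a lambda, `break` behaves like `return` from the lambda itself,
# so nothing outside the lambda is unwound.
def lambda_break
  lambda { break :from_lambda }.call
end

if __FILE__ == $PROGRAM_NAME
  p live_break          # => :escaped
  p orphan_break        # => [:local_jump_error, :break]
  p break_through_loop  # => [:enter, :after_inner]
  p lambda_break        # => :from_lambda
end
```

Case 2 is the one a regression test for this issue should cover: an implementation that tracks break targets on the wrong stack (the commit message below says the rescue and ensure stacks behave differently) can compute a stale frame or program counter for the orphaned `break`, and under AddressSanitizer that shows up as exactly the kind of out-of-bounds read in the dispatch loop seen in the report above.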

matz closed this in 079f310 Jun 2, 2017

matz added a commit that referenced this issue Jun 2, 2017

matz added a commit that referenced this issue Jun 3, 2017

Revert "Simplify rescue stack management; ref #3683"

This reverts commit eb5a606 and 079f310.
The rescue stack works differently from the ensure stack, so the change
caused #3686 and #3688. It might take a long time to solve the problems,
so I will revert the changes for now. Fix #3688