
Null pointer dereference in kh_get_iv #3687

Closed
clayton-shopify opened this Issue Jun 1, 2017 · 0 comments

clayton-shopify (Contributor) commented Jun 1, 2017

The following input demonstrates a crash:

Array.dup.singleton_class[0].to_s

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==24005==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x00010396ee3f bp 0x7fff5c3c4fb0 sp 0x7fff5c3c4ed0 T0)
==24005==The signal is caused by a READ memory access.
==24005==Hint: address points to the zero page.
    #0 0x10396ee3e in kh_get_iv variable.c:292
    #1 0x103971c3e in iv_get variable.c:320
    #2 0x103971a6a in mrb_obj_iv_get variable.c:473
    #3 0x10387018c in mrb_class_path class.c:1595
    #4 0x103880ade in mrb_mod_to_s class.c:1786
    #5 0x10399eedf in mrb_vm_exec vm.c:1327
    #6 0x103993886 in mrb_vm_run vm.c:861
    #7 0x1039c79bf in mrb_top_run vm.c:2750
    #8 0x103a99d95 in mrb_load_exec parse.y:5780
    #9 0x103a9a6e5 in mrb_load_file_cxt parse.y:5789
    #10 0x103832a46 in main mruby.c:227
    #11 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==24005==Register values:
rax = 0x0000000000000001  rbx = 0x00007fff5c3c50a0  rcx = 0x0000100000000000  rdx = 0x0000000000000882
rdi = 0x0000100000000000  rsi = 0x0000000000000001  rbp = 0x00007fff5c3c4fb0  rsp = 0x00007fff5c3c4ed0
 r8 = 0x00007fff5c3c5000   r9 = 0x00000000000002a2  r10 = 0x000062f000001c48  r11 = 0x00001c5e00000389
r12 = 0x00007fff5c3c5200  r13 = 0x00007fff5c3c5220  r14 = 0x0000100000000000  r15 = 0x00007fff5c3c51e0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV variable.c:292 in kh_get_iv
==24005==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi
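The trace above ends in kh_get_iv being entered from iv_get with a read at address 0x1, i.e. a lookup that dereferences a pointer that is not a valid table. The report does not say which pointer that is, so the following is an added illustration, not mruby's code and not the fix in a8bf374: a minimal khash-style instance-variable table in which the table pointer stays NULL until the first ivar is stored, with an unguarded lookup (the failure class the title names) beside a guarded one that treats a missing table as "no ivars". All names (iv_tbl, obj_t, iv_get_unguarded, iv_get_guarded, iv_set, run_scenario) and the symbol id 42 are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t mrb_sym_t;   /* hypothetical: interned symbol id */
typedef int64_t  mrb_val_t;   /* hypothetical: a value, modelled as an integer */

#define IV_BUCKETS 8          /* fixed size keeps the model short; a real khash grows */

/* Open-addressing table with linear probing; a slot is live when used[i] != 0. */
typedef struct {
    mrb_sym_t     key[IV_BUCKETS];
    mrb_val_t     val[IV_BUCKETS];
    unsigned char used[IV_BUCKETS];
} iv_tbl;

/* Object header: iv is NULL until an ivar is stored (lazy allocation). */
typedef struct {
    iv_tbl *iv;
} obj_t;

/* kh_get-style probe.  Returns the slot index, or IV_BUCKETS when absent.
 * Assumes tbl != NULL: passing NULL reads through the zero page. */
static size_t iv_tbl_find(const iv_tbl *tbl, mrb_sym_t sym)
{
    for (size_t i = 0; i < IV_BUCKETS; i++) {
        size_t b = (sym + i) % IV_BUCKETS;
        if (!tbl->used[b]) return IV_BUCKETS;   /* empty slot ends the probe chain */
        if (tbl->key[b] == sym) return b;
    }
    return IV_BUCKETS;
}

/* Unguarded lookup: hands obj->iv to the probe unconditionally.  On an object
 * that never had an ivar stored this is a NULL dereference inside the probe. */
static int iv_get_unguarded(const obj_t *obj, mrb_sym_t sym, mrb_val_t *out)
{
    size_t b = iv_tbl_find(obj->iv, sym);
    if (b == IV_BUCKETS) return 0;
    *out = obj->iv->val[b];
    return 1;
}

/* Guarded lookup: a missing table simply means the ivar is not set. */
static int iv_get_guarded(const obj_t *obj, mrb_sym_t sym, mrb_val_t *out)
{
    if (obj->iv == NULL) return 0;
    size_t b = iv_tbl_find(obj->iv, sym);
    if (b == IV_BUCKETS) return 0;
    *out = obj->iv->val[b];
    return 1;
}

/* Store: allocates the table on first use, so only after this call is
 * obj->iv safe to pass to the unguarded lookup. */
static int iv_set(obj_t *obj, mrb_sym_t sym, mrb_val_t val)
{
    if (obj->iv == NULL) {
        obj->iv = calloc(1, sizeof *obj->iv);
        if (obj->iv == NULL) return 0;
    }
    for (size_t i = 0; i < IV_BUCKETS; i++) {
        size_t b = (sym + i) % IV_BUCKETS;
        if (!obj->iv->used[b] || obj->iv->key[b] == sym) {
            obj->iv->used[b] = 1;
            obj->iv->key[b]  = sym;
            obj->iv->val[b]  = val;
            return 1;
        }
    }
    return 0;  /* table full; the model does not resize */
}

/* Runs the scenario end to end; returns 1 when every step behaves as expected. */
static int run_scenario(void)
{
    obj_t cls = { NULL };            /* freshly created class-like object, no ivars */
    mrb_val_t v = -1;
    int ok = 1;
    ok &= (iv_get_guarded(&cls, 42, &v) == 0);    /* no table: not found, no crash */
    ok &= (iv_set(&cls, 42, 7) == 1);
    ok &= (iv_get_guarded(&cls, 42, &v) == 1) && (v == 7);
    ok &= (iv_get_unguarded(&cls, 42, &v) == 1);  /* only safe now that cls.iv exists */
    ok &= (iv_get_guarded(&cls, 43, &v) == 0);    /* different symbol: absent */
    free(cls.iv);
    return ok;
}

int main(void)
{
    printf("scenario ok=%d\n", run_scenario());
    return 0;
}
```

Calling iv_get_unguarded on the object before iv_set is the crash shape: the probe reads tbl->used[b] through a NULL tbl, which is exactly what ASAN reports as a SEGV in the zero page. The guard belongs in the lookup wrapper (here iv_get_guarded), not in every caller, since callers such as a class-path lookup have no way to know whether the object has ever had an ivar stored.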

@matz matz closed this in a8bf374 Jun 2, 2017
