New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap buffer overflow in OP_SEND #3692

Closed
clayton-shopify opened this Issue Jun 5, 2017 · 1 comment

Comments

Projects
None yet
1 participant
@clayton-shopify
Contributor

clayton-shopify commented Jun 5, 2017

The following input demonstrates a crash:

def a(n)
  if n >= 0
    instance_exec(0) {}
    a(n-1)
  end
end

a(1000)

ASAN report:

==59006==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62300000dd00 at pc 0x00010a51f2f8 bp 0x7fff55ae2f90 sp 0x7fff55ae2740
READ of size 16 at 0x62300000dd00 thread T0
    #0 0x10a51f2f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
    #1 0x10a281cc6 in mrb_vm_exec (mruby:x86_64+0x10016ecc6)
    #2 0x10a2762e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #3 0x10a2aae0f in mrb_top_run (mruby:x86_64+0x100197e0f)
    #4 0x10a37d9d5 in mrb_load_exec (mruby:x86_64+0x10026a9d5)
    #5 0x10a37e325 in mrb_load_file_cxt (mruby:x86_64+0x10026b325)
    #6 0x10a1155b6 in main mruby.c:227
    #7 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

0x62300000dd00 is located 0 bytes to the right of 6144-byte region [0x62300000c500,0x62300000dd00)
allocated by thread T0 here:
    #0 0x10a528520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10a209be5 in mrb_default_allocf (mruby:x86_64+0x1000f6be5)
    #2 0x10a18a958 in mrb_realloc_simple gc.c:203
    #3 0x10a18b0ae in mrb_realloc gc.c:217
    #4 0x10a2ab89f in stack_extend_alloc (mruby:x86_64+0x10019889f)
    #5 0x10a26d42f in stack_extend (mruby:x86_64+0x10015a42f)
    #6 0x10a282b9e in mrb_vm_exec (mruby:x86_64+0x10016fb9e)
    #7 0x10a2762e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #8 0x10a2aae0f in mrb_top_run (mruby:x86_64+0x100197e0f)
    #9 0x10a37d9d5 in mrb_load_exec (mruby:x86_64+0x10026a9d5)
    #10 0x10a37e325 in mrb_load_file_cxt (mruby:x86_64+0x10026b325)
    #11 0x10a1155b6 in main mruby.c:227
    #12 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c4600001b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4600001b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4600001b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4600001b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4600001b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c4600001ba0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4600001bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4600001bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4600001bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4600001be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4600001bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==59006==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/flamezzz

@clayton-shopify

This comment has been minimized.

Show comment
Hide comment
@clayton-shopify

clayton-shopify Jun 5, 2017

Contributor

It appears this was introduced by c041206.

Contributor

clayton-shopify commented Jun 5, 2017

It appears this was introduced by c041206.

@matz matz closed this in edb5b36 Jun 13, 2017

matz added a commit that referenced this issue Jun 13, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment