Heap buffer overflow in OP_GETCONST #3693

Closed
clayton-shopify opened this Issue Jun 5, 2017 · 1 comment

Contributor

clayton-shopify commented Jun 5, 2017

The following input demonstrates a crash:

def one
  too { yield }
end
begin;1;rescue => e1;e1;end;

def too
  yield
ensure
  one { break }
end

one

ASAN report:

==59106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e000017470 at pc 0x00010b6ea4ca bp 0x7fff54085f90 sp 0x7fff54085740
WRITE of size 16 at 0x62e000017470 thread T0
    #0 0x10b6ea4c9 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9)
    #1 0x10b443ac6 in mrb_vm_exec (mruby:x86_64+0x100167ac6)
    #2 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #3 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #4 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #5 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #6 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #7 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #8 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #9 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #10 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #11 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #12 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #13 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #14 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #15 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #16 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #17 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #18 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #19 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #20 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #21 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #22 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #23 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #24 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #25 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #26 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #27 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #28 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #29 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #30 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #31 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #32 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #33 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #34 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #35 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #36 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #37 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #38 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #39 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #40 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #41 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #42 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #43 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #44 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #45 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #46 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #47 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #48 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #49 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #50 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #51 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #52 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #53 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #54 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #55 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #56 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #57 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #58 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #59 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #60 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #61 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #62 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #63 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #64 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #65 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #66 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #67 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #68 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #69 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #70 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #71 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #72 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #73 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #74 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #75 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #76 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #77 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #78 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #79 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #80 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #81 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #82 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #83 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #84 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #85 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #86 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #87 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #88 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #89 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #90 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #91 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #92 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #93 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #94 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #95 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #96 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #97 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #98 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #99 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #100 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #101 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #102 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #103 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #104 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #105 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #106 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #107 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #108 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #109 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #110 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #111 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #112 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #113 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #114 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #115 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #116 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #117 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #118 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #119 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #120 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #121 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #122 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #123 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #124 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #125 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #126 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #127 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #128 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #129 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #130 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #131 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #132 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #133 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #134 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #135 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #136 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #137 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #138 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #139 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #140 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #141 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #142 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #143 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #144 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #145 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #146 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #147 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #148 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #149 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #150 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #151 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #152 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #153 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #154 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #155 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #156 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #157 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #158 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #159 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #160 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #161 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #162 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #163 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #164 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #165 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #166 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #167 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #168 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #169 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #170 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #171 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #172 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #173 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #174 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #175 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #176 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #177 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #178 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #179 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #180 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #181 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #182 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #183 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #184 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #185 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #186 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #187 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #188 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #189 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #190 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #191 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #192 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #193 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #194 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #195 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #196 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #197 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #198 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #199 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #200 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #201 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #202 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #203 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #204 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #205 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #206 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #207 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #208 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #209 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #210 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #211 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #212 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #213 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #214 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #215 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #216 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #217 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #218 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #219 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #220 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #221 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #222 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #223 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #224 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #225 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #226 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #227 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #228 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #229 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #230 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #231 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #232 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #233 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #234 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #235 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #236 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #237 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #238 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #239 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #240 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #241 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #242 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #243 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #244 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #245 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #246 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #247 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #248 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #249 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #250 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #251 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #252 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #253 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #254 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #255 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)

0x62e000017470 is located 0 bytes to the right of 45168-byte region [0x62e00000c400,0x62e000017470)
allocated by thread T0 here:
    #0 0x10b6f3520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10b3d2be5 in mrb_default_allocf (mruby:x86_64+0x1000f6be5)
    #2 0x10b353958 in mrb_realloc_simple gc.c:203
    #3 0x10b3540ae in mrb_realloc gc.c:217
    #4 0x10b47489f in stack_extend_alloc (mruby:x86_64+0x10019889f)
    #5 0x10b43642f in stack_extend (mruby:x86_64+0x10015a42f)
    #6 0x10b43f184 in mrb_vm_run (mruby:x86_64+0x100163184)
    #7 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #8 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #9 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #10 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #11 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #12 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #13 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #14 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #15 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #16 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #17 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #18 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #19 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #20 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #21 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #22 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #23 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #24 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #25 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)
    #26 0x10b43f2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #27 0x10b43716e in mrb_run (mruby:x86_64+0x10015b16e)
    #28 0x10b4712c9 in ecall (mruby:x86_64+0x1001952c9)
    #29 0x10b45861b in mrb_vm_exec (mruby:x86_64+0x10017c61b)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c5c00002e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5c00002e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5c00002e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5c00002e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5c00002e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c5c00002e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa
  0x1c5c00002e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5c00002ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5c00002eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5c00002ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5c00002ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==59106==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/flamezzz

Contributor

clayton-shopify commented Jun 5, 2017

It seems this issue was introduced by c53747d.

@matz matz closed this in 988e2ce Jun 15, 2017
