Null pointer dereference in mrb_obj_iv_get #3694

Closed
clayton-shopify opened this Issue Jun 5, 2017 · 0 comments


clayton-shopify commented Jun 5, 2017

The following input demonstrates a crash:

def c
yield
ensure
h {
    j = a = c = x = Array.new
    r = j
    1.times do end
    u = u.to_s
}

f
end


def j
    yield
    ensure
    def i
    end
end

def h
yield
end

def f
yield
ensure
p j
end

lambda{ c{ c{ c{ return proc{}}}}}.call

It seems this problem was introduced by 7ff90b5.

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==71792==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00010039c497 bp 0x7fff5f991190 sp 0x7fff5f991020 T0)
==71792==The signal is caused by a READ memory access.
==71792==Hint: address points to the zero page.
    #0 0x10039c496 in mrb_obj_iv_get (mruby:x86_64+0x100141496)
    #1 0x10029acfc in mrb_class_path (mruby:x86_64+0x10003fcfc)
    #2 0x10029c53f in mrb_class_name (mruby:x86_64+0x10004153f)
    #3 0x10029d022 in mrb_obj_classname (mruby:x86_64+0x100042022)
    #4 0x10033816a in mrb_any_to_s (mruby:x86_64+0x1000dd16a)
    #5 0x100300d9f in mrb_method_missing (mruby:x86_64+0x1000a5d9f)
    #6 0x1003c8a2a in mrb_vm_exec (mruby:x86_64+0x10016da2a)
    #7 0x1003be2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #8 0x1003b616e in mrb_run (mruby:x86_64+0x10015b16e)
    #9 0x1003f02c9 in ecall (mruby:x86_64+0x1001952c9)
    #10 0x1003ee203 in mrb_vm_exec (mruby:x86_64+0x100193203)
    #11 0x1003be2e6 in mrb_vm_run (mruby:x86_64+0x1001632e6)
    #12 0x1003f2e0f in mrb_top_run (mruby:x86_64+0x100197e0f)
    #13 0x1004c59d5 in mrb_load_exec (mruby:x86_64+0x10026a9d5)
    #14 0x1004c6325 in mrb_load_file_cxt (mruby:x86_64+0x10026b325)
    #15 0x10025d5b6 in main mruby.c:227
    #16 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==71792==Register values:
rax = 0x0000000000000018  rbx = 0x00007fff5f991080  rcx = 0x000061400000a440  rdx = 0x00001fffebf32204
rdi = 0x00007fff5f991040  rsi = 0x0000000000000000  rbp = 0x00007fff5f991190  rsp = 0x00007fff5f991020
 r8 = 0x00007fff5f991060   r9 = 0x00000000000002a8  r10 = 0x0000000000000018  r11 = 0x0000100000000003
r12 = 0x00007fff5f9911e0  r13 = 0x00007fff5f991200  r14 = 0x0000100000000000  r15 = 0x00007fff5f9911c0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (mruby:x86_64+0x100141496) in mrb_obj_iv_get
==71792==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi
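A small triage helper for reports like the one above, added here as an example (it is not part of the issue or of mruby): it pulls the faulting address, access type and call chain out of the ASAN SEGV output and flags a near-zero address as a NULL dereference with a struct member offset rather than a wild pointer. The report text is the one quoted above (abridged); the 4 KiB zero-page assumption is mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the AddressSanitizer output quoted in the issue above (abridged).
ASAN_REPORT = """\
ASAN:DEADLYSIGNAL
==71792==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00010039c497 bp 0x7fff5f991190 sp 0x7fff5f991020 T0)
==71792==The signal is caused by a READ memory access.
==71792==Hint: address points to the zero page.
    #0 0x10039c496 in mrb_obj_iv_get (mruby:x86_64+0x100141496)
    #1 0x10029acfc in mrb_class_path (mruby:x86_64+0x10003fcfc)
    #2 0x10029c53f in mrb_class_name (mruby:x86_64+0x10004153f)
SUMMARY: AddressSanitizer: SEGV (mruby:x86_64+0x100141496) in mrb_obj_iv_get
"""

PAGE_SIZE = 0x1000  # assumption: the first page is unmapped on the target platform

@dataclass
class SegvTriage:
    pid: int
    address: int
    access: str                        # READ, WRITE or UNKNOWN
    frames: List[str]                  # function names, innermost (#0) first
    null_deref_offset: Optional[int]   # set when the address lies in the zero page

_HDR = re.compile(r"==(\d+)==ERROR: AddressSanitizer: SEGV on unknown address (0x[0-9a-f]+)")
_ACCESS = re.compile(r"signal is caused by a (READ|WRITE) memory access")
_FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+)", re.M)

def triage_segv(report: str) -> SegvTriage:
    hdr = _HDR.search(report)
    if hdr is None:
        raise ValueError("not an ASAN SEGV report")
    pid, addr = int(hdr.group(1)), int(hdr.group(2), 16)
    acc = _ACCESS.search(report)
    frames = [m.group(2) for m in _FRAME.finditer(report)]
    # An address inside the zero page is NULL plus a member offset: 0x18 here is
    # the field at offset 24 of a struct reached through a NULL pointer.
    offset = addr if addr < PAGE_SIZE else None
    return SegvTriage(pid, addr, acc.group(1) if acc else "UNKNOWN", frames, offset)

def summarize(t: SegvTriage) -> str:
    kind = (f"NULL pointer dereference (member offset {t.null_deref_offset:#x})"
            if t.null_deref_offset is not None else "wild/invalid pointer access")
    return f"{kind}: {t.access} in {t.frames[0]} <- {' <- '.join(t.frames[1:])}"

if __name__ == "__main__":
    print(summarize(triage_segv(ASAN_REPORT)))
```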

@matz matz closed this in b979226 Jun 13, 2017
