Null pointer dereference in kh_put_iv #3702

Closed
clayton-shopify opened this Issue Jun 14, 2017 · 0 comments

clayton-shopify commented Jun 14, 2017

The following input demonstrates a crash:

```ruby
def a
  yield
rescue *nil
ensure
  GC.start { return }
end

a { foo a }
```

ASAN report:

```
==2933==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0001058c063f bp 0x7fff5a474790 sp 0x7fff5a474530 T0)
==2933==The signal is caused by a READ memory access.
==2933==Hint: address points to the zero page.
    #0 0x1058c063e in kh_put_iv (mruby:x86_64+0x10013f63e)
    #1 0x1058c3e7e in iv_put (mruby:x86_64+0x100142e7e)
    #2 0x1058c3749 in mrb_obj_iv_set (mruby:x86_64+0x100142749)
    #3 0x1057e4d6c in exc_debug_info (mruby:x86_64+0x100063d6c)
    #4 0x1057e447c in mrb_exc_set (mruby:x86_64+0x10006347c)
    #5 0x1058ebe60 in mrb_vm_exec (mruby:x86_64+0x10016ae60)
    #6 0x1058e4234 in mrb_vm_run (mruby:x86_64+0x100163234)
    #7 0x105918d5f in mrb_top_run (mruby:x86_64+0x100197d5f)
    #8 0x1059eb38d in mrb_load_exec (mruby:x86_64+0x10026a38d)
    #9 0x1059ec1a5 in mrb_load_file_cxt (mruby:x86_64+0x10026b1a5)
    #10 0x105782e53 in main mruby.c:227
    #11 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==2933==Register values:
rax = 0x0000000105a2c9e0  rbx = 0x00007fff5a4747e0  rcx = 0x0000000000000000  rdx = 0x0000100000000000
rdi = 0x0000100000000000  rsi = 0x0000100000000000  rbp = 0x00007fff5a474790  rsp = 0x00007fff5a474530
 r8 = 0x0000100000000000   r9 = 0x000062f000001a00  r10 = 0x0000000106905a48  r11 = 0xc5a26ad41d7c003a
r12 = 0x0000100000000000  r13 = 0x00007fff5a47c1a0  r14 = 0xf2f20000f1f1f1f1  r15 = 0x00001fffeb48f834
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (mruby:x86_64+0x10013f63e) in kh_put_iv
==2933==ABORTING
Abort trap: 6
```

This issue was reported by https://hackerone.com/ssarong
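As an added triage example that is not part of this issue or of mruby's own code: a Ruby script that parses the ASAN report above into its signal kind, faulting address, access type and stack frames, classifies the crash (a READ of the zero page is a plain null pointer dereference, which on its own is a denial of service rather than a write primitive), and builds a deduplication signature from the top frames, as fuzzing pipelines do when bucketing crashes. The report text is embedded inline from the issue so the script runs offline; the function names, the `:null_read`/`:null_write`/`:wild_access` labels and the near-null threshold are the example's own assumptions.

```ruby
# Added example, not mruby project code: parse and triage an ASAN SEGV report.
# The report below is the one from the issue, embedded inline for offline use.
ASAN_REPORT = <<~'REPORT'
==2933==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0001058c063f bp 0x7fff5a474790 sp 0x7fff5a474530 T0)
==2933==The signal is caused by a READ memory access.
==2933==Hint: address points to the zero page.
    #0 0x1058c063e in kh_put_iv (mruby:x86_64+0x10013f63e)
    #1 0x1058c3e7e in iv_put (mruby:x86_64+0x100142e7e)
    #2 0x1058c3749 in mrb_obj_iv_set (mruby:x86_64+0x100142749)
    #3 0x1057e4d6c in exc_debug_info (mruby:x86_64+0x100063d6c)
    #4 0x1057e447c in mrb_exc_set (mruby:x86_64+0x10006347c)
    #5 0x1058ebe60 in mrb_vm_exec (mruby:x86_64+0x10016ae60)
    #6 0x1058e4234 in mrb_vm_run (mruby:x86_64+0x100163234)
    #7 0x105918d5f in mrb_top_run (mruby:x86_64+0x100197d5f)
    #8 0x1059eb38d in mrb_load_exec (mruby:x86_64+0x10026a38d)
    #9 0x1059ec1a5 in mrb_load_file_cxt (mruby:x86_64+0x10026b1a5)
    #10 0x105782e53 in main mruby.c:227
    #11 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: SEGV (mruby:x86_64+0x10013f63e) in kh_put_iv
REPORT

Frame = Struct.new(:index, :pc, :function, :location)

# Pull the signal kind, faulting address, access direction, the zero-page
# hint and the numbered stack frames out of an ASAN SEGV report.
def parse_asan_report(text)
  result = { kind: nil, address: nil, access: nil, zero_page: false, frames: [] }
  text.each_line do |line|
    case line
    when /ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-f]+)/
      result[:kind] = $1
      result[:address] = $2.to_i(16)
    when /The signal is caused by a (READ|WRITE) memory access/
      result[:access] = $1.downcase.to_sym
    when /Hint: address points to the zero page/
      result[:zero_page] = true
    when /^\s*#(\d+) (0x[0-9a-f]+) in (\S+) (.*)$/
      result[:frames] << Frame.new($1.to_i, $2.to_i(16), $3, $4.strip)
    end
  end
  result
end

# Classify the SEGV. A READ of the zero page (or of an address within the
# first page; 4096 bytes is this example's assumed threshold) is a plain
# null pointer dereference: a crash, not a corruption primitive by itself.
# A WRITE near null, or any access far from zero, deserves a closer look.
def classify_crash(report)
  return :not_a_segv unless report[:kind] == "SEGV"
  near_null = report[:zero_page] || (report[:address] && report[:address] < 4096)
  return :wild_access unless near_null
  report[:access] == :write ? :null_write : :null_read
end

# Deduplication signature: the top N function names, which is what crash
# bucketing in fuzzing pipelines typically keys on.
def crash_signature(report, depth = 3)
  report[:frames].first(depth).map(&:function).join(" <- ")
end

if __FILE__ == $PROGRAM_NAME
  report = parse_asan_report(ASAN_REPORT)
  puts "kind=#{report[:kind]} access=#{report[:access]} addr=0x#{report[:address].to_s(16)}"
  puts "class=#{classify_crash(report)}"
  puts "signature=#{crash_signature(report)}"
end
```

For the report in this issue the script classifies the crash as a null read in `kh_put_iv` with signature `kh_put_iv <- iv_put <- mrb_obj_iv_set`, which is the bucket a second reproducer hitting the same path would fall into.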
