Null pointer dereference in mrb_obj_iv_get #3704

Closed
clayton-shopify opened this Issue Jun 14, 2017 · 0 comments

clayton-shopify commented Jun 14, 2017

The following input demonstrates a crash when supplied to mirb: 239564.txt
ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==3010==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x000101c14f27 bp 0x7fff5e1151f0 sp 0x7fff5e115080 T0)
==3010==The signal is caused by a READ memory access.
==3010==Hint: address points to the zero page.
    #0 0x101c14f26 in mrb_obj_iv_get (mirb:x86_64+0x100142f26)
    #1 0x101b1376c in mrb_class_path (mirb:x86_64+0x10004176c)
    #2 0x101b14faf in mrb_class_name (mirb:x86_64+0x100042faf)
    #3 0x101b15a92 in mrb_obj_classname (mirb:x86_64+0x100043a92)
    #4 0x101bb0bfa in mrb_any_to_s (mirb:x86_64+0x1000debfa)
    #5 0x101b7982f in mrb_method_missing (mirb:x86_64+0x1000a782f)
    #6 0x101c411d8 in mrb_vm_exec (mirb:x86_64+0x10016f1d8)
    #7 0x101c36d64 in mrb_vm_run (mirb:x86_64+0x100164d64)
    #8 0x101c2ebfe in mrb_run (mirb:x86_64+0x10015cbfe)
    #9 0x101c2c544 in mrb_funcall_with_block (mirb:x86_64+0x10015a544)
    #10 0x101c29117 in mrb_funcall_argv (mirb:x86_64+0x100157117)
    #11 0x101badc0e in convert_type (mirb:x86_64+0x1000dbc0e)
    #12 0x101bae40b in mrb_convert_type (mirb:x86_64+0x1000dc40b)
    #13 0x101bd3b31 in mrb_str_to_str (mirb:x86_64+0x100101b31)
    #14 0x101c6e41b in mrb_str_format (mirb:x86_64+0x10019c41b)
    #15 0x101c6d879 in mrb_f_sprintf (mirb:x86_64+0x10019b879)
    #16 0x101c4211b in mrb_vm_exec (mirb:x86_64+0x10017011b)
    #17 0x101c36d64 in mrb_vm_run (mirb:x86_64+0x100164d64)
    #18 0x101ad4aa9 in main mirb.c:549
    #19 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==3010==Register values:
rax = 0x0000000000000018  rbx = 0x00007fff5e1150e0  rcx = 0x000061400000a440  rdx = 0x00001fffebc22a10
rdi = 0x00007fff5e1150a0  rsi = 0x0000000000000000  rbp = 0x00007fff5e1151f0  rsp = 0x00007fff5e115080
 r8 = 0x00007fff5e1150c0   r9 = 0x00000000000002aa  r10 = 0x0000000000000018  r11 = 0x0000100000000003
r12 = 0x00007fff5e115240  r13 = 0x00007fff5e115260  r14 = 0x0000100000000000  r15 = 0x00007fff5e115220
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (mirb:x86_64+0x100142f26) in mrb_obj_iv_get
==3010==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong

matz closed this in 8daabe7 on Jun 16, 2017