Null pointer dereference in fiber_switch #3705

Closed
clayton-shopify opened this Issue Jun 14, 2017 · 0 comments


clayton-shopify commented Jun 14, 2017

The following input demonstrates a crash:

f = Fiber.new do          # create a fiber and let GC run before it is ever resumed
end
GC.start

def a(n)                  # recursion driven by the rescue clause: instance_exec(x) raises
  if n >= 0               # NameError (x is undefined), so each level re-enters via rescue
    instance_exec(x)
  end
rescue
  a (n-1)
end
a (10)
f.initialize{break}       # re-initialize the already constructed fiber with a new block
a (100)
f.resume                  # resuming the re-initialized fiber crashes in fiber_switch

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==3022==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00010cc00ab3 bp 0x7fff531fbcc0 sp 0x7fff531fb800 T0)
==3022==The signal is caused by a READ memory access.
==3022==Hint: address points to the zero page.
    #0 0x10cc00ab2 in fiber_switch (mruby:x86_64+0x100206ab2)
    #1 0x10cc03705 in fiber_resume (mruby:x86_64+0x100209705)
    #2 0x10cb685eb in mrb_vm_exec (mruby:x86_64+0x10016e5eb)
    #3 0x10cb5d234 in mrb_vm_run (mruby:x86_64+0x100163234)
    #4 0x10cb91d5f in mrb_top_run (mruby:x86_64+0x100197d5f)
    #5 0x10cc6438d in mrb_load_exec (mruby:x86_64+0x10026a38d)
    #6 0x10cc651a5 in mrb_load_file_cxt (mruby:x86_64+0x10026b1a5)
    #7 0x10c9fbe53 in main mruby.c:227
    #8 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==3022==Register values:
rax = 0x0000000000000010  rbx = 0x00007fff531fb8c0  rcx = 0x0000000000000018  rdx = 0x0000000000000010
rdi = 0x0000100000000000  rsi = 0x0000100000000000  rbp = 0x00007fff531fbcc0  rsp = 0x00007fff531fb800
 r8 = 0x0000100000000000   r9 = 0x7cea5b12a4c0003f  r10 = 0x00007fff531fb840  r11 = 0x00001fffea63f708
r12 = 0x0000100000000000  r13 = 0x00007fff532031a0  r14 = 0x0000100000000000  r15 = 0x00007fff531fb8a0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (mruby:x86_64+0x100206ab2) in fiber_switch
==3022==ABORTING
Abort trap: 6
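An added triage helper for reports like the one above, not part of the original issue or of mruby: it parses an ASAN SEGV report and flags a fault address below the first page as a null-pointer dereference, where the small offset (here 0x18) is typically a struct field read through a NULL pointer. The embedded sample is a constructed, trimmed copy of the report in this issue; the 4096-byte page size and the classification thresholds are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the ASAN SEGV report from this issue, trimmed to the lines the parser uses.
SAMPLE_REPORT = """\
ASAN:DEADLYSIGNAL
==3022==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00010cc00ab3 bp 0x7fff531fbcc0 sp 0x7fff531fb800 T0)
==3022==The signal is caused by a READ memory access.
==3022==Hint: address points to the zero page.
    #0 0x10cc00ab2 in fiber_switch (mruby:x86_64+0x100206ab2)
    #1 0x10cc03705 in fiber_resume (mruby:x86_64+0x100209705)
    #2 0x10cb685eb in mrb_vm_exec (mruby:x86_64+0x10016e5eb)
SUMMARY: AddressSanitizer: SEGV (mruby:x86_64+0x100206ab2) in fiber_switch
"""

PAGE_SIZE = 4096  # assumption: first page is unmapped, so addresses below it are NULL + offset


@dataclass
class SegvTriage:
    fault_address: int
    access: str                 # "READ", "WRITE" or "UNKNOWN"
    zero_page_hint: bool        # ASAN's own "points to the zero page" hint was present
    frames: list = field(default_factory=list)
    classification: str = ""

    @property
    def top_frame(self) -> str:
        return self.frames[0] if self.frames else "?"


def parse_asan_segv(report: str) -> SegvTriage:
    """Extract fault address, access kind and symbolized frames from an ASAN SEGV report."""
    addr_m = re.search(r"AddressSanitizer: SEGV on unknown address 0x([0-9a-fA-F]+)", report)
    if not addr_m:
        raise ValueError("not an AddressSanitizer SEGV report")
    addr = int(addr_m.group(1), 16)

    access_m = re.search(r"caused by a (READ|WRITE) memory access", report)
    access = access_m.group(1) if access_m else "UNKNOWN"

    # Frame lines look like "    #0 0x10cc00ab2 in fiber_switch (mruby:x86_64+0x100206ab2)".
    frames = re.findall(r"^\s*#\d+\s+0x[0-9a-fA-F]+ in (\S+)", report, re.M)

    triage = SegvTriage(addr, access, "points to the zero page" in report, frames)
    triage.classification = classify(triage)
    return triage


def classify(t: SegvTriage) -> str:
    """Coarse bucket for a SEGV: near-NULL field access vs. arbitrary wild pointer."""
    if t.fault_address < PAGE_SIZE:
        # A small fault address is NULL plus a field offset: the code dereferenced a
        # pointer that was never set (or was cleared) and read a member through it.
        return (f"null-pointer dereference: {t.access} at NULL+0x{t.fault_address:x} "
                f"in {t.top_frame}")
    return f"wild pointer {t.access} at 0x{t.fault_address:x} in {t.top_frame}"


if __name__ == "__main__":
    t = parse_asan_segv(SAMPLE_REPORT)
    print(t.classification)
    print("call chain:", " <- ".join(t.frames))
```

The 0x18 offset matters for triage: it says the crashing code read a field at that offset through a NULL struct pointer, so the fix is an initialization or state check before the pointer is used, not a bounds problem. The same parser can be pointed at any ASAN SEGV report from a fuzzing run to separate near-NULL faults from the higher-severity wild reads and writes.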

This issue was reported by https://hackerone.com/ahihi

@matz matz closed this in 47bd44f Jun 15, 2017
