Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap buffer overflow in mark_context_stack #3711

Closed
clayton-shopify opened this issue Jun 19, 2017 · 1 comment
Closed

Heap buffer overflow in mark_context_stack #3711

clayton-shopify opened this issue Jun 19, 2017 · 1 comment

Comments

@clayton-shopify
Copy link
Contributor

The following input demonstrates a crash:

def aa(n)
  if n >= 0
    instance_exec(x)
  end
rescue
    aa (n-1)
end

def x
yield
ensure
format 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
end


GC.start

g = Fiber.new do
x {yield}
end
begin
  g.resume
rescue
end
aa(100)

ASAN report:

==44834==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f00000ec80 at pc 0x00010e8e72f8 bp 0x7fff517134d0 sp 0x7fff51712c80
READ of size 16 at 0x61f00000ec80 thread T0
    #0 0x10e8e72f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
    #1 0x10e55884c in mark_context_stack gc.c:563
    #2 0x10e557d0f in mark_context gc.c:583
    #3 0x10e559be3 in gc_mark_children gc.c:670
    #4 0x10e558bdf in gc_gray_mark gc.c:894
    #5 0x10e556bf6 in incremental_marking_phase gc.c:989
    #6 0x10e555f23 in incremental_gc gc.c:1102
    #7 0x10e551a66 in incremental_gc_until gc.c:1127
    #8 0x10e550d64 in mrb_incremental_gc gc.c:1178
    #9 0x10e550678 in mrb_obj_alloc gc.c:511
    #10 0x10e5ceb1c in str_new string.c:59
    #11 0x10e5ce91f in mrb_str_new string.c:193
    #12 0x10e596455 in mrb_fixnum_to_str numeric.c:1208
    #13 0x10e59e7a5 in fix_to_s numeric.c:1233
    #14 0x10e62ca32 in mrb_funcall_with_block vm.c:454
    #15 0x10e629a07 in mrb_funcall_argv vm.c:471
    #16 0x10e5ae4fe in convert_type object.c:320
    #17 0x10e5aecfb in mrb_convert_type object.c:342
    #18 0x10e5d4421 in mrb_str_to_str string.c:1038
    #19 0x10e66fc8b in mrb_str_format sprintf.c:555
    #20 0x10e66f0e9 in mrb_f_sprintf sprintf.c:516
    #21 0x10e64304e in mrb_vm_exec vm.c:1396
    #22 0x10e637654 in mrb_vm_run vm.c:879
    #23 0x10e62f4ee in mrb_run vm.c:2868
    #24 0x10e66a2b0 in ecall vm.c:328
    #25 0x10e6513dd in mrb_vm_exec vm.c:2034
    #26 0x10e637654 in mrb_vm_run vm.c:879
    #27 0x10e66d0ff in mrb_top_run vm.c:2883
    #28 0x10e74526d in mrb_load_exec parse.y:5823
    #29 0x10e746085 in mrb_load_file_cxt parse.y:5832
    #30 0x10e4d63a3 in main mruby.c:227
    #31 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

0x61f00000ec80 is located 0 bytes to the right of 3072-byte region [0x61f00000e080,0x61f00000ec80)
allocated by thread T0 here:
    #0 0x10e8f0520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10e5caf65 in mrb_default_allocf state.c:60
    #2 0x10e54bdb8 in mrb_realloc_simple gc.c:204
    #3 0x10e54c50e in mrb_realloc gc.c:218
    #4 0x10e66db8f in stack_extend_alloc vm.c:165
    #5 0x10e62e7af in stack_extend vm.c:186
    #6 0x10e637504 in mrb_vm_run vm.c:876
    #7 0x10e62f4ee in mrb_run vm.c:2868
    #8 0x10e66a2b0 in ecall vm.c:328
    #9 0x10e64de5e in mrb_vm_exec vm.c:1898
    #10 0x10e637654 in mrb_vm_run vm.c:879
    #11 0x10e66d0ff in mrb_top_run vm.c:2883
    #12 0x10e74526d in mrb_load_exec parse.y:5823
    #13 0x10e746085 in mrb_load_file_cxt parse.y:5832
    #14 0x10e4d63a3 in main mruby.c:227
    #15 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c3e00001d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3e00001d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3e00001d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3e00001d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3e00001d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c3e00001d90:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3e00001da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3e00001db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3e00001dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3e00001dd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3e00001de0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==44834==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi

miura1729 added a commit to miura1729/mruby that referenced this issue Jun 20, 2017
matz added a commit that referenced this issue Jun 20, 2017
@matz
Copy link
Member

matz commented Jun 20, 2017

closed by #3718

@matz matz closed this as completed Jun 20, 2017
@matz matz mentioned this issue Jul 4, 2017
matz added a commit that referenced this issue Nov 29, 2017
matz added a commit that referenced this issue Nov 29, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants