
Crash due to invalid read in mrb_obj_alloc #3712

Closed
clayton-shopify opened this Issue Jun 19, 2017 · 1 comment

clayton-shopify (Contributor) commented Jun 19, 2017

The following input demonstrates a crash:

"1".upto("10000") {}

It appears the problem was introduced in e96f254.

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==49777==ERROR: AddressSanitizer: SEGV on unknown address 0x63003235354a (pc 0x00010c6f97a0 bp 0x7fff535778b0 sp 0x7fff53577660 T0)
    #0 0x10c6f979f in mrb_obj_alloc gc.c:518
    #1 0x10c777b1c in str_new string.c:59
    #2 0x10c77791f in mrb_str_new string.c:193
    #3 0x10c86420c in mrb_str_upto (mruby:x86_64+0x1001e720c)
    #4 0x10c7ec04e in mrb_vm_exec vm.c:1396
    #5 0x10c7e0654 in mrb_vm_run vm.c:879
    #6 0x10c8160ff in mrb_top_run vm.c:2883
    #7 0x10c8ee26d in mrb_load_exec parse.y:5823
    #8 0x10c8ef085 in mrb_load_file_cxt parse.y:5832
    #9 0x10c67f3a3 in main mruby.c:227
    #10 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==49777==Register values:
rax = 0x000063003235354a  rbx = 0x00007fff535776a0  rcx = 0x000063003235354a  rdx = 0x00001c600646a6a9
rdi = 0x0000100000000000  rsi = 0x0000100000000000  rbp = 0x00007fff535778b0  rsp = 0x00007fff53577660
 r8 = 0x0000000000000010   r9 = 0x000061400000a500  r10 = 0x0000000000000004  r11 = 0x000000010c921ce4
r12 = 0x00007fff53577b80  r13 = 0x00007fff53577ba0  r14 = 0x00007fff53577b40  r15 = 0x00007fff53577b60
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gc.c:518 in mrb_obj_alloc
==49777==ABORTING
Abort trap: 6

This issue was reported by Dinko Galetic & Denis Kasak (https://hackerone.com/dgaletic).
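The following regression check is an added example, not part of this report or of the mruby test suite. It drives the reporter's input through String#upto and also forces a GC cycle at intervals, because the crash above sits in the allocation that String#upto's numeric path performs for every yielded value, and a GC-arena mistake on that path is far more likely to surface when collections are forced during the loop. It assumes only that `GC.start` is available (it is in mruby's core GC module and in CRuby); the helper names are constructed here.

```ruby
# Added regression check, not code from the mruby repository or this report.
# String#upto on two all-digit strings takes the numeric path, which builds a
# fresh String for every yielded value; that is the allocation that crashed
# in mrb_obj_alloc above. Forcing a GC cycle every `gc_every` yields makes a
# GC-arena mistake in that path show up far more reliably than a plain loop.

# Collect every value yielded by from.upto(to), optionally forcing GC on the way.
def upto_strings(from, to, gc_every = 0)
  seen = []
  from.upto(to) do |s|
    seen << s
    GC.start if gc_every > 0 && seen.size % gc_every == 0
  end
  seen
end

# The numeric path must yield exactly what Integer#upto would, as strings.
def upto_matches_integers?(from, to, gc_every = 0)
  got  = upto_strings(from, to, gc_every)
  want = []
  from.to_i.upto(to.to_i) { |i| want << i.to_s }
  got == want
end

# Run the reporter's input plus a few boundary cases; returns a list of
# [label, passed] pairs so a caller can see which case failed.
def upto_regression_results
  [
    ["reporter input, GC every 1000", upto_matches_integers?("1", "10000", 1000)],
    ["single digit span",             upto_matches_integers?("1", "9")],
    ["crosses a width boundary",      upto_matches_integers?("9", "11")],
    ["empty range yields nothing",    upto_strings("5", "1") == []],
    ["equal bounds yield once",       upto_strings("7", "7") == ["7"]],
  ]
end

if __FILE__ == $0
  upto_regression_results.each do |label, ok|
    puts "#{ok ? 'ok  ' : 'FAIL'} #{label}"
  end
end
```

Run it under the mruby build being tested (`mruby upto_check.rb`); on a build carrying the defect the first case aborts in mrb_obj_alloc as in the ASAN report, while a fixed build prints `ok` for every case. The boundary cases are there because the single-character and multi-digit inputs take different branches of String#upto, so a fix for one branch should be checked against the others.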

Asmod4n (Contributor) commented Jun 19, 2017

Got a fix, PR incoming.

Asmod4n added a commit to Asmod4n/mruby that referenced this issue Jun 19, 2017

Save gc_arena after buffer got allocated
Latest fix was freeing the buffer while it was still in use.
Fixes #3712

@matz matz closed this in #3713 Jun 20, 2017

@matz matz referenced this issue Jul 4, 2017

Closed

1.3.0 Changes #3140

tsahara added a commit to iij/mruby that referenced this issue Feb 13, 2018

Save gc_arena after buffer got allocated
Latest fix was freeing the buffer while it was still in use.
Fixes #3712