Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Null pointer dereference in mrb_obj_iv_get #3715

Closed
clayton-shopify opened this issue Jun 19, 2017 · 1 comment
Closed

Null pointer dereference in mrb_obj_iv_get #3715

clayton-shopify opened this issue Jun 19, 2017 · 1 comment

Comments

@clayton-shopify
Copy link
Contributor

clayton-shopify commented Jun 19, 2017

The following input demonstrates a crash:

b = []
c = (0..0)
d = 0
e = ""
begin
  z = x
rescue
end
1.instance_exec {
  begin
    break
    Proc.new{}
  ensure
    def l
    end
  end
}
z.inspect

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==54237==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x000104f2c817 bp 0x7fff5ae09890 sp 0x7fff5ae09720 T0)
==54237==The signal is caused by a READ memory access.
==54237==Hint: address points to the zero page.
    #0 0x104f2c816 in mrb_obj_iv_get (mruby:x86_64+0x100141816)
    #1 0x104e2b13c in mrb_class_path (mruby:x86_64+0x10004013c)
    #2 0x104e2c97f in mrb_class_name (mruby:x86_64+0x10004197f)
    #3 0x104e2d462 in mrb_obj_classname (mruby:x86_64+0x100042462)
    #4 0x104ec84ea in mrb_any_to_s (mruby:x86_64+0x1000dd4ea)
    #5 0x104e9111f in mrb_method_missing (mruby:x86_64+0x1000a611f)
    #6 0x104f5910b in mrb_vm_exec (mruby:x86_64+0x10016e10b)
    #7 0x104f4e654 in mrb_vm_run (mruby:x86_64+0x100163654)
    #8 0x104f840ff in mrb_top_run (mruby:x86_64+0x1001990ff)
    #9 0x10505c26d in mrb_load_exec (mruby:x86_64+0x10027126d)
    #10 0x10505d085 in mrb_load_file_cxt (mruby:x86_64+0x100272085)
    #11 0x104ded3a3 in main mruby.c:227
    #12 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==54237==Register values:
rax = 0x0000000000000018  rbx = 0x00007fff5ae09780  rcx = 0x000061400000a440  rdx = 0x00001fffeb5c12e4
rdi = 0x00007fff5ae09740  rsi = 0x0000000000000000  rbp = 0x00007fff5ae09890  rsp = 0x00007fff5ae09720
 r8 = 0x00007fff5ae09760   r9 = 0x00000000000002a7  r10 = 0x0000000000000018  r11 = 0x0000100000000003
r12 = 0x00007fff5ae098e0  r13 = 0x00007fff5ae09900  r14 = 0x0000100000000000  r15 = 0x00007fff5ae098c0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (mruby:x86_64+0x100141816) in mrb_obj_iv_get
==54237==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi
@Asmod4n
Copy link
Contributor

Asmod4n commented Jun 19, 2017
edited

This is a dupe of #3708, full trace is available there.

@Asmod4n Asmod4n mentioned this issue Jun 19, 2017
Closed
@matz matz closed this as completed in d0a7e01 Jun 20, 2017
@matz matz mentioned this issue Jun 20, 2017
Closed
@matz matz mentioned this issue Jul 4, 2017
Closed
@clayton-shopify clayton-shopify mentioned this issue Oct 27, 2017
Closed
matz added a commit that referenced this issue Oct 28, 2017
@matz
Should clear ensure stack at OP_RETURN break; #3715
6316e0c 
This is a resurrection of d0a7e01, which is accidentally
removed by 93f5f22; Fix #3715
tsahara pushed a commit to iij/mruby that referenced this issue Jun 11, 2018
@matz @tsahara
Should call ecall() before callinfo adjustment; fix mruby#3715
a2adb25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Asmod4n @clayton-shopify