New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap buffer overflow in ary_fill_with_nil (regression) #3716

Closed
clayton-shopify opened this Issue Jun 19, 2017 · 1 comment

Comments

Projects
None yet
2 participants
@clayton-shopify
Contributor

clayton-shopify commented Jun 19, 2017

The commit aa8121c reintroduced #3353. The same input now causes a crash again:

(Array.new)[0x7fffffff] = 1

ASAN report:

==58934==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000a1a0 at pc 0x000103e0e4ca bp 0x7fff5c1fd630 sp 0x7fff5c1fcde0
WRITE of size 16 at 0x60600000a1a0 thread T0
    #0 0x103e0e4c9 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9)
    #1 0x1039ff145 in ary_fill_with_nil array.c:104
    #2 0x103a03409 in mrb_ary_set array.c:576
    #3 0x103a0de93 in mrb_ary_aset array.c:825
    #4 0x103b670ad in mrb_vm_exec (mruby:x86_64+0x10016f0ad)
    #5 0x103b5ba74 in mrb_vm_run (mruby:x86_64+0x100163a74)
    #6 0x103b910ff in mrb_top_run (mruby:x86_64+0x1001990ff)
    #7 0x103c6926d in mrb_load_exec (mruby:x86_64+0x10027126d)
    #8 0x103c6a085 in mrb_load_file_cxt (mruby:x86_64+0x100272085)
    #9 0x1039fa933 in main mruby.c:227
    #10 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

0x60600000a1a0 is located 0 bytes to the right of 64-byte region [0x60600000a160,0x60600000a1a0)
allocated by thread T0 here:
    #0 0x103e17520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x103aef385 in mrb_default_allocf (mruby:x86_64+0x1000f7385)
    #2 0x103a70348 in mrb_realloc_simple gc.c:204
    #3 0x103a70a9e in mrb_realloc gc.c:218
    #4 0x1039feebb in ary_expand_capa array.c:193
    #5 0x103a032c0 in mrb_ary_set array.c:575
    #6 0x103a0de93 in mrb_ary_aset array.c:825
    #7 0x103b670ad in mrb_vm_exec (mruby:x86_64+0x10016f0ad)
    #8 0x103b5ba74 in mrb_vm_run (mruby:x86_64+0x100163a74)
    #9 0x103b910ff in mrb_top_run (mruby:x86_64+0x1001990ff)
    #10 0x103c6926d in mrb_load_exec (mruby:x86_64+0x10027126d)
    #11 0x103c6a085 in mrb_load_file_cxt (mruby:x86_64+0x100272085)
    #12 0x1039fa933 in main mruby.c:227
    #13 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c0c000013e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c000013f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00001400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00001410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00001420: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x1c0c00001430: 00 00 00 00[fa]fa fa fa fd fd fd fd fd fd fd fd
  0x1c0c00001440: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x1c0c00001450: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
  0x1c0c00001460: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c0c00001470: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x1c0c00001480: 00 00 00 00 00 00 00 04 fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==58934==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/flamezzz

@matz

This comment has been minimized.

Show comment
Hide comment
@matz

matz Jun 20, 2017

Member

Sorry for regression. Fixed by bf1cb87

Member

matz commented Jun 20, 2017

Sorry for regression. Fixed by bf1cb87

@matz matz closed this Jun 20, 2017

@matz matz referenced this issue Jul 4, 2017

Closed

1.3.0 Changes #3140

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment