Heap buffer overflow in kh_get_mt #3717

@clayton-shopify

Description

The following input demonstrates a crash:

b = Array({:a => "a", :b => "b"})

def aa(n)
  if n >= 0
    instance_exec(x)
  end
rescue
  aa (n-1)
end

x =  GC.interval_ratio= 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
2.times{x.to_s}
b.inspect
aa(142)
y = Class.new.dup  {}
2.times{y.to_s}

It appears this issue was introduced by a893877.

ASAN report:

==67812==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000010090 at pc 0x00010e5603bd bp 0x7fff516b9bc0 sp 0x7fff516b9bb8
READ of size 4 at 0x604000010090 thread T0
    #0 0x10e5603bc in kh_get_mt (mruby:x86_64+0x1000243bc)
    #1 0x10e5785d1 in mrb_method_search_vm (mruby:x86_64+0x10003c5d1)
    #2 0x10e6a9a64 in mrb_vm_exec (mruby:x86_64+0x10016da64)
    #3 0x10e69f654 in mrb_vm_run (mruby:x86_64+0x100163654)
    #4 0x10e6d50ff in mrb_top_run (mruby:x86_64+0x1001990ff)
    #5 0x10e7ad26d in mrb_load_exec (mruby:x86_64+0x10027126d)
    #6 0x10e7ae085 in mrb_load_file_cxt (mruby:x86_64+0x100272085)
    #7 0x10e53e3a3 in main mruby.c:227
    #8 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

Address 0x604000010090 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (mruby:x86_64+0x1000243bc) in kh_get_mt
Shadow bytes around the buggy address:
  0x1c0800001fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800001fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800001fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800001ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800002000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c0800002010: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800002020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800002030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800002040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800002050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800002060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==67812==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi
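As an added triage example that is not part of this issue or of the mruby project: the Ruby script below parses an AddressSanitizer report of the shape shown above, extracts the error kind, access type, faulting address and stack frames, and derives a deduplication signature from the top in-module frames. The embedded report text is a constructed, abridged copy of the report in this issue; the function names `parse_asan` and `crash_signature`, the `AsanReport` struct and the `module_name` option are assumptions of this example, not anything from mruby.

```ruby
# Constructed sample: an abridged copy of the ASAN report above, used so the
# script runs offline. In practice the text would come from the fuzzer's log.
SAMPLE_REPORT = <<~ASAN
==67812==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000010090 at pc 0x00010e5603bd bp 0x7fff516b9bc0 sp 0x7fff516b9bb8
READ of size 4 at 0x604000010090 thread T0
    #0 0x10e5603bc in kh_get_mt (mruby:x86_64+0x1000243bc)
    #1 0x10e5785d1 in mrb_method_search_vm (mruby:x86_64+0x10003c5d1)
    #2 0x10e6a9a64 in mrb_vm_exec (mruby:x86_64+0x10016da64)
    #3 0x10e69f654 in mrb_vm_run (mruby:x86_64+0x100163654)
    #4 0x10e6d50ff in mrb_top_run (mruby:x86_64+0x1001990ff)
    #5 0x10e7ad26d in mrb_load_exec (mruby:x86_64+0x10027126d)
    #6 0x10e7ae085 in mrb_load_file_cxt (mruby:x86_64+0x100272085)
    #7 0x10e53e3a3 in main mruby.c:227
    #8 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

Address 0x604000010090 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (mruby:x86_64+0x1000243bc) in kh_get_mt
==67812==ABORTING
ASAN

# Hypothetical record type for the parsed report (not an mruby type).
AsanReport = Struct.new(:kind, :access, :size, :address, :frames, :wild_pointer)

# Parse the fields a triager cares about out of a raw ASAN report.
def parse_asan(text)
  header = text.match(/AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)/)
  kind, address = header&.captures
  access, size = text.match(/^(READ|WRITE) of size (\d+)/)&.captures
  # Frame lines look like "#N 0xADDR in FUNC LOCATION"; LOCATION is either
  # "(module:arch+offset)" or "file.c:line" when debug info is present.
  frames = text.scan(/^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (.+)$/).map do |idx, func, loc|
    { index: idx.to_i, function: func, location: loc.strip }
  end
  # "is a wild pointer" means ASan could not map the address to any live or
  # freed allocation, which is why the shadow dump above shows only fa bytes.
  wild = text.include?("is a wild pointer")
  AsanReport.new(kind, access, size&.to_i, address, frames, wild)
end

# Build a dedup signature from the error kind, the access type and the top
# frames inside the target module, skipping libc/dyld frames so that the same
# bug found under different runtimes collapses to one bucket.
def crash_signature(report, module_name: "mruby", depth: 3)
  pattern = /\A\(?#{Regexp.escape(module_name)}[:.]/
  in_module = report.frames.select { |f| f[:location] =~ pattern }
  top = in_module.first(depth).map { |f| f[:function] }
  [report.kind, report.access, top.join(">")].join("|")
end

# One-line summary for a triage queue.
def triage_line(report)
  note = report.wild_pointer ? "wild pointer, no owning allocation" : "address within a known chunk"
  "#{report.kind} #{report.access} of #{report.size} bytes at #{report.address} in #{report.frames.first[:function]} (#{note})"
end

if __FILE__ == $0
  r = parse_asan(SAMPLE_REPORT)
  puts triage_line(r)
  puts crash_signature(r)
end
```

Running the script on the embedded sample prints a single triage line followed by the signature `heap-buffer-overflow|READ|kh_get_mt>mrb_method_search_vm>mrb_vm_exec`; feeding it a batch of fuzzer logs and grouping by that signature is the usual first pass before bisecting (as the reporter did here, pointing at a893877).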
