The following input demonstrates a crash:
def aa(n)
  if n >= 0
    instance_exec(x)
  end
rescue
  aa (n-1)
end
n = Fiber.new{}.dup
GC.start
n.initialize {break}
aa(100)
n.resume
ASAN report:
ASAN:DEADLYSIGNAL
=================================================================
==76585==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0001097429e3 bp 0x7fff566c1b20 sp 0x7fff566c16a0 T0)
==76585==The signal is caused by a READ memory access.
==76585==Hint: address points to the zero page.
#0 0x1097429e2 in fiber_switch fiber.c:215
#1 0x1097456b5 in fiber_resume fiber.c:259
#2 0x1096a339e in mrb_vm_exec vm.c:1396
#3 0x1096979a4 in mrb_vm_run vm.c:879
#4 0x1096cd47f in mrb_top_run vm.c:2884
#5 0x1097a622d in mrb_load_exec parse.y:5823
#6 0x1097a7045 in mrb_load_file_cxt parse.y:5832
#7 0x1095366f3 in main mruby.c:227
#8 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)
==76585==Register values:
rax = 0x0000000000000010 rbx = 0x00007fff566c1760 rcx = 0x0000000000000018 rdx = 0x0000000000000010
rdi = 0x0000100000000000 rsi = 0x0000100000000000 rbp = 0x00007fff566c1b20 rsp = 0x00007fff566c16a0
r8 = 0x0000100000000000 r9 = 0x3c3981173a920084 r10 = 0x00007fff566c16e0 r11 = 0x00001fffeacd82dc
r12 = 0xf2f20000f1f1f1f1 r13 = 0x00001fffeacd9230 r14 = 0x0000100000000000 r15 = 0x00007fff566c1740
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV fiber.c:215 in fiber_switch
==76585==ABORTING
Abort trap: 6
This issue was reported by https://hackerone.com/ahihi