
Null pointer dereference in fiber_switch #3719

Closed
clayton-shopify opened this Issue Jun 20, 2017 · 0 comments


clayton-shopify commented Jun 20, 2017

The following input demonstrates a crash:

def aa(n)
  if n >= 0
    instance_exec(x)
  end
rescue
  aa(n-1)
end

n = Fiber.new{}.dup
GC.start
n.initialize {break}
aa(100)
n.resume

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==76585==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0001097429e3 bp 0x7fff566c1b20 sp 0x7fff566c16a0 T0)
==76585==The signal is caused by a READ memory access.
==76585==Hint: address points to the zero page.
    #0 0x1097429e2 in fiber_switch fiber.c:215
    #1 0x1097456b5 in fiber_resume fiber.c:259
    #2 0x1096a339e in mrb_vm_exec vm.c:1396
    #3 0x1096979a4 in mrb_vm_run vm.c:879
    #4 0x1096cd47f in mrb_top_run vm.c:2884
    #5 0x1097a622d in mrb_load_exec parse.y:5823
    #6 0x1097a7045 in mrb_load_file_cxt parse.y:5832
    #7 0x1095366f3 in main mruby.c:227
    #8 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==76585==Register values:
rax = 0x0000000000000010  rbx = 0x00007fff566c1760  rcx = 0x0000000000000018  rdx = 0x0000000000000010
rdi = 0x0000100000000000  rsi = 0x0000100000000000  rbp = 0x00007fff566c1b20  rsp = 0x00007fff566c16a0
 r8 = 0x0000100000000000   r9 = 0x3c3981173a920084  r10 = 0x00007fff566c16e0  r11 = 0x00001fffeacd82dc
r12 = 0xf2f20000f1f1f1f1  r13 = 0x00001fffeacd9230  r14 = 0x0000100000000000  r15 = 0x00007fff566c1740
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV fiber.c:215 in fiber_switch
==76585==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi
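The ASAN report shows a read from the zero page (address 0x18) inside fiber_switch, which is consistent with a Fiber object whose native context pointer was never set: Object#dup copies the object but, in this model, not the context allocated by Fiber.new. The C below is an added illustration of the defensive pattern for that situation; it is a hypothetical toy model, not mruby's code and not the fix in e8a4e42. The type and function names (toy_fiber, toy_context, toy_fiber_switch and so on) are assumptions made up for this example, and the "dup leaves cxt NULL" behaviour is a stated assumption about how the reproducer reaches the crash.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified model of a Fiber object whose native state lives
 * behind a pointer (an object header pointing at a separately allocated
 * context). Constructed for this example; not mruby's real structures. */
struct toy_context {
  int status;            /* 0 = created, 1 = running, 2 = terminated */
  const char *name;
};

struct toy_fiber {
  struct toy_context *cxt;   /* NULL until the fiber has been initialised */
};

enum toy_result {
  TOY_OK = 0,
  TOY_ERR_UNINITIALIZED = 1,  /* cxt is NULL: nothing to switch to */
  TOY_ERR_DEAD = 2            /* fiber already finished */
};

/* Fiber.new: allocate the object and its native context together. */
struct toy_fiber *toy_fiber_new(const char *name) {
  struct toy_fiber *f = calloc(1, sizeof *f);
  if (!f) return NULL;
  f->cxt = calloc(1, sizeof *f->cxt);
  if (!f->cxt) { free(f); return NULL; }
  f->cxt->status = 0;
  f->cxt->name = name;
  return f;
}

/* Object#dup modelled as a shallow copy of the object header only (assumption):
 * the copy neither shares nor clones the native context, so cxt stays NULL.
 * This is the state the reproducer above is assumed to leave the Fiber in. */
struct toy_fiber *toy_fiber_dup(const struct toy_fiber *src) {
  struct toy_fiber *f = calloc(1, sizeof *f);
  (void)src;                 /* header fields other than cxt are irrelevant here */
  if (!f) return NULL;
  f->cxt = NULL;
  return f;
}

/* Defensive switch: validate the native context before touching it and return
 * an error the caller can turn into a Ruby-level exception, instead of reading
 * through a NULL pointer as the unchecked version in the report does. */
enum toy_result toy_fiber_switch(struct toy_fiber *f) {
  if (f == NULL || f->cxt == NULL) {
    return TOY_ERR_UNINITIALIZED;
  }
  if (f->cxt->status == 2) {
    return TOY_ERR_DEAD;
  }
  /* A real implementation would swap stacks / call frames here. */
  f->cxt->status = 1;
  return TOY_OK;
}

enum toy_result toy_fiber_resume(struct toy_fiber *f) {
  return toy_fiber_switch(f);
}

void toy_fiber_free(struct toy_fiber *f) {
  if (!f) return;
  free(f->cxt);
  free(f);
}

/* Scenario mirroring the report: resume a dup'd, never-initialised fiber.
 * Returns 1 when the guard rejects it cleanly. */
int toy_resume_dup_is_rejected(void) {
  struct toy_fiber *orig = toy_fiber_new("orig");
  struct toy_fiber *copy = toy_fiber_dup(orig);
  int rejected = (toy_fiber_resume(copy) == TOY_ERR_UNINITIALIZED);
  toy_fiber_free(copy);
  toy_fiber_free(orig);
  return rejected;
}

/* Control case: a properly constructed fiber still resumes. Returns 1 on success. */
int toy_resume_fresh_is_ok(void) {
  struct toy_fiber *f = toy_fiber_new("fresh");
  int ok = (toy_fiber_resume(f) == TOY_OK);
  toy_fiber_free(f);
  return ok;
}

int main(void) {
  printf("dup'd fiber rejected: %d\n", toy_resume_dup_is_rejected());
  printf("fresh fiber resumed:  %d\n", toy_resume_fresh_is_ok());
  return 0;
}
```

The point of the model is that every entry into the switch path validates the context pointer once, up front, so a Fiber that was duplicated or otherwise constructed without its native state becomes a reported error rather than a SEGV that a sanitizer has to catch.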

@matz matz closed this in e8a4e42 Jun 21, 2017

@matz matz referenced this issue Jul 4, 2017

Closed

1.3.0 Changes #3140
