Closed
The following input demonstrates a crash:
def method_missing(*)
sprintf("%c%s", 0, 0)
0[]
end
foo
ASAN report:
==94995==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00001d440 at pc 0x00010739a2f8 bp 0x7fff58c6da90 sp 0x7fff58c6d240
READ of size 16 at 0x61d00001d440 thread T0
#0 0x10739a2f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
#1 0x107127227 in mrb_str_format sprintf.c:735
#2 0x107120389 in mrb_f_sprintf sprintf.c:516
#3 0x1070f42be in mrb_vm_exec vm.c:1396
#4 0x1070e88c4 in mrb_vm_run vm.c:879
#5 0x10711e39f in mrb_top_run vm.c:2884
#6 0x1071f74fd in mrb_load_exec parse.y:5823
#7 0x1071f5bb5 in mrb_load_file_cxt parse.y:5832
#8 0x106f87523 in main mruby.c:227
#9 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)
0x61d00001d440 is located 1984 bytes inside of 2048-byte region [0x61d00001cc80,0x61d00001d480)
freed by thread T0 here:
#0 0x1073a3520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
#1 0x10707c1d5 in mrb_default_allocf state.c:60
#2 0x106ffcf38 in mrb_realloc_simple gc.c:204
#3 0x106ffd68e in mrb_realloc gc.c:218
#4 0x10711ee2f in stack_extend_alloc vm.c:165
#5 0x1070dfa1f in stack_extend vm.c:186
#6 0x1070dd230 in mrb_funcall_with_block vm.c:427
#7 0x1070dac77 in mrb_funcall_argv vm.c:471
#8 0x1070da6ee in mrb_funcall vm.c:355
#9 0x107125625 in mrb_str_format sprintf.c:709
#10 0x107120389 in mrb_f_sprintf sprintf.c:516
#11 0x1070f42be in mrb_vm_exec vm.c:1396
#12 0x1070e88c4 in mrb_vm_run vm.c:879
#13 0x10711e39f in mrb_top_run vm.c:2884
#14 0x1071f74fd in mrb_load_exec parse.y:5823
#15 0x1071f5bb5 in mrb_load_file_cxt parse.y:5832
#16 0x106f87523 in main mruby.c:227
#17 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)
previously allocated by thread T0 here:
#0 0x1073a3520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
#1 0x10707c1d5 in mrb_default_allocf state.c:60
#2 0x106ffcf38 in mrb_realloc_simple gc.c:204
#3 0x106ffd68e in mrb_realloc gc.c:218
#4 0x106ffe123 in mrb_malloc gc.c:240
#5 0x106ffe1bd in mrb_calloc gc.c:258
#6 0x1070de992 in stack_init vm.c:105
#7 0x1070dbb50 in mrb_funcall_with_block vm.c:392
#8 0x1070db48a in mrb_funcall_with_block vm.c:370
#9 0x1070dac77 in mrb_funcall_argv vm.c:471
#10 0x106fc3955 in mrb_obj_new class.c:1445
#11 0x106fe856d in mrb_exc_new_str error.c:32
#12 0x106ff1209 in mrb_init_exception error.c:493
#13 0x107021334 in mrb_init_core init.c:42
#14 0x10707c16e in mrb_open_core state.c:47
#15 0x10707c33c in mrb_open_allocf state.c:107
#16 0x10707c307 in mrb_open state.c:99
#17 0x106f86435 in main mruby.c:171
#18 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
Shadow bytes around the buggy address:
0x1c3a00003a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3a00003a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3a00003a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3a00003a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3a00003a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c3a00003a80: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x1c3a00003a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3a00003aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3a00003ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3a00003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3a00003ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==94995==ABORTING
Abort trap: 6
This issue was reported by https://hackerone.com/ilsani
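The trace shows the bug class behind the report: mrb_str_format calls back into the interpreter via mrb_funcall (sprintf.c:709), that call extends the VM stack through stack_extend_alloc and mrb_realloc (which frees the old stack block), and the later memcpy at sprintf.c:735 still reads through a pointer into the freed block. The following C program is an added example, not mruby's code; it models that pattern with a constructed toy stack (vm_stack, stack_extend, call_method are all hypothetical names) whose growth always relocates the block, and shows the pointer-holding variant beside the index-based variant that survives relocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a VM value stack that grows by reallocation. Constructed for
 * this example; it is not mruby's data structure. */
typedef struct {
    long *base;   /* values live here; the pointer changes when the stack grows */
    size_t size;  /* slots allocated */
    size_t used;  /* slots in use */
} vm_stack;

static int stack_init(vm_stack *st, size_t n) {
    st->base = calloc(n, sizeof *st->base);
    if (st->base == NULL) return -1;
    st->size = n;
    st->used = 0;
    return 0;
}

/* Grow the stack. Like a realloc that cannot grow in place, this always moves
 * the block and frees the old one, so any pointer into the old block dangles. */
static int stack_extend(vm_stack *st, size_t need) {
    if (st->used + need <= st->size) return 0;
    size_t nsize = st->size * 2 + need;
    long *nbase = calloc(nsize, sizeof *nbase);
    if (nbase == NULL) return -1;
    memcpy(nbase, st->base, st->used * sizeof *nbase);
    free(st->base);               /* the old block is gone from here on */
    st->base = nbase;
    st->size = nsize;
    return 0;
}

/* Stand-in for a Ruby-level method invoked from C (mrb_funcall in the trace):
 * it pushes a frame, which can relocate the whole stack. Returns 2*arg. */
static long call_method(vm_stack *st, long arg) {
    if (stack_extend(st, 64) != 0) abort();   /* out of memory: not the point here */
    st->used += 64;               /* push the callee's frame */
    long result = arg * 2;
    st->used -= 64;               /* pop it */
    return result;
}

/* The pattern behind the report: a raw pointer into the stack is kept across a
 * call that may grow the stack. Rather than dereferencing the stale pointer
 * (what ASan flagged as heap-use-after-free), this version notices that the
 * base moved and returns -1. */
static long format_holding_pointer(vm_stack *st, size_t first) {
    long *argv = st->base + first;            /* raw pointer captured here */
    uintptr_t base_before = (uintptr_t)st->base;
    long a = call_method(st, argv[0]);        /* may relocate st->base */
    if ((uintptr_t)st->base != base_before) {
        return -1;                            /* argv dangles: do not read argv[1] */
    }
    return a + argv[1];
}

/* Hardened pattern: address arguments by index through the live base pointer
 * (or copy them out before the call), re-reading after every call that can
 * run interpreter code. */
static long format_by_index(vm_stack *st, size_t first) {
    long a = call_method(st, st->base[first]);
    return a + st->base[first + 1];           /* re-read through the current base */
}

/* Runs one variant on a stack holding the two constructed arguments 5 and 7.
 * Expected: hardened -> 2*5 + 7 = 17; pointer-holding -> -1 (base relocated). */
static long run_scenario(int hardened) {
    vm_stack st;
    if (stack_init(&st, 4) != 0) return -2;
    st.base[0] = 5;
    st.base[1] = 7;
    st.used = 2;
    long r = hardened ? format_by_index(&st, 0) : format_holding_pointer(&st, 0);
    free(st.base);
    return r;
}

int main(void) {
    printf("index-based result: %ld\n", run_scenario(1));
    printf("pointer-holding result: %ld (-1 means the base moved and argv is stale)\n",
           run_scenario(0));
    return 0;
}
```

The check in format_holding_pointer stands in for ASan: in production code the stale read goes unnoticed until the freed block is reused, which is why the report's reproducer needs a method_missing that forces a frame push inside the format call. The durable fix is the index-based access (or copying the arguments before any call that can re-enter the interpreter), since no pointer into a growable stack is valid across such a call.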