New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap use-after-free in mrb_str_format #3722

Closed
clayton-shopify opened this Issue Jun 26, 2017 · 0 comments

Comments

Projects
None yet
1 participant
@clayton-shopify
Contributor

clayton-shopify commented Jun 26, 2017

The following input demonstrates a crash:

def method_missing(*)
  sprintf("%c%s", 0, 0)
  0[]
end

foo

ASAN report:

==94995==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00001d440 at pc 0x00010739a2f8 bp 0x7fff58c6da90 sp 0x7fff58c6d240
READ of size 16 at 0x61d00001d440 thread T0
    #0 0x10739a2f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
    #1 0x107127227 in mrb_str_format sprintf.c:735
    #2 0x107120389 in mrb_f_sprintf sprintf.c:516
    #3 0x1070f42be in mrb_vm_exec vm.c:1396
    #4 0x1070e88c4 in mrb_vm_run vm.c:879
    #5 0x10711e39f in mrb_top_run vm.c:2884
    #6 0x1071f74fd in mrb_load_exec parse.y:5823
    #7 0x1071f5bb5 in mrb_load_file_cxt parse.y:5832
    #8 0x106f87523 in main mruby.c:227
    #9 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

0x61d00001d440 is located 1984 bytes inside of 2048-byte region [0x61d00001cc80,0x61d00001d480)
freed by thread T0 here:
    #0 0x1073a3520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10707c1d5 in mrb_default_allocf state.c:60
    #2 0x106ffcf38 in mrb_realloc_simple gc.c:204
    #3 0x106ffd68e in mrb_realloc gc.c:218
    #4 0x10711ee2f in stack_extend_alloc vm.c:165
    #5 0x1070dfa1f in stack_extend vm.c:186
    #6 0x1070dd230 in mrb_funcall_with_block vm.c:427
    #7 0x1070dac77 in mrb_funcall_argv vm.c:471
    #8 0x1070da6ee in mrb_funcall vm.c:355
    #9 0x107125625 in mrb_str_format sprintf.c:709
    #10 0x107120389 in mrb_f_sprintf sprintf.c:516
    #11 0x1070f42be in mrb_vm_exec vm.c:1396
    #12 0x1070e88c4 in mrb_vm_run vm.c:879
    #13 0x10711e39f in mrb_top_run vm.c:2884
    #14 0x1071f74fd in mrb_load_exec parse.y:5823
    #15 0x1071f5bb5 in mrb_load_file_cxt parse.y:5832
    #16 0x106f87523 in main mruby.c:227
    #17 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

previously allocated by thread T0 here:
    #0 0x1073a3520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10707c1d5 in mrb_default_allocf state.c:60
    #2 0x106ffcf38 in mrb_realloc_simple gc.c:204
    #3 0x106ffd68e in mrb_realloc gc.c:218
    #4 0x106ffe123 in mrb_malloc gc.c:240
    #5 0x106ffe1bd in mrb_calloc gc.c:258
    #6 0x1070de992 in stack_init vm.c:105
    #7 0x1070dbb50 in mrb_funcall_with_block vm.c:392
    #8 0x1070db48a in mrb_funcall_with_block vm.c:370
    #9 0x1070dac77 in mrb_funcall_argv vm.c:471
    #10 0x106fc3955 in mrb_obj_new class.c:1445
    #11 0x106fe856d in mrb_exc_new_str error.c:32
    #12 0x106ff1209 in mrb_init_exception error.c:493
    #13 0x107021334 in mrb_init_core init.c:42
    #14 0x10707c16e in mrb_open_core state.c:47
    #15 0x10707c33c in mrb_open_allocf state.c:107
    #16 0x10707c307 in mrb_open state.c:99
    #17 0x106f86435 in main mruby.c:171
    #18 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c3a00003a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c3a00003a80: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x1c3a00003a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==94995==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ilsani

@matz matz closed this in 1a3b323 Jun 27, 2017

matz added a commit that referenced this issue Jun 28, 2017

Avoid `mrb_funcall()` unless absolutely necessary; ref #3722
As a result, `#chr` is not called for ch < 0x80, so we need to
update the "invalid chr" test.

@matz matz referenced this issue Jul 4, 2017

Closed

1.3.0 Changes #3140

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment