Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap buffer overflow in OP_ARGARY #3723

Closed
clayton-shopify opened this issue Jun 28, 2017 · 0 comments
Closed

Heap buffer overflow in OP_ARGARY #3723

clayton-shopify opened this issue Jun 28, 2017 · 0 comments

Comments

@clayton-shopify
Copy link
Contributor

The following input demonstrates a crash:

module A module A
ensure
  module A module A module A module A
  ensure
    module A module A module A module A module A module A
      a
    ensure
      1.times do
        super
      end
    end end end end end end
  end end end end
end end

This input is very similar to the one in #3610 and #3501.

ASAN report:

==98382==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001dfc0 at pc 0x000107cc12f8 bp 0x7fff58331a90 sp 0x7fff58331240
READ of size 16 at 0x60200001dfc0 thread T0
    #0 0x107cc12f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
    #1 0x107a20b28 in mrb_vm_exec vm.c:1716
    #2 0x107a0da14 in mrb_vm_run vm.c:879
    #3 0x107a058ae in mrb_run vm.c:2869
    #4 0x107a406a0 in ecall vm.c:328
    #5 0x107a242ab in mrb_vm_exec vm.c:1899
    #6 0x107a0da14 in mrb_vm_run vm.c:879
    #7 0x107a058ae in mrb_run vm.c:2869
    #8 0x107a406a0 in ecall vm.c:328
    #9 0x107a16aeb in mrb_vm_exec vm.c:1285
    #10 0x107a0da14 in mrb_vm_run vm.c:879
    #11 0x107a058ae in mrb_run vm.c:2869
    #12 0x107a406a0 in ecall vm.c:328
    #13 0x107a16aeb in mrb_vm_exec vm.c:1285
    #14 0x107a0da14 in mrb_vm_run vm.c:879
    #15 0x107a434ef in mrb_top_run vm.c:2884
    #16 0x107b1c2f8 in mrb_load_exec parse.y:5824
    #17 0x107b1d125 in mrb_load_file_cxt parse.y:5833
    #18 0x1078ac693 in main mruby.c:227
    #19 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

0x60200001dfc0 is located 0 bytes to the right of 16-byte region [0x60200001dfb0,0x60200001dfc0)
allocated by thread T0 here:
    #0 0x107cca520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x1079a1325 in mrb_default_allocf state.c:60
    #2 0x107922318 in mrb_realloc_simple gc.c:204
    #3 0x107922a6e in mrb_realloc gc.c:218
    #4 0x107923503 in mrb_malloc gc.c:240
    #5 0x1079ff022 in mrb_env_unshare vm.c:274
    #6 0x107a035b2 in cipop vm.c:291
    #7 0x107a236e3 in mrb_vm_exec vm.c:1867
    #8 0x107a0da14 in mrb_vm_run vm.c:879
    #9 0x107a058ae in mrb_run vm.c:2869
    #10 0x107a406a0 in ecall vm.c:328
    #11 0x107a16aeb in mrb_vm_exec vm.c:1285
    #12 0x107a0da14 in mrb_vm_run vm.c:879
    #13 0x107a058ae in mrb_run vm.c:2869
    #14 0x107a406a0 in ecall vm.c:328
    #15 0x107a16aeb in mrb_vm_exec vm.c:1285
    #16 0x107a0da14 in mrb_vm_run vm.c:879
    #17 0x107a434ef in mrb_top_run vm.c:2884
    #18 0x107b1c2f8 in mrb_load_exec parse.y:5824
    #19 0x107b1d125 in mrb_load_file_cxt parse.y:5833
    #20 0x1078ac693 in main mruby.c:227
    #21 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c0400003ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c0400003bf0: fa fa fa fa fa fa 00 00[fa]fa 00 06 fa fa 00 fa
  0x1c0400003c00: fa fa 00 fa fa fa 00 fa fa fa 04 fa fa fa 00 fa
  0x1c0400003c10: fa fa 00 00 fa fa 00 06 fa fa 00 fa fa fa 00 fa
  0x1c0400003c20: fa fa 00 fa fa fa 04 fa fa fa 00 fa fa fa 00 00
  0x1c0400003c30: fa fa 00 06 fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x1c0400003c40: fa fa 00 fa fa fa 00 00 fa fa 00 06 fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==98382==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/tigadiz

@matz matz closed this as completed in 7d99830 Jul 1, 2017
@matz matz mentioned this issue Jul 4, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant