Null pointer dereference in OP_RETURN #3724

Closed
clayton-shopify opened this Issue Jun 28, 2017 · 0 comments

clayton-shopify commented Jun 28, 2017

The following input demonstrates a crash:

def a
  b { yield }
end

def b
  Fiber.new { yield }.resume
ensure
  a { break }
end

a

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==98907==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00010ee28fc7 bp 0x7fff50f4a3d0 sp 0x7fff50f421a0 T0)
==98907==The signal is caused by a READ memory access.
==98907==Hint: address points to the zero page.
    #0 0x10ee28fc6 in mrb_vm_exec vm.c:2055
    #1 0x10ee0ea14 in mrb_vm_run vm.c:879
    #2 0x10ee068ae in mrb_run vm.c:2869
    #3 0x10ee416a0 in ecall vm.c:328
    #4 0x10ee252ab in mrb_vm_exec vm.c:1899
    #5 0x10ee0ea14 in mrb_vm_run vm.c:879
    #6 0x10ee444ef in mrb_top_run vm.c:2884
    #7 0x10ef1d2f8 in mrb_load_exec parse.y:5824
    #8 0x10ef1e125 in mrb_load_file_cxt parse.y:5833
    #9 0x10ecad693 in main mruby.c:227
    #10 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==98907==Register values:
rax = 0x0000000000000018  rbx = 0xf2f20000f2f2f200  rcx = 0x0000000000000018  rdx = 0x0000100000000003
rdi = 0x000061400000a460  rsi = 0x0000100000000000  rbp = 0x00007fff50f4a3d0  rsp = 0x00007fff50f421a0
 r8 = 0x0000100000000000   r9 = 0xc1d49033fac10000  r10 = 0x00007fff50f41b20  r11 = 0x00001e6f50f3b210
r12 = 0xf2f20000f1f1f1f1  r13 = 0x00001fffea1e92b8  r14 = 0xf2f20000f2f2f2f2  r15 = 0xf2f2f2f2f2040000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV vm.c:2055 in mrb_vm_exec
==98907==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/tigadiz
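
An added example, not part of the issue or of mruby's code: a Python parser that pulls the triage-relevant fields out of the ASAN report above (fault address, access type, crashing frame) and flags the crash as a read at a small offset from NULL. The function name `triage`, the `NULL_PAGE` threshold and the bucket format are assumptions of this example; the embedded report lines are copied from the issue.

```python
import re

# Excerpt of the ASAN report from this issue (header lines and frames #0-#4).
REPORT = """\
==98907==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00010ee28fc7 bp 0x7fff50f4a3d0 sp 0x7fff50f421a0 T0)
==98907==The signal is caused by a READ memory access.
    #0 0x10ee28fc6 in mrb_vm_exec vm.c:2055
    #1 0x10ee0ea14 in mrb_vm_run vm.c:879
    #2 0x10ee068ae in mrb_run vm.c:2869
    #3 0x10ee416a0 in ecall vm.c:328
    #4 0x10ee252ab in mrb_vm_exec vm.c:1899
"""

# Assumption: a fault below one 4 KiB page is treated as a NULL base plus a
# field offset, i.e. a member access through a NULL struct pointer.
NULL_PAGE = 0x1000

HEADER = re.compile(r"AddressSanitizer: (\w+) on unknown address (0x[0-9a-fA-F]+)")
ACCESS = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ in (\S+) (\S+?):(\d+)", re.M)


def triage(report):
    """Summarise an ASAN SEGV report for crash bucketing."""
    header = HEADER.search(report)
    if header is None:
        raise ValueError("not an ASAN SEGV report")
    frames = [(m.group(1), m.group(2), int(m.group(3)))
              for m in FRAME.finditer(report)]
    if not frames:
        raise ValueError("no symbolised stack frames found")
    addr = int(header.group(2), 16)
    access = ACCESS.search(report)
    func, path, line = frames[0]
    site = "%s %s:%d" % (func, path, line)
    return {
        "signal": header.group(1),
        "fault_addr": addr,
        "near_null": addr < NULL_PAGE,
        "access": access.group(1) if access else "UNKNOWN",
        "crash_site": site,
        "depth": len(frames),
        # True when the crashing function also appears deeper in the stack,
        # as mrb_vm_exec does here (frame #0, and frame #4 via ecall).
        "reentrant": any(f[0] == func for f in frames[1:]),
        # Bucket key (hypothetical format) for de-duplicating fuzzer crashes.
        "bucket": "%s/%s/%s" % (header.group(1), "near-null" if addr < NULL_PAGE else "wild", site),
    }
```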

@matz matz closed this in 9b8956c Jul 1, 2017

@matz matz referenced this issue Jul 4, 2017

Closed

1.3.0 Changes #3140
