Heap use-after-free in mrb_gc_mark #3829

Closed
clayton-shopify opened this Issue Oct 13, 2017 · 0 comments

@clayton-shopify (Contributor) commented Oct 13, 2017

The following input demonstrates a crash when supplied to mirb: 274561.txt

Note that this only works in mirb, not mruby.

It appears that the crash began in 7edbe42.

ASAN report:

==90704==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000081110 at pc 0x00010e294adf bp 0x7fff519e6320 sp 0x7fff519e6318
READ of size 4 at 0x604000081110 thread T0
    #0 0x10e294ade in mrb_gc_mark gc.c:727
    #1 0x10e29d5c7 in gc_mark_children gc.c:703
    #2 0x10e29bd3f in gc_gray_mark gc.c:913
    #3 0x10e299cb6 in incremental_marking_phase gc.c:1008
    #4 0x10e298f84 in incremental_gc gc.c:1121
    #5 0x10e294d26 in incremental_gc_until gc.c:1146
    #6 0x10e28ed64 in mrb_full_gc gc.c:1246
    #7 0x10e296958 in gc_start gc.c:1322
    #8 0x10e38861a in mrb_vm_exec (mirb:x86_64+0x10017961a)
    #9 0x10e37c854 in mrb_vm_run (mirb:x86_64+0x10016d854)
    #10 0x10e212037 in main mirb.c:549
    #11 0x7fff9539d234 in start (libdyld.dylib:x86_64+0x5234)

0x604000081110 is located 0 bytes inside of 48-byte region [0x604000081110,0x604000081140)
freed by thread T0 here:
    #0 0x10e6523e6 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x593e6)
    #1 0x10e30e6eb in mrb_default_allocf (mirb:x86_64+0x1000ff6eb)
    #2 0x10e28fe09 in mrb_free gc.c:272
    #3 0x10e30ed57 in mrb_irep_free (mirb:x86_64+0x1000ffd57)
    #4 0x10e30ea17 in mrb_irep_decref (mirb:x86_64+0x1000ffa17)
    #5 0x10e290f7d in obj_free gc.c:828
    #6 0x10e29a66e in incremental_sweep_phase gc.c:1064
    #7 0x10e298fcd in incremental_gc gc.c:1130
    #8 0x10e294d26 in incremental_gc_until gc.c:1146
    #9 0x10e295127 in clear_all_old gc.c:1172
    #10 0x10e28ec82 in mrb_full_gc gc.c:1238
    #11 0x10e296958 in gc_start gc.c:1322
    #12 0x10e38861a in mrb_vm_exec (mirb:x86_64+0x10017961a)
    #13 0x10e37c854 in mrb_vm_run (mirb:x86_64+0x10016d854)
    #14 0x10e212037 in main mirb.c:549
    #15 0x7fff9539d234 in start (libdyld.dylib:x86_64+0x5234)

previously allocated by thread T0 here:
    #0 0x10e6525b0 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x595b0)
    #1 0x10e30e705 in mrb_default_allocf (mirb:x86_64+0x1000ff705)
    #2 0x10e28e9f8 in mrb_realloc_simple gc.c:204
    #3 0x10e28f1ba in mrb_realloc gc.c:218
    #4 0x10e28fc93 in mrb_malloc gc.c:240
    #5 0x10e30f7d3 in mrb_str_pool (mirb:x86_64+0x1001007d3)
    #6 0x10e463a7d in new_lit (mirb:x86_64+0x100254a7d)
    #7 0x10e44cc05 in codegen (mirb:x86_64+0x10023dc05)
    #8 0x10e4438b9 in codegen (mirb:x86_64+0x1002348b9)
    #9 0x10e43e317 in codegen (mirb:x86_64+0x10022f317)
    #10 0x10e457037 in scope_body (mirb:x86_64+0x100248037)
    #11 0x10e44233f in codegen (mirb:x86_64+0x10023333f)
    #12 0x10e43b406 in mrb_generate_code (mirb:x86_64+0x10022c406)
    #13 0x10e211d38 in main mirb.c:537
    #14 0x7fff9539d234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-use-after-free gc.c:727 in mrb_gc_mark
==90704==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong
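A small triage helper added here (not part of the issue or of mruby): it parses an ASAN report like the one above into its access, freed-by and allocated-by stacks and skips the sanitizer interceptor and allocator glue frames, so the object's lifecycle (allocated in mrb_str_pool, freed by mrb_irep_free during the sweep, read again by mrb_gc_mark in a later mark phase) is visible at a glance. The embedded sample is an abbreviated copy of the report above with the frames renumbered; the GLUE prefix list is my own assumption about which frames to skip.

```python
import re
# Constructed sample: abbreviated from the ASAN report in this issue (frames renumbered).
SAMPLE = """\
==90704==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000081110
READ of size 4 at 0x604000081110 thread T0
    #0 0x10e294ade in mrb_gc_mark gc.c:727
    #1 0x10e29d5c7 in gc_mark_children gc.c:703

freed by thread T0 here:
    #0 0x10e6523e6 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x593e6)
    #1 0x10e30e6eb in mrb_default_allocf (mirb:x86_64+0x1000ff6eb)
    #2 0x10e28fe09 in mrb_free gc.c:272
    #3 0x10e30ed57 in mrb_irep_free (mirb:x86_64+0x1000ffd57)

previously allocated by thread T0 here:
    #0 0x10e6525b0 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x595b0)
    #1 0x10e30e705 in mrb_default_allocf (mirb:x86_64+0x1000ff705)
    #2 0x10e28fc93 in mrb_malloc gc.c:240
    #3 0x10e30f7d3 in mrb_str_pool (mirb:x86_64+0x1001007d3)
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (.*)$")
# Assumed glue: ASAN interceptors and the allocator's own frames, not project logic.
GLUE = ("wrap_", "mrb_default_allocf", "mrb_free", "mrb_realloc", "mrb_malloc")

def parse_asan(text):
    """Split a report into its kind, faulting address, access kind/size and the three stacks."""
    rep = {"kind": None, "address": None, "access": None, "size": 0, "stacks": {}}
    current = None
    for line in text.splitlines():
        if m := HEADER.search(line):
            rep["kind"], rep["address"] = m.groups()
        elif m := ACCESS.match(line):
            rep["access"], rep["size"], current = m.group(1), int(m.group(2)), "access"
        elif line.startswith("freed by thread"):
            current = "freed"
        elif line.startswith("previously allocated by thread"):
            current = "allocated"
        elif (m := FRAME.match(line)) and current:
            rep["stacks"].setdefault(current, []).append(m.groups())  # (function, location)
        elif not line.strip():
            current = None  # a blank line ends the current stack
    return rep

def first_project_frame(frames):
    """First frame past the glue: where project code allocated, freed, or later used the memory."""
    return next((f for f in frames if not f[0].startswith(GLUE)), None)
```

Running it on the full report gives the same three frames, which is the starting point for bisecting the ownership change that 7edbe42 introduced.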
