Closed
Description
The following input demonstrates a crash when supplied to mirb: 274561.txt
Note that this only works in mirb, not mruby.
It appears that the crash began in 7edbe42.
ASAN report:
==90704==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000081110 at pc 0x00010e294adf bp 0x7fff519e6320 sp 0x7fff519e6318
READ of size 4 at 0x604000081110 thread T0
#0 0x10e294ade in mrb_gc_mark gc.c:727
#1 0x10e29d5c7 in gc_mark_children gc.c:703
#2 0x10e29bd3f in gc_gray_mark gc.c:913
#3 0x10e299cb6 in incremental_marking_phase gc.c:1008
#4 0x10e298f84 in incremental_gc gc.c:1121
#5 0x10e294d26 in incremental_gc_until gc.c:1146
#6 0x10e28ed64 in mrb_full_gc gc.c:1246
#7 0x10e296958 in gc_start gc.c:1322
#8 0x10e38861a in mrb_vm_exec (mirb:x86_64+0x10017961a)
#9 0x10e37c854 in mrb_vm_run (mirb:x86_64+0x10016d854)
#10 0x10e212037 in main mirb.c:549
#11 0x7fff9539d234 in start (libdyld.dylib:x86_64+0x5234)
0x604000081110 is located 0 bytes inside of 48-byte region [0x604000081110,0x604000081140)
freed by thread T0 here:
#0 0x10e6523e6 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x593e6)
#1 0x10e30e6eb in mrb_default_allocf (mirb:x86_64+0x1000ff6eb)
#2 0x10e28fe09 in mrb_free gc.c:272
#3 0x10e30ed57 in mrb_irep_free (mirb:x86_64+0x1000ffd57)
#4 0x10e30ea17 in mrb_irep_decref (mirb:x86_64+0x1000ffa17)
#5 0x10e290f7d in obj_free gc.c:828
#6 0x10e29a66e in incremental_sweep_phase gc.c:1064
#7 0x10e298fcd in incremental_gc gc.c:1130
#8 0x10e294d26 in incremental_gc_until gc.c:1146
#9 0x10e295127 in clear_all_old gc.c:1172
#10 0x10e28ec82 in mrb_full_gc gc.c:1238
#11 0x10e296958 in gc_start gc.c:1322
#12 0x10e38861a in mrb_vm_exec (mirb:x86_64+0x10017961a)
#13 0x10e37c854 in mrb_vm_run (mirb:x86_64+0x10016d854)
#14 0x10e212037 in main mirb.c:549
#15 0x7fff9539d234 in start (libdyld.dylib:x86_64+0x5234)
previously allocated by thread T0 here:
#0 0x10e6525b0 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x595b0)
#1 0x10e30e705 in mrb_default_allocf (mirb:x86_64+0x1000ff705)
#2 0x10e28e9f8 in mrb_realloc_simple gc.c:204
#3 0x10e28f1ba in mrb_realloc gc.c:218
#4 0x10e28fc93 in mrb_malloc gc.c:240
#5 0x10e30f7d3 in mrb_str_pool (mirb:x86_64+0x1001007d3)
#6 0x10e463a7d in new_lit (mirb:x86_64+0x100254a7d)
#7 0x10e44cc05 in codegen (mirb:x86_64+0x10023dc05)
#8 0x10e4438b9 in codegen (mirb:x86_64+0x1002348b9)
#9 0x10e43e317 in codegen (mirb:x86_64+0x10022f317)
#10 0x10e457037 in scope_body (mirb:x86_64+0x100248037)
#11 0x10e44233f in codegen (mirb:x86_64+0x10023333f)
#12 0x10e43b406 in mrb_generate_code (mirb:x86_64+0x10022c406)
#13 0x10e211d38 in main mirb.c:537
#14 0x7fff9539d234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: heap-use-after-free gc.c:727 in mrb_gc_mark
Shadow bytes around the buggy address:
0x1c08000101d0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c08000101e0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c08000101f0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c0800010200: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c0800010210: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
=>0x1c0800010220: fa fa[fd]fd fd fd fd fd fa fa fd fd fd fd fd fa
0x1c0800010230: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
0x1c0800010240: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c0800010250: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c0800010260: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c0800010270: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==90704==ABORTING
Abort trap: 6
This issue was reported by https://hackerone.com/ssarong