Segfault due to invalid read in dispatch_linked #3927

Closed
clayton-shopify opened this issue Jan 12, 2018 · 0 comments

@clayton-shopify (Contributor)

The following input demonstrates a crash: 301269.txt

This issue appears quite similar to #3901.

ASAN report:

==8356==ERROR: AddressSanitizer: heap-use-after-free on address 0x000101323804 at pc 0x000100a0f00c bp 0x7ffeef43cc30 sp 0x7ffeef43cc28
READ of size 4 at 0x000101323804 thread T0
Provided dSYM: [/Users/clayton/git/mruby/bin/mruby.dSYM/Contents/Resources/DWARF/mruby] does not match symbol owner 0x7fe899d009f0
    #0 0x100a0f00b in dispatch_linked codegen.c:436
    #1 0x100a0fb58 in loop_pop codegen.c:3042
    #2 0x1009f9734 in codegen codegen.c:1540
    #3 0x1009f69a7 in codegen codegen.c:1320
    #4 0x100a0fd37 in scope_body codegen.c:773
    #5 0x1009fac25 in codegen codegen.c:1636
    #6 0x1009f38b6 in mrb_generate_code codegen.c:3065
    #7 0x100a4c2bc in mrb_load_exec parse.y:5815
    #8 0x100a4de85 in mrb_load_file_cxt parse.y:5849
    #9 0x1007b9d3c in main mruby.c:227
    #10 0x7fff7cd23114 in start (libdyld.dylib:x86_64+0x1114)

0x000101323804 is located 8196 bytes inside of 131072-byte region [0x000101321800,0x000101341800)
freed by thread T0 here:
    #0 0x10174a230 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59230)
    #1 0x10083fd75 in mrb_default_allocf state.c:55
    #2 0x1009547d8 in mrb_realloc_simple gc.c:206
    #3 0x100a0d0a5 in codegen_realloc codegen.c:136
    #4 0x100a0d66d in genop codegen.c:154
    #5 0x100a12e86 in genop_peep codegen.c:386
    #6 0x100a19e93 in loop_break codegen.c:3011
    #7 0x100a018a2 in codegen codegen.c:2093
    #8 0x1009f7a66 in codegen codegen.c:1388
    #9 0x1009f6b61 in codegen codegen.c:1334
    #10 0x1009f931b in codegen codegen.c:1533
    #11 0x1009f69a7 in codegen codegen.c:1320
    #12 0x100a0fd37 in scope_body codegen.c:773
    #13 0x1009fac25 in codegen codegen.c:1636
    #14 0x1009f38b6 in mrb_generate_code codegen.c:3065
    #15 0x100a4c2bc in mrb_load_exec parse.y:5815
    #16 0x100a4de85 in mrb_load_file_cxt parse.y:5849
    #17 0x1007b9d3c in main mruby.c:227
    #18 0x7fff7cd23114 in start (libdyld.dylib:x86_64+0x1114)

previously allocated by thread T0 here:
    #0 0x10174a230 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59230)
    #1 0x10083fd75 in mrb_default_allocf state.c:55
    #2 0x1009547d8 in mrb_realloc_simple gc.c:206
    #3 0x100a0d0a5 in codegen_realloc codegen.c:136
    #4 0x100a0d66d in genop codegen.c:154
    #5 0x100a16fa0 in gen_call codegen.c:976
    #6 0x1009fac53 in codegen codegen.c:1641
    #7 0x1009f7a66 in codegen codegen.c:1388
    #8 0x1009f69a7 in codegen codegen.c:1320
    #9 0x100a0fd37 in scope_body codegen.c:773
    #10 0x1009fac25 in codegen codegen.c:1636
    #11 0x1009f38b6 in mrb_generate_code codegen.c:3065
    #12 0x100a4c2bc in mrb_load_exec parse.y:5815
    #13 0x100a4de85 in mrb_load_file_cxt parse.y:5849
    #14 0x1007b9d3c in main mruby.c:227
    #15 0x7fff7cd23114 in start (libdyld.dylib:x86_64+0x1114)

SUMMARY: AddressSanitizer: heap-use-after-free codegen.c:436 in dispatch_linked
Shadow bytes around the buggy address:
  0x1000202646b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1000202646c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1000202646d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1000202646e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1000202646f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x100020264700:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x100020264710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x100020264720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x100020264730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x100020264740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x100020264750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8356==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/j0s3

@matz closed this as completed in ec63b1a on Jan 16, 2018
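The ASAN trace above shows the classic shape of a realloc-induced use-after-free: the instruction buffer was allocated by genop via codegen_realloc, later freed by another genop call that grew the buffer (realloc moved it), and the stale address was then read in dispatch_linked while patching jump targets. The following is an added illustration of that bug class and its usual fix, not mruby's code: a toy code emitter whose buffer may move on every append, with the pending-jump chain kept as pc offsets inside the buffer rather than as pointers, so resolving the chain after further emission is safe. All names here (scope_t, emit, emit_jmp_linked, dispatch_linked, build_loop, the opcode encoding) are hypothetical and only borrow the trace's function names for orientation.

```c
/* Added example (not mruby's code): a growable instruction buffer that
 * reallocates on append, and a pending-jump list that survives the
 * reallocation because it stores offsets, not pointers. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t mrb_code;   /* hypothetical: one 32-bit instruction word */

#define OP_NOP 0u
#define OP_JMP 1u
#define OP_RET 2u

/* Encoding (hypothetical): low 8 bits opcode, upper 24 bits operand. */
static mrb_code mk(uint32_t op, uint32_t arg) { return (arg << 8) | (op & 0xffu); }
static uint32_t op_of(mrb_code c)  { return c & 0xffu; }
static uint32_t arg_of(mrb_code c) { return c >> 8; }

typedef struct {
    mrb_code *iseq;   /* may move on every emit(): never cache this pointer */
    size_t    pc;     /* instructions emitted so far */
    size_t    cap;
} scope_t;

/* Pending forward jumps are linked through their own operand field: each
 * OP_JMP placeholder stores the pc of the previous pending jump, and
 * LINK_END terminates the chain. Because the chain is made of offsets into
 * the buffer, a realloc cannot leave any part of it dangling. */
#define LINK_END 0xffffffu

static int emit(scope_t *s, mrb_code c) {
    if (s->pc == s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 4;
        mrb_code *n = realloc(s->iseq, ncap * sizeof *n);
        if (!n) return -1;
        s->iseq = n;   /* the old block is freed here: any saved pointer into it is stale */
        s->cap = ncap;
    }
    s->iseq[s->pc++] = c;
    return 0;
}

/* Emit an unresolved jump and chain it onto the pending list headed by *head. */
static int emit_jmp_linked(scope_t *s, uint32_t *head) {
    uint32_t here = (uint32_t)s->pc;
    if (emit(s, mk(OP_JMP, *head)) < 0) return -1;
    *head = here;
    return 0;
}

/* Resolve every pending jump in the chain to `target`. Each step indexes
 * s->iseq afresh by pc, so it is correct even if the buffer moved since the
 * jumps were emitted. Returns the number of jumps patched. */
static size_t dispatch_linked(scope_t *s, uint32_t head, uint32_t target) {
    size_t n = 0;
    while (head != LINK_END) {
        uint32_t next = arg_of(s->iseq[head]);
        s->iseq[head] = mk(OP_JMP, target);
        head = next;
        n++;
    }
    return n;
}

/* Emit a loop body with three `break`s whose target is not yet known, then
 * resolve them at loop exit (the loop_pop step). The buffer grows from 4 to
 * 8 slots partway through, so the chain lives across a realloc. Returns exit pc. */
static uint32_t build_loop(scope_t *s) {
    uint32_t pending = LINK_END;
    for (int i = 0; i < 3; i++) {
        emit(s, mk(OP_NOP, 0));
        emit_jmp_linked(s, &pending);      /* `break`: target filled in later */
    }
    emit(s, mk(OP_NOP, 0));
    uint32_t exit_pc = (uint32_t)s->pc;
    dispatch_linked(s, pending, exit_pc);  /* patch all pending breaks */
    emit(s, mk(OP_RET, 0));
    return exit_pc;
}

int main(void) {
    scope_t s = {0};
    uint32_t exit_pc = build_loop(&s);
    for (size_t i = 0; i < s.pc; i++)
        if (op_of(s.iseq[i]) == OP_JMP)
            printf("pc %zu: JMP -> %u\n", i, arg_of(s.iseq[i]));
    printf("exit pc = %u\n", exit_pc);
    free(s.iseq);
    return 0;
}
```

The unsafe variant that the trace points at would hold a `mrb_code *` into the buffer (or into a structure inside it) across a call that can emit, then read through it afterwards; under ASAN that read lands in the freed region exactly as reported at codegen.c:436. Storing offsets and re-deriving the pointer from the current base on every access removes the hazard regardless of how many times the buffer grows.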