Use of uninitialized pointer in mrb_hash_keys #4027

Closed
clayton-shopify opened this issue May 28, 2018 · 0 comments

clayton-shopify (Contributor) commented:
The following input demonstrates a crash:

(Hash::prepend Enumerable).dup()

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==37239==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000106e6eca0 bp 0x7ffee9eb6080 sp 0x7ffee9eb6080 T0)
==37239==The signal is caused by a READ memory access.
==37239==Hint: address points to the zero page.
    #0 0x106e6ec9f in __asan::QuickCheckForUnpoisonedRegion(unsigned long, unsigned long) (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x15c9f)
    #1 0x106ea8538 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4f538)
    #2 0x105e521d1 in mrb_hash_keys hash.c:768
    #3 0x105ddf551 in mrb_vm_exec vm.c:1472
    #4 0x105dd2c9b in mrb_vm_run vm.c:950
    #5 0x105dc94cf in mrb_run vm.c:2991
    #6 0x105dc6df0 in mrb_funcall_with_block vm.c:506
    #7 0x105dc2fa9 in mrb_funcall_argv vm.c:516
    #8 0x105dc29e6 in mrb_funcall vm.c:396
    #9 0x105d4c176 in init_copy kernel.c:300
    #10 0x105d4caab in mrb_obj_dup kernel.c:383
    #11 0x105d5dc13 in copy_class kernel.c:265
    #12 0x105d4bd99 in init_copy kernel.c:284
    #13 0x105d4a43e in mrb_obj_clone kernel.c:345
    #14 0x105ddf551 in mrb_vm_exec vm.c:1472
    #15 0x105dd2c9b in mrb_vm_run vm.c:950
    #16 0x105e0a9f3 in mrb_top_run vm.c:3005
    #17 0x10600a0c7 in mrb_load_exec parse.y:5835
    #18 0x10600af09 in mrb_load_file_cxt parse.y:5844
    #19 0x105d371d5 in main mruby.c:279
    #20 0x7fff65687014 in start (libdyld.dylib:x86_64+0x1014)

==37239==Register values:
rax = 0x0000100000000000  rbx = 0x0000000107c39880  rcx = 0x1d7d89af7d7d7ecc  rdx = 0x0000000000000000
rdi = 0xebec4d7bebebf660  rsi = 0x0000000000000010  rbp = 0x00007ffee9eb6080  rsp = 0x00007ffee9eb6080
 r8 = 0x0000007cbebebebe   r9 = 0x00007ffee9eb6404  r10 = 0x00007ffee9eb6660  r11 = 0x00001e1ee9eb1f00
r12 = 0x0000000000000010  r13 = 0x00007ffee9eb69a0  r14 = 0x00007ffee9eb69c0  r15 = 0xebec4d7bebebf660
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x15c9f) in __asan::QuickCheckForUnpoisonedRegion(unsigned long, unsigned long)
==37239==ABORTING
Abort trap: 6

This issue was reported by Daniel Teuchert, Cornelius Aschermann, Tommaso Frassetto, and Tigist Abera (https://hackerone.com/pnoltof).
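
The frames above show copy_class duplicating an object during the clone and that duplicate's initialize_copy path landing in mrb_hash_keys, where the memcpy faults on a pointer that points nowhere; the fix note below attributes this to an internal TT_ICLASS object reaching Ruby-visible code. The following is an added illustration of that failure mode and of the guard a practitioner would expect in front of such a cast. It is not mruby's code: the object layouts, the tag names TT_HASH/TT_ICLASS and the hash_keys_* functions are a hypothetical model, and the sample objects are constructed inline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not mruby's code. Models the failure mode in this
 * report: a routine that assumes its argument is a Hash receives a different
 * object kind (here an internal "iclass" proxy) and reads a pointer that the
 * object never had. All names and layouts below are hypothetical. */

enum vtype { TT_HASH = 1, TT_ICLASS = 2 };

struct obj_header { enum vtype tt; };            /* common prefix of every object */

struct hash_obj {                                 /* a Hash: header + key table */
    struct obj_header hdr;
    size_t nkeys;
    const char **keys;
};

struct iclass_obj {                               /* an include/prepend proxy: no key table */
    struct obj_header hdr;
    void *module;
};

/* Unsafe variant: trusts the caller and casts straight to hash_obj.
 * Handed an iclass_obj, it reinterprets 'module' and whatever follows it
 * as nkeys/keys, and the memcpy then reads through a garbage pointer;
 * that is the shape of the SEGV inside __asan_memcpy in the report. */
static size_t hash_keys_unchecked(void *self, const char **out, size_t cap)
{
    struct hash_obj *h = (struct hash_obj *)self;
    size_t n = h->nkeys < cap ? h->nkeys : cap;
    memcpy(out, h->keys, n * sizeof *out);
    return n;
}

/* Hardened variant: check the type tag before the cast and refuse anything
 * that is not a Hash (returns -1), so an internal object that leaked into
 * Ruby-visible code fails loudly instead of being misread as a hash. */
static long hash_keys_checked(void *self, const char **out, size_t cap)
{
    struct obj_header *hdr = (struct obj_header *)self;
    if (hdr->tt != TT_HASH)
        return -1;
    return (long)hash_keys_unchecked(self, out, cap);
}

/* Constructed sample objects for a stand-alone run. */
static const char *sample_keys[] = { "a", "b", "c" };
static struct hash_obj sample_hash = { { TT_HASH }, 3, sample_keys };
static struct iclass_obj sample_iclass = { { TT_ICLASS }, NULL };

/* Key count of the real hash through the checked path: 3. */
long keys_of_hash(void)
{
    const char *buf[8];
    return hash_keys_checked(&sample_hash, buf, 8);
}

/* Same call on the proxy object: rejected with -1 instead of a wild read. */
long keys_of_iclass(void)
{
    const char *buf[8];
    return hash_keys_checked(&sample_iclass, buf, 8);
}

int main(void)
{
    printf("hash:   %ld\n", keys_of_hash());
    printf("iclass: %ld\n", keys_of_iclass());
    return 0;
}
```

The point of the tag check is that it belongs at the boundary where the VM hands an arbitrary value to C code that expects one concrete struct; the unchecked variant is only reachable from the checked one here. The fix referenced below takes the complementary approach of keeping the internal object out of Ruby-visible code in the first place.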

matz closed this as completed in b64ce17 on May 30, 2018.

ksekimoto added a commit to ksekimoto/mruby that referenced this issue on Jul 16, 2021:

Since `TT_ICLASS` is an internal object that should never be revealed
to the Ruby world.