Null pointer dereference in mrb_class_real #4037

Closed
clayton-shopify opened this issue Jun 5, 2018 · 0 comments

Comments

clayton-shopify (Contributor) commented Jun 5, 2018

The following input demonstrates a crash:

```ruby
BasicObject.prepend Enumerable

class BasicObject < Class
end
```

ASAN report:

```
ASAN:DEADLYSIGNAL
=================================================================
==26786==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00010d1fdfbe bp 0x7ffee2a2e4f0 sp 0x7ffee2a2e4b0 T0)
==26786==The signal is caused by a READ memory access.
==26786==Hint: address points to the zero page.
    #0 0x10d1fdfbd in mrb_class_real class.c:1768
    #1 0x10d1fdc86 in mrb_vm_define_class class.c:314
    #2 0x10d2946c2 in mrb_vm_exec vm.c:2821
    #3 0x10d265c2b in mrb_vm_run vm.c:950
    #4 0x10d29d983 in mrb_top_run vm.c:3005
    #5 0x10d4596e7 in mrb_load_exec parse.y:5835
    #6 0x10d45a529 in mrb_load_file_cxt parse.y:5844
    #7 0x10d1c9b85 in main mruby.c:279
    #8 0x7fff76f6d014 in start (libdyld.dylib:x86_64+0x1014)

==26786==Register values:
rax = 0x0000100000000001  rbx = 0x00007ffee2a2e5c0  rcx = 0x0000000000000000  rdx = 0x0000100000000000
rdi = 0x000062f000002e00  rsi = 0x00007ffee2a2e500  rbp = 0x00007ffee2a2e4f0  rsp = 0x00007ffee2a2e4b0
 r8 = 0x00001fffdc545c00   r9 = 0x00007ffee2a2e004  r10 = 0x00007ffee2a2e0a0  r11 = 0xffffffffffffffe0
r12 = 0x00007ffee2a35bc0  r13 = 0x00007ffee2a35be0  r14 = 0x00007ffee2a2e580  r15 = 0x00007ffee2a2e5a0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV class.c:1768 in mrb_class_real
==26786==ABORTING
Abort trap: 6
```

This issue was reported by Daniel Teuchert, Cornelius Aschermann, Tommaso Frassetto and Tigist Abera (https://hackerone.com/pnoltof).

@matz matz closed this in faa4eaf Jun 8, 2018
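The stack trace shows `mrb_vm_define_class` calling `mrb_class_real` while reopening `BasicObject` with an explicit superclass, and the SEGV on address 0 is a read through a NULL pointer inside that walk. The following is an added, self-contained model of the failure mode and its defensive fix; it is not mruby's code and not the content of the fixing commit. The type tags, struct layout and the assumption that `prepend` places include-class proxies between a class and its former superclass (which for `BasicObject` is NULL) are simplifications made for this example, as are all the names used.

```c
/* Added example, not mruby code: model of a superclass-chain walk that skips
 * singleton and include classes, with the NULL-dereference path beside a
 * checked variant. Names, tags and layout are assumptions for illustration. */
#include <stdio.h>
#include <stddef.h>

/* Assumed subset of class type tags: a real class, a singleton class, and
 * the "include class" proxy that include/prepend link into the chain. */
enum cls_tt { TT_CLASS, TT_SCLASS, TT_ICLASS };

struct rclass {
  enum cls_tt tt;
  const char *name;
  struct rclass *super;   /* NULL at the root of the hierarchy */
};

/* Constructed hierarchy: Object -> BasicObject -> NULL, plus Object's
 * singleton class, which a correct walk must skip over. */
static struct rclass basic_object  = { TT_CLASS,  "BasicObject",     NULL };
static struct rclass object_cls    = { TT_CLASS,  "Object",          &basic_object };
static struct rclass object_sclass = { TT_SCLASS, "#<Class:Object>", &object_cls };

/* Assumed shape of BasicObject's chain after `BasicObject.prepend Enumerable`:
 * the include-class proxies sit where BasicObject's former superclass was,
 * so the chain ends in NULL without ever reaching a real class. */
static struct rclass origin_iclass     = { TT_ICLASS, "BasicObject(origin)", NULL };
static struct rclass enumerable_iclass = { TT_ICLASS, "Enumerable",          &origin_iclass };

/* Unchecked walk: follows super until a real class is found. On the
 * prepended chain above, `c` becomes NULL and `c->tt` reads address 0,
 * which is the "address points to the zero page" SEGV in the report.
 * Do not call this on enumerable_iclass. */
struct rclass *class_real_unchecked(struct rclass *c) {
  while (c->tt == TT_SCLASS || c->tt == TT_ICLASS) {
    c = c->super;
  }
  return c;
}

/* Checked walk: a NULL start or a chain that runs off the end yields NULL
 * ("no real class") instead of a dereference. */
struct rclass *class_real_checked(struct rclass *c) {
  if (c == NULL) return NULL;
  while (c->tt == TT_SCLASS || c->tt == TT_ICLASS) {
    c = c->super;
    if (c == NULL) return NULL;
  }
  return c;
}

/* The kind of comparison a class-reopening path makes: does the real class
 * behind the existing super link match the superclass the user named?
 * A NULL result is treated as a mismatch rather than as a crash. */
int superclass_matches(struct rclass *existing_super, struct rclass *wanted) {
  struct rclass *real = class_real_checked(existing_super);
  return real != NULL && real == wanted;
}

int main(void) {
  struct rclass *r = class_real_checked(&enumerable_iclass);
  printf("real class behind prepended BasicObject chain: %s\n",
         r ? r->name : "(none)");
  printf("real class behind Object's singleton class: %s\n",
         class_real_checked(&object_sclass)->name);
  printf("`class BasicObject < Class` superclass check passes: %d\n",
         superclass_matches(&enumerable_iclass, &object_cls));
  return 0;
}
```

The point of the checked variant is that callers such as the class-reopening path get a NULL they can turn into a Ruby-level error (or a mismatch) instead of a fault; whether a NULL real class should be an error or simply "no superclass" is a policy decision for the caller, not for the walk.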