Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap buffer overflow in OP_ENTER #4038

Closed
clayton-shopify opened this issue Jun 5, 2018 · 0 comments
Closed

Heap buffer overflow in OP_ENTER #4038

clayton-shopify opened this issue Jun 5, 2018 · 0 comments

Comments

@clayton-shopify
Copy link
Contributor

@clayton-shopify clayton-shopify commented Jun 5, 2018

The following input demonstrates a crash:

Fiber::new {|x|}.transfer(0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62) 

This issue looks similar to #3641.

ASAN report:

==42706==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000e80 at pc 0x00010d30e3fe bp 0x7ffee2dcd970 sp 0x7ffee2dcd120
READ of size 16 at 0x619000000e80 thread T0
    #0 0x10d30e3fd in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4f3fd)
    #1 0x10cedd8a8 in mrb_vm_exec vm.c:1859
    #2 0x10cec672b in mrb_vm_run vm.c:950
    #3 0x10cefe483 in mrb_top_run vm.c:3005
    #4 0x10d0fe067 in mrb_load_exec parse.y:5835
    #5 0x10d0feea9 in mrb_load_file_cxt parse.y:5844
    #6 0x10ce2a685 in main mruby.c:279
    #7 0x7fff76f6d014 in start (libdyld.dylib:x86_64+0x1014)

0x619000000e80 is located 0 bytes to the right of 1024-byte region [0x619000000a80,0x619000000e80)
allocated by thread T0 here:
    #0 0x10d3161a7 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x571a7)
    #1 0x10ceb2af5 in mrb_default_allocf state.c:55
    #2 0x10cfc9908 in mrb_realloc_simple gc.c:206
    #3 0x10cfca0d1 in mrb_realloc gc.c:220
    #4 0x10cfcaba3 in mrb_malloc gc.c:242
    #5 0x10d09953e in fiber_init fiber.c:97
    #6 0x10ce71499 in mrb_instance_new class.c:1591
    #7 0x10ced2fe1 in mrb_vm_exec vm.c:1472
    #8 0x10cec672b in mrb_vm_run vm.c:950
    #9 0x10cefe483 in mrb_top_run vm.c:3005
    #10 0x10d0fe067 in mrb_load_exec parse.y:5835
    #11 0x10d0feea9 in mrb_load_file_cxt parse.y:5844
    #12 0x10ce2a685 in main mruby.c:279
    #13 0x7fff76f6d014 in start (libdyld.dylib:x86_64+0x1014)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4f3fd) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c3200000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3200000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c32000001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c32000001b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c32000001c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c32000001d0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c32000001e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c32000001f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3200000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3200000210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3200000220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==42706==ABORTING
Abort trap: 6

This issue was reported by Daniel Teuchert, Cornelius Aschermann, Tommaso Frassetto and Tigist Abera (https://hackerone.com/pnoltof).

matz added a commit that referenced this issue Jun 7, 2018
This change is required to support #4038.
@matz matz closed this in 7785005 Jun 7, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant
You can’t perform that action at this time.