When the following mruby code is executed with mruby in
version 137aa18006410365769f91110eb96d7d121c423f, mruby crashes because of a segmentation violation:

```ruby
#This input causes mruby to crash
#this bug was found using nautilus 2.0: https://github.com/nautilus-fuzz/nautilus
b=0
c={1=>1, 2=>"foo", "foo"=>nil, nil=> nil}
d = c.collect(){|c| d = c.collect(){|| b = methods.sample(){|| }
b = methods.sample(){|| }
b = methods.sample(){|| }
b = methods.sample(){|| }
b = methods.sample(){|| }
b = methods.sample(){|| }
b = methods.sample(){|| }
b = methods.sample(){|| }
b = methods.sample(){|| }
b = methods.sample(){|| }
b = methods.sample(){|| }
b = methods.sample(){|| }
b = methods.sample(){|| }
b = methods.sample(){|| }
}
}
c = rand.method(b,){|| }
d = c.call(){|| }
```
ASAN output:

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==84518==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x564462f04eb2 bp 0x7ffe3fe42330 sp 0x7ffe3fe42270 T0)
==84518==The signal is caused by a READ memory access.
==84518==Hint: address points to the zero page.
    #0 0x564462f04eb1 in mrb_local_variables (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x15eeb1)
    #1 0x564462e7ff4f in mrb_funcall_with_block (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0xd9f4f)
    #2 0x564462f4c57d in mcall (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x1a657d)
    #3 0x564462f4c9f0 in method_call (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x1a69f0)
    #4 0x564462e8ee7d in mrb_vm_exec (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0xe8e7d)
    #5 0x564462e84006 in mrb_vm_run (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0xde006)
    #6 0x564462eb740a in mrb_top_run (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x11140a)
    #7 0x564462e76ac7 in mrb_load_exec (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0xd0ac7)
    #8 0x564462e76bfc in mrb_load_file_cxt (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0xd0bfc)
    #9 0x564462dd9a51 in main (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x33a51)
    #10 0x7f76a40581e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
    #11 0x564462dd710d in _start (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x3110d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x15eeb1) in mrb_local_variables
==84518==ABORTING
```