Segmentation fault at mrbgems/mruby-metaprog/src/metaprog.c:142 #4955

Closed
pnoltof opened this issue Mar 30, 2020 · 1 comment

Comments

@pnoltof

pnoltof commented Mar 30, 2020

When the following mruby code is executed with mruby in
version 137aa18006410365769f91110eb96d7d121c423f, mruby crashes because of a segmentation violation:

#This input causes mruby to crash
#this bug was found using nautilus 2.0: https://github.com/nautilus-fuzz/nautilus 
b=0
c={1=>1, 2=>"foo", "foo"=>nil, nil=> nil}
d = c.collect(){|c| d = c.collect(){|| b = methods.sample(){||  }
b = methods.sample(){||  }
b = methods.sample(){||  }
b = methods.sample(){||  }
b = methods.sample(){||  }
b = methods.sample(){||  }
b = methods.sample(){||  }
b = methods.sample(){||  }
b = methods.sample(){||  }
b = methods.sample(){||  }
b = methods.sample(){||  }
b = methods.sample(){||  }
b = methods.sample(){||  }
b = methods.sample(){||  }
 }
 }
c = rand.method(b,){||  }
d = c.call(){||  }

ASAN output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==84518==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x564462f04eb2 bp 0x7ffe3fe42330 sp 0x7ffe3fe42270 T0)
==84518==The signal is caused by a READ memory access.
==84518==Hint: address points to the zero page.
    #0 0x564462f04eb1 in mrb_local_variables (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x15eeb1)
    #1 0x564462e7ff4f in mrb_funcall_with_block (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0xd9f4f)
    #2 0x564462f4c57d in mcall (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x1a657d)
    #3 0x564462f4c9f0 in method_call (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x1a69f0)
    #4 0x564462e8ee7d in mrb_vm_exec (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0xe8e7d)
    #5 0x564462e84006 in mrb_vm_run (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0xde006)
    #6 0x564462eb740a in mrb_top_run (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x11140a)
    #7 0x564462e76ac7 in mrb_load_exec (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0xd0ac7)
    #8 0x564462e76bfc in mrb_load_file_cxt (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0xd0bfc)
    #9 0x564462dd9a51 in main (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x33a51)
    #10 0x7f76a40581e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
    #11 0x564462dd710d in _start (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x3110d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x15eeb1) in mrb_local_variables
==84518==ABORTING
@dearblue (Contributor)

It is a good report!

c = rand.method(b,){||  }
d = c.call(){||  }

Since the value of b in this part is :local_variables, the minimum reproduction code should look like this.

method(:local_variables).call

Here are the problematic parts that are NULL dereferenced:

if (MRB_PROC_CFUNC_P(proc)) {
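The crash class in this report, modelled as an added example in C (this is not mruby's code; `proc_t`, `frame_t` and every function below are hypothetical names, not mruby's data structures or API): an introspection routine that assumes its caller frame always carries a bytecode proc with a local table, beside a version that treats a missing proc or a C-function proc as having no introspectable locals, which is the shape a NULL-dereference fix on this path takes. The `scenario_method_call` case mirrors dearblue's minimal reproducer: when `local_variables` is reached through `Method#call`, the frame immediately below it belongs to the C-implemented `Method#call` rather than to Ruby code, so there is no local table to read.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an interpreter call stack, used only for illustration.
 * proc_t, frame_t and every function below are hypothetical names; they are
 * not mruby's data structures or API. */
typedef struct {
    int is_cfunc;              /* proc implemented in C: no bytecode, no local table */
    const char **local_names;  /* local variable names of a bytecode proc, may be NULL */
    int nlocals;
} proc_t;

typedef struct {
    const proc_t *proc;        /* NULL when the frame carries no proc at all */
} frame_t;

/* Vulnerable shape: the introspection routine assumes the calling frame always
 * holds a bytecode proc with a local table and dereferences it unconditionally.
 * Reaching it through a C-implemented caller (the Method#call path in the
 * report) leaves proc NULL or a cfunc, and this reads through a NULL pointer. */
int locals_unchecked(const frame_t *caller, const char **out, int max)
{
    int n = caller->proc->nlocals;              /* NULL dereference when proc == NULL */
    if (n > max) n = max;
    memcpy(out, caller->proc->local_names, (size_t)n * sizeof *out);
    return n;
}

/* Hardened shape: a frame whose proc is missing or is a C function has no
 * introspectable locals, so report none instead of touching absent fields. */
int locals_checked(const frame_t *caller, const char **out, int max)
{
    if (caller == NULL || caller->proc == NULL) return 0;
    if (caller->proc->is_cfunc || caller->proc->local_names == NULL) return 0;
    int n = caller->proc->nlocals;
    if (n < 0) return 0;
    if (n > max) n = max;
    memcpy(out, caller->proc->local_names, (size_t)n * sizeof *out);
    return n;
}

/* Scenario 1: local_variables called directly from Ruby code; the caller frame
 * is a bytecode proc with locals a and b (constructed sample data). */
int scenario_ruby_caller(void)
{
    static const char *names[] = { "a", "b" };
    proc_t ruby_proc = { 0, names, 2 };
    frame_t caller = { &ruby_proc };
    const char *out[8];
    return locals_checked(&caller, out, 8);     /* 2 */
}

/* Scenario 2: local_variables reached via method(:local_variables).call; the
 * immediate caller frame is the C-implemented Method#call, so its proc is a
 * cfunc with no local table. */
int scenario_method_call(void)
{
    proc_t cfunc_proc = { 1, NULL, 0 };
    frame_t caller = { &cfunc_proc };
    const char *out[8];
    return locals_checked(&caller, out, 8);     /* 0, no crash */
}

/* Scenario 3: the frame carries no proc at all (e.g. a bootstrap frame). */
int scenario_null_proc(void)
{
    frame_t caller = { NULL };
    const char *out[8];
    return locals_checked(&caller, out, 8);     /* 0, no crash */
}

int main(void)
{
    printf("ruby caller: %d locals\n", scenario_ruby_caller());
    printf("Method#call caller: %d locals\n", scenario_method_call());
    printf("no proc: %d locals\n", scenario_null_proc());
    return 0;
}
```

The checked version deliberately returns an empty result for the `Method#call` path rather than walking further down the stack to the nearest Ruby frame; that matches the note on the fix commit below that the crash is gone but `#call` on the `local_variables` method object does not yet report the caller's locals. A reviewer reading a fix of this kind should confirm every dereference of the frame's proc is guarded on the same conditions, not just the first one.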

@matz closed this as completed in 9b15860 Mar 31, 2020
matz added a commit that referenced this issue Mar 31, 2020:
Fix NULL pointer dereferences in mrb_local_variables; fix #4955
However, the behavior of `#call` on the method object of `local_variables` is not corrected.
Reckordp pushed a commit to Reckordp/mruby that referenced this issue Apr 5, 2020