Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Segmentation fault at mrb_io_s_select #4966

Closed
pnoltof opened this issue Apr 9, 2020 · 1 comment
Closed

Segmentation fault at mrb_io_s_select #4966

pnoltof opened this issue Apr 9, 2020 · 1 comment

Comments

@pnoltof
Copy link

pnoltof commented Apr 9, 2020

When the following mruby code is executed with mruby in
version 63c7ff3, mruby crashes because of a segmentation violation:

#This input causes mruby to crash
#this bug was found using nautilus 2.0: https://github.com/nautilus-fuzz/nautilus
d=[1,nil," sdfg"]
srand(1337)
b = to_s.srand()
c = File.new(b)
a = d.prepend(c)
c = File.select(d)

ASAN output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==84900==ERROR: AddressSanitizer: SEGV on unknown address 0x1000802b320e (pc 0x00000072e9ad bp 0x7ffffc59bcf0 sp 0x7ffffc59a6a0 T0)                                                                       
==84900==The signal is caused by a READ memory access.                                               
    #0 0x72e9ac in mrb_io_s_select (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x72e9ac)
    #1 0x62c651 in mrb_vm_exec (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x62c651)
    #2 0x61c3d4 in mrb_vm_run (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x61c3d4)
    #3 0x67323f in mrb_top_run (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x67323f)
    #4 0x5eda0d in mrb_load_exec (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x5eda0d)
    #5 0x5ee71d in mrb_load_file_cxt (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x5ee71d)
    #6 0x4c56df in main (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x4c56df)
    #7 0x7fc551b5e1e2 in __libc_start_main /build/glibc-t7JzpG/glibc-2.30/csu/../csu/libc-start.c:308:16
    #8 0x41c68d in _start (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x41c68d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x72e9ac) in mrb_io_s_select
==84900==ABORTING

dearblue added a commit to dearblue/mruby that referenced this issue Apr 11, 2020
dearblue added a commit to dearblue/mruby that referenced this issue Apr 11, 2020
@dearblue
Copy link
Contributor

dearblue commented Apr 11, 2020

I will send a pull request when Travis-ci maintenance is complete.

dearblue added a commit to dearblue/mruby that referenced this issue Apr 12, 2020
dearblue added a commit to dearblue/mruby that referenced this issue Apr 12, 2020
dearblue added a commit to dearblue/mruby that referenced this issue Apr 12, 2020
dearblue added a commit to dearblue/mruby that referenced this issue Apr 12, 2020
dearblue added a commit to dearblue/mruby that referenced this issue Apr 12, 2020
@matz matz closed this as completed in 7add524 Apr 14, 2020
matz added a commit that referenced this issue Apr 15, 2020
Check the file descriptor with `IO#initialize`; resolve #4966
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants