Segmentation fault at mrb_vm_exec #4973

Closed
pnoltof opened this issue Apr 20, 2020 · 2 comments
pnoltof commented Apr 20, 2020

When the following mruby code is executed with mruby in
version c91c9e2, mruby crashes because of a segmentation violation:

#This input causes mruby to crash
#this bug was found using nautilus 2.0: https://github.com/nautilus-fuzz/nautilus
b="a"
c={1=>1, 2=>"foo", "foo"=>nil, nil=> nil}
b = b.sub(b){|| def b.instance_eval()
 end
 }
b = c.method(b){||  }
b = b.call(){||}

ASAN output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==65641==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000062cfcc bp 0x7ffeb1da0570 sp 0x7ffeb1d94620 T0)
==65641==The signal is caused by a READ memory access.
==65641==Hint: address points to the zero page.
    #0 0x62cfcb in mrb_vm_exec (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x62cfcb)
    #1 0x61c3d4 in mrb_vm_run (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x61c3d4)
    #2 0x67323f in mrb_top_run (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x67323f)
    #3 0x5eda0d in mrb_load_exec (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x5eda0d)
    #4 0x5ee71d in mrb_load_file_cxt (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x5ee71d)
    #5 0x4c56df in main (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x4c56df)
    #6 0x7f2f635fa1e2 in __libc_start_main /build/glibc-t7JzpG/glibc-2.30/csu/../csu/libc-start.c:308:16
    #7 0x41c68d in _start (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x41c68d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x62cfcb) in mrb_vm_exec
==65641==ABORTING
matz added a commit that referenced this issue Apr 21, 2020
matz closed this as completed in 61c6832 Apr 21, 2020

shuujii commented Apr 21, 2020

It seems that instance_exec and class_exec have the same issue. Both of the following examples crash.

[].method(:instance_exec).call{}
Array.method(:class_exec).call{}

matz added a commit that referenced this issue Apr 22, 2020
The difference between `mrb_singleton_class` and `mrb_singleton_class_ptr`:

- `mrb_singleton_class_ptr` returns `struct RClass*`.
- `mrb_singleton_class_ptr` returns `NULL` on immediate values where
  `mrb_singleton_class` raises exceptions.
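The crashing forms from this thread, recast as a regression-style test. This is an added example, not mruby's own test code or the reporters' code; the expected values are CRuby's, which mruby is meant to match, and the immediate-value case follows the NULL distinction in the commit message above.

```ruby
# Added example (not mruby's own test code): regression-style checks for the
# Method#call-with-block path from this issue. Each expression below is one
# of the forms that segfaulted mruby in mrb_vm_exec; the checks state the
# behaviour a correct VM must show instead: the block runs with `self` bound
# to the receiver and its value is returned. Expected values follow CRuby.

def instance_exec_via_method
  # shuujii's first crashing form was [].method(:instance_exec).call {}
  recv = []
  recv.method(:instance_exec).call { self.equal?(recv) }
end

def class_exec_via_method
  # shuujii's second crashing form was Array.method(:class_exec).call {}
  Array.method(:class_exec).call { self }
end

def instance_eval_via_method
  # the original report went through instance_eval on a String receiver
  recv = "a"
  recv.method(:instance_eval).call { self.equal?(recv) }
end

def instance_eval_on_immediate
  # Immediate values (an Integer here) are not heap objects, so in mruby
  # mrb_singleton_class_ptr returns NULL for them (see the commit message
  # above); a regression test should cover this path as well.
  1.method(:instance_eval).call { self }
end

def run_all
  # Collects every case so a single call can be compared against expectations.
  {
    instance_exec: instance_exec_via_method,
    class_exec:    class_exec_via_method,
    instance_eval: instance_eval_via_method,
    immediate:     instance_eval_on_immediate,
  }
end

puts run_all.inspect if $PROGRAM_NAME == __FILE__
```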
matz added a commit that referenced this issue Apr 22, 2020

matz commented Apr 22, 2020

Thank you for the report @shuujii!
