Actions
Bug #10957
closedseg fault in ruby_yyparse () at parse.y:2105 (null ptr / stack overflow)
Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.3.0dev (2015-03-07 trunk 49885) [x86_64-linux]
Description
Built ruby 2.3.0dev (2015-03-07 trunk 49885) [x86_64-linux] from git source earlier this evening. This bug was found with american fuzzy lop (http://lcamtuf.coredump.cx/afl) and was compiled as follows:
CC=afl-gcc ./configure && AFL_HARDEN=1 make -j8 && make install
Valgrind:
==41211== Invalid write of size 1
==41211== at 0x827873: reserve_stack (thread_pthread.c:684)
==41211== by 0x842871: ruby_init_stack (thread_pthread.c:713)
==41211== by 0x1337E8: main (main.c:34)
==41211== Address 0x7fe8010e0 is on thread 1's stack
==41211==
==41211== Stack overflow in thread 1: can't grow stack to 0x7fe8010e0
==41211==
==41211== Process terminating with default action of signal 11 (SIGSEGV)
==41211== Access not within mapped region at address 0x7FE8010E0
==41211== at 0x827873: reserve_stack (thread_pthread.c:684)
==41211== If you believe this happened as a result of a stack
==41211== overflow in your program's main thread (unlikely but
==41211== possible), you can try to increase the size of the
==41211== main thread stack using the --main-stacksize= flag.
==41211== The main thread stack size used in this run was 8388608.
==41211== Stack overflow in thread 1: can't grow stack to 0x7fe8010d9
==41211==
==41211== Process terminating with default action of signal 11 (SIGSEGV)
==41211== Access not within mapped region at address 0x7FE8010D9
==41211== at 0x4A226E0: _vgnU_freeres (vg_preloaded.c:58)
==41211== If you believe this happened as a result of a stack
==41211== overflow in your program's main thread (unlikely but
==41211== possible), you can try to increase the size of the
==41211== main thread stack using the --main-stacksize= flag.
==41211== The main thread stack size used in this run was 8388608.
Segmentation fault
GDB:
gdb-peda$ file ruby
gdb-peda$ set args test00-min
gdb-peda$ r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff6c00700 (LWP 48391)]
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x555556679f20 --> 0xd71c
RBX: 0xd1
RCX: 0x0
RDX: 0x1
RSI: 0x0
RDI: 0x0
RBP: 0xd71c
RSP: 0x7fffffffbe70 --> 0x7fff000000d1
RIP: 0x555555f312f8 (<ruby_yyparse+148344>: mov r11,QWORD PTR [rsi])
R8 : 0x5555566651c0 --> 0x555556678000 (0x00005555566651c0)
R9 : 0x0
R10: 0x3900 ('')
R11: 0xfffffffffffa360a
R12: 0x555556679f20 --> 0xd71c
R13: 0x7fffffffc120 --> 0x555556679f48 --> 0xb91c
R14: 0x7fffffffbf6c --> 0x55befb3e026f021d
R15: 0x555556402060 --> 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x555555f312ee <ruby_yyparse+148334>: mov r12,rax
0x555555f312f1 <ruby_yyparse+148337>: mov QWORD PTR [rax],rbp
0x555555f312f4 <ruby_yyparse+148340>: mov rsi,QWORD PTR [r13-0x10]
=> 0x555555f312f8 <ruby_yyparse+148344>: mov r11,QWORD PTR [rsi]
0x555555f312fb <ruby_yyparse+148347>: and r11d,0x7f00
0x555555f31302 <ruby_yyparse+148354>: cmp r11,0x3900
0x555555f31309 <ruby_yyparse+148361>: jne 0x555555f0ee47 <ruby_yyparse+7879>
0x555555f3130f <ruby_yyparse+148367>: nop
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffbe70 --> 0x7fff000000d1
0008| 0x7fffffffbe78 --> 0x555500000000 ('')
0016| 0x7fffffffbe80 --> 0x7fffffffbf60 --> 0xe6004c00020000
0024| 0x7fffffffbe88 --> 0xd1
0032| 0x7fffffffbe90 --> 0xc8
0040| 0x7fffffffbe98 --> 0x0
0048| 0x7fffffffbea0 --> 0x7fffffffc0f0 --> 0x88cf9f52f8c4423
0056| 0x7fffffffbea8 --> 0x7fffffffbf60 --> 0xe6004c00020000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555f312f8 in ruby_yyparse () at parse.y:2105
2105 if (nd_type($1) == NODE_LIT && FIXNUM_P($1->nd_lit) &&
gdb-peda$ exploit
Description: Access violation near NULL on source operand
Short description: SourceAvNearNull (16/22)
Hash: 8e697703610f21a0a2aaec98723ec089.0b098a66d2dd0257594a0e5fb055f0de
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor.
Other tags: AccessViolation (21/22)
Hexdump of the 7-byte test case:
0000000 2070 2928 2e2e 0030
0000007
System Info: Debian 7, Kernel 3.2.65-1+deb7u1 x86_64, GCC 4.9.2, libc 2.13-38+deb7u8
Files
Actions
Like0
Like0Like0Like0Like0Like0Like0Like0Like0