Bug #13755

Null pointer dereference in hash_table_index()

Added by fumfel (Kamil Frankowicz) over 7 years ago. Updated over 7 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.5.0dev (2017-07-11 trunk 59311) [x86_64-linux]
[ruby-core:82108]

Description

After some fuzz testing I found a crashing test case.

To reproduce: miniruby ruby_null_ptr_hash_table_index

Valgrind Context:

==945== Memcheck, a memory error detector
==945== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==945== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==945== Command: XYZ/ruby/miniruby ruby_null_ptr_hash_table_index
==945== 
==945== Warning: client switching stacks?  SP change: 0xfff000160 --> 0xffe8020f0
==945==          to suppress, use: --max-stackframe=8380528 or greater
==945== Invalid write of size 1
==945==    at 0x4A9350: reserve_stack (thread_pthread.c:722)
==945==    by 0x4A921F: ruby_init_stack (thread_pthread.c:757)
==945==    by 0x12D96D: main (main.c:40)
==945==  Address 0xffe8020f0 is on thread 1's stack
==945==  in frame #0, created by reserve_stack (thread_pthread.c:677)
==945== 
==945== Warning: client switching stacks?  SP change: 0xffe8020f0 --> 0xfff000280
==945==          to suppress, use: --max-stackframe=8380816 or greater
==945== Invalid read of size 4
==945==    at 0x4A7C2D: hash_table_index (id_table.c:131)
==945==    by 0x4A7C2D: rb_id_table_lookup (id_table.c:229)
==945==    by 0x52860A: lookup_method_table (vm_method.c:182)
==945==    by 0x52860A: search_method (vm_method.c:699)
==945==    by 0x52860A: method_entry_get_without_cache (vm_method.c:724)
==945==    by 0x52860A: method_entry_get (vm_method.c:788)
==945==    by 0x5288C3: rb_callable_method_entry (vm_method.c:835)
==945==    by 0x51D933: vm_search_method (vm_insnhelper.c:1296)
==945==    by 0x51D933: vm_exec_core (insns.def:1176)
==945==    by 0x53E2D3: vm_exec (vm.c:1788)
==945==    by 0x2389BC: ruby_exec_internal (eval.c:244)
==945==    by 0x2389BC: ruby_exec_node (eval.c:308)
==945==    by 0x2389BC: ruby_run_node (eval.c:300)
==945==    by 0x12D988: main (in XYZ/ruby/miniruby)
==945==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==945== 
ruby_null_ptr_hash_table_index:1: [BUG] Segmentation fault at 0x0000000000000000
ruby 2.5.0dev (2017-07-11 trunk 59311) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0002 p:0037 s:0008 E:000e18 EVAL   ruby_null_ptr_hash_table_index:1 [FINISH]
c:0001 p:0000 s:0003 E:000440 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
ruby_null_ptr_hash_table_index:1:in `<main>'

-- Machine register context ------------------------------------------------
 RIP: 0x00000000004a7c2d RBP: 0x0000000000b9647f RSP: 0x0000000ffefffc30
 RAX: 0x00000000000099f1 RBX: 0x00000000008419e0 RCX: 0x00000000008522f0
 RDX: 0x0000000ffefffc70 RDI: 0x0000000000000000 RSI: 0x000000000000002f
  R8: 0x00000000008419e0  R9: 0xfffffffffffffffc R10: 0x000000000000002f
 R11: 0xfffffffffffffffc R12: 0xfffffffffffffffc R13: 0x0000000ffefffc70
 R14: 0x0000000000000000 R15: 0x0000000005cb2280 EFL: 0x0000000000000004

-- C level backtrace information -------------------------------------------
XYZ/ruby/miniruby(rb_vm_bugreport+0x2b7) [0x5673c7] vm_dump.c:671
XYZ/ruby/miniruby(rb_bug_context+0x2e6) [0x227246] error.c:534
XYZ/ruby/miniruby(sigsegv+0x6e) [0x42a9ee] signal.c:930
/lib/x86_64-linux-gnu/libpthread.so.0 [0x4e4b390]
XYZ/ruby/miniruby(rb_id_table_lookup+0x3d) [0x4a7c2d] ./symbol.h:60
XYZ/ruby/miniruby(method_entry_get+0x1ab) [0x52860b] ./vm_method.c:182
XYZ/ruby/miniruby(rb_callable_method_entry+0x44) [0x5288c4] ./vm_method.c:835
XYZ/ruby/miniruby(vm_exec_core+0xf894) [0x51d934] ./vm_insnhelper.c:1296
XYZ/ruby/miniruby(vm_exec+0x194) [0x53e2d4] vm.c:1788
XYZ/ruby/miniruby(ruby_run_node+0x27d) [0x2389bd] eval.c:244
XYZ/ruby/miniruby(main+0x89) [0x12d989] ./main.c:42

-- Other runtime information -----------------------------------------------

* Loaded script: ruby_null_ptr_hash_table_index

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so

* Process memory map:


[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html

==945== 
==945== Process terminating with default action of signal 6 (SIGABRT)
==945==    at 0x57D1428: raise (raise.c:54)
==945==    by 0x57D3029: abort (abort.c:89)
==945==    by 0x22730C: die (error.c:506)
==945==    by 0x22730C: rb_bug_context (error.c:536)
==945==    by 0x42A9ED: sigsegv (signal.c:930)
==945==    by 0x4E4B38F: ??? (in /lib/x86_64-linux-gnu/libpthread-2.23.so)
==945==    by 0x4A7C2C: rb_id_to_serial (symbol.h:60)
==945==    by 0x4A7C2C: id2key (id_table.c:25)
==945==    by 0x4A7C2C: rb_id_table_lookup (id_table.c:228)
==945== 
==945== HEAP SUMMARY:
==945==     in use at exit: 2,132,137 bytes in 6,161 blocks
==945==   total heap usage: 6,604 allocs, 443 frees, 2,325,597 bytes allocated
==945== 
==945== LEAK SUMMARY:
==945==    definitely lost: 341 bytes in 4 blocks
==945==    indirectly lost: 2,472 bytes in 37 blocks
==945==      possibly lost: 733,266 bytes in 5,650 blocks
==945==    still reachable: 1,396,058 bytes in 470 blocks
==945==         suppressed: 0 bytes in 0 blocks
==945== Rerun with --leak-check=full to see details of leaked memory
==945== 
==945== For counts of detected and suppressed errors, rerun with: -v
==945== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

Files

ruby_null_ptr_hash_table_index (34 Bytes): POC to trigger null pointer dereference. Uploaded by fumfel (Kamil Frankowicz), 07/19/2017 10:16 AM

Related issues: 2 (0 open, 2 closed)

  • Related to Ruby master - Feature #4840: Allow returning from require (Closed; assignee: nobu (Nobuyoshi Nakada))
  • Has duplicate Ruby master - Bug #13760: Another iseq_set_sequence: adjust bug 1 < 2 (Closed)

#1

Updated by nobu (Nobuyoshi Nakada) over 7 years ago

  • Status changed from Open to Closed

Applied in changeset trunk|r59374.

compile.c: restore stack at return

  • compile.c (iseq_compile_each0): restore the stack depth after
    return to the previous depth, to fix the stack depth at
    returning from rescue iseq. [ruby-core:82108] [Bug #13755]
#2

Updated by nobu (Nobuyoshi Nakada) over 7 years ago

#3

Updated by nobu (Nobuyoshi Nakada) over 7 years ago

  • Backport changed from 2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: UNKNOWN to 2.2: DONTNEED, 2.3: DONTNEED, 2.4: REQUIRED
#4

Updated by nobu (Nobuyoshi Nakada) over 7 years ago

  • Has duplicate Bug #13760: Another iseq_set_sequence: adjust bug 1 < 2 added

Updated by nagachika (Tomoyuki Chikanaga) over 7 years ago

  • Backport changed from 2.2: DONTNEED, 2.3: DONTNEED, 2.4: REQUIRED to 2.2: DONTNEED, 2.3: DONTNEED, 2.4: DONE

ruby_2_4 r59507 merged revision(s) 59374.
