Bug #13836

Null pointer dereference in defined_expr0()

Added by fumfel (Kamil Frankowicz) over 6 years ago. Updated over 6 years ago.

Status: Closed
Assignee: -
Target version: -
ruby -v: ruby 2.5.0dev (2017-08-03) [x86_64-linux]
[ruby-core:82447]

Description

After some fuzz testing I found a crashing test case.

To reproduce: miniruby ruby_null_ptr_defined_expr0

Context:

ruby_null_ptr_defined_expr0: [BUG] Segmentation fault at 0x0000000000000000
ruby 2.5.0dev (2017-08-03) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0001 p:0000 s:0003 E:000c40 (none) [FINISH]


-- Machine register context ------------------------------------------------
 RIP: 0x0000564af314ea5d RBP: 0x0000564af459e378 RSP: 0x00007ffe96951370
 RAX: 0x0000000000001adc RBX: 0x0000564af37bb9e0 RCX: 0x0000564af37cccf0
 RDX: 0x0000000000000000 RDI: 0x0000564af459de28 RSI: 0x00007ffe969519b0
  R8: 0x0000000000000000  R9: 0x0000000000000001 R10: 0x0000564af468cc80
 R11: 0x0000000000000001 R12: 0x00007ffe969519b0 R13: 0x00007ffe96951780
 R14: 0x0000564af459de28 R15: 0xfffffffffffffffc EFL: 0x0000000000010206

-- C level backtrace information -------------------------------------------
XYZ/ruby/miniruby(rb_vm_bugreport+0x2b7) [0x564af34e2177] vm_dump.c:671
XYZ/ruby/miniruby(rb_bug_context+0x2e6) [0x564af319bc56] error.c:539
XYZ/ruby/miniruby(sigsegv+0x6e) [0x564af33a41de] signal.c:930
/lib/x86_64-linux-gnu/libpthread.so.0 [0x7f72a9761390]
XYZ/ruby/miniruby(defined_expr0+0x3d) [0x564af314ea5d] compile.c:3631
XYZ/ruby/miniruby(defined_expr0+0xc24) [0x564af314f644] compile.c:3737
XYZ/ruby/miniruby(defined_expr0+0x41d) [0x564af314ee3d] compile.c:3654
XYZ/ruby/miniruby(defined_expr0+0xb8e) [0x564af314f5ae] compile.c:3733
XYZ/ruby/miniruby(defined_expr0+0x41d) [0x564af314ee3d] compile.c:3654
XYZ/ruby/miniruby(defined_expr0+0xb8e) [0x564af314f5ae] compile.c:3733
XYZ/ruby/miniruby(defined_expr0+0xc24) [0x564af314f644] compile.c:3737
XYZ/ruby/miniruby(defined_expr0+0xc24) [0x564af314f644] compile.c:3737
XYZ/ruby/miniruby(defined_expr+0x4c) [0x564af314a8fc] compile.c:3807
XYZ/ruby/miniruby(compile_defined_expr+0x27a) [0x564af314cffa] compile.c:3839
XYZ/ruby/miniruby(iseq_compile_each0+0x3e13) [0x564af3132bb3] compile.c:6310
XYZ/ruby/miniruby(iseq_compile_each0+0xb52) [0x564af312f8f2] compile.c:4285
XYZ/ruby/miniruby(iseq_compile_each0+0xb52) [0x564af312f8f2] compile.c:4285
XYZ/ruby/miniruby(compile_array+0x6c5) [0x564af314b5e5] compile.c:4285
XYZ/ruby/miniruby(setup_args+0x52a) [0x564af314a5fa] compile.c:3996
XYZ/ruby/miniruby(iseq_compile_each0+0x9319) [0x564af31380b9] compile.c:5464
XYZ/ruby/miniruby(compile_array+0x6c5) [0x564af314b5e5] compile.c:4285
XYZ/ruby/miniruby(setup_args+0x52a) [0x564af314a5fa] compile.c:3996
XYZ/ruby/miniruby(iseq_compile_each0+0x9319) [0x564af31380b9] compile.c:5464
XYZ/ruby/miniruby(iseq_compile_each0+0x108f) [0x564af312fe2f] compile.c:4285
XYZ/ruby/miniruby(iseq_compile_each0+0xbe55) [0x564af313abf5] compile.c:4285
XYZ/ruby/miniruby(rb_iseq_compile_node+0x8e7) [0x564af311dd07] compile.c:4285
XYZ/ruby/miniruby(rb_iseq_new_with_opt+0xbf) [0x564af323d61f] iseq.c:505
XYZ/ruby/miniruby(rb_iseq_new_main+0x7b) [0x564af323dadb] iseq.c:475
XYZ/ruby/miniruby(ruby_process_options+0x1e90) [0x564af3397410] ruby.c:1727
XYZ/ruby/miniruby(ruby_options+0x1b6) [0x564af31ac526] eval.c:105
XYZ/ruby/miniruby(main+0x81) [0x564af30a1981] ./main.c:42

-- Other runtime information -----------------------------------------------

* Loaded script: ruby_null_ptr_defined_expr0

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so

* Process memory map:

564af307c000-564af35b6000 r-xp 00000000 fc:00 548227                     XYZ/ruby/miniruby
564af37b5000-564af37bb000 r--p 00539000 fc:00 548227                     XYZ/ruby/miniruby
564af37bb000-564af37bc000 rw-p 0053f000 fc:00 548227                     XYZ/ruby/miniruby
564af37bc000-564af37dd000 rw-p 00000000 00:00 0 
564af4575000-564af46af000 rw-p 00000000 00:00 0                          [heap]
7f72a7910000-7f72a7ad9000 r--s 00000000 fc:00 415265                     /lib/x86_64-linux-gnu/libc-2.23.so
7f72a7ad9000-7f72a8753000 r--s 00000000 fc:00 548227                     XYZ/ruby/miniruby
7f72a8753000-7f72a8769000 r-xp 00000000 fc:00 392981                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f72a8769000-7f72a8968000 ---p 00016000 fc:00 392981                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f72a8968000-7f72a8969000 rw-p 00015000 fc:00 392981                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f72a8969000-7f72a8c41000 r--p 00000000 fc:00 15064                      /usr/lib/locale/locale-archive
7f72a8c41000-7f72a8e01000 r-xp 00000000 fc:00 415265                     /lib/x86_64-linux-gnu/libc-2.23.so
7f72a8e01000-7f72a9001000 ---p 001c0000 fc:00 415265                     /lib/x86_64-linux-gnu/libc-2.23.so
7f72a9001000-7f72a9005000 r--p 001c0000 fc:00 415265                     /lib/x86_64-linux-gnu/libc-2.23.so
7f72a9005000-7f72a9007000 rw-p 001c4000 fc:00 415265                     /lib/x86_64-linux-gnu/libc-2.23.so
7f72a9007000-7f72a900b000 rw-p 00000000 00:00 0 
7f72a900b000-7f72a9113000 r-xp 00000000 fc:00 415260                     /lib/x86_64-linux-gnu/libm-2.23.so
7f72a9113000-7f72a9312000 ---p 00108000 fc:00 415260                     /lib/x86_64-linux-gnu/libm-2.23.so
7f72a9312000-7f72a9313000 r--p 00107000 fc:00 415260                     /lib/x86_64-linux-gnu/libm-2.23.so
7f72a9313000-7f72a9314000 rw-p 00108000 fc:00 415260                     /lib/x86_64-linux-gnu/libm-2.23.so
7f72a9314000-7f72a931d000 r-xp 00000000 fc:00 415247                     /lib/x86_64-linux-gnu/libcrypt-2.23.so
7f72a931d000-7f72a951c000 ---p 00009000 fc:00 415247                     /lib/x86_64-linux-gnu/libcrypt-2.23.so
7f72a951c000-7f72a951d000 r--p 00008000 fc:00 415247                     /lib/x86_64-linux-gnu/libcrypt-2.23.so
7f72a951d000-7f72a951e000 rw-p 00009000 fc:00 415247                     /lib/x86_64-linux-gnu/libcrypt-2.23.so
7f72a951e000-7f72a954c000 rw-p 00000000 00:00 0 
7f72a954c000-7f72a954f000 r-xp 00000000 fc:00 415254                     /lib/x86_64-linux-gnu/libdl-2.23.so
7f72a954f000-7f72a974e000 ---p 00003000 fc:00 415254                     /lib/x86_64-linux-gnu/libdl-2.23.so
7f72a974e000-7f72a974f000 r--p 00002000 fc:00 415254                     /lib/x86_64-linux-gnu/libdl-2.23.so
7f72a974f000-7f72a9750000 rw-p 00003000 fc:00 415254                     /lib/x86_64-linux-gnu/libdl-2.23.so
7f72a9750000-7f72a9768000 r-xp 00000000 fc:00 415248                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7f72a9768000-7f72a9967000 ---p 00018000 fc:00 415248                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7f72a9967000-7f72a9968000 r--p 00017000 fc:00 415248                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7f72a9968000-7f72a9969000 rw-p 00018000 fc:00 415248                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7f72a9969000-7f72a996d000 rw-p 00000000 00:00 0 
7f72a996d000-7f72a9993000 r-xp 00000000 fc:00 415243                     /lib/x86_64-linux-gnu/ld-2.23.so
7f72a9a62000-7f72a9a84000 r--s 00000000 fc:00 415248                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7f72a9a84000-7f72a9b89000 rw-p 00000000 00:00 0 
7f72a9b8c000-7f72a9b8d000 ---p 00000000 00:00 0 
7f72a9b8d000-7f72a9b92000 rw-p 00000000 00:00 0 
7f72a9b92000-7f72a9b93000 r--p 00025000 fc:00 415243                     /lib/x86_64-linux-gnu/ld-2.23.so
7f72a9b93000-7f72a9b94000 rw-p 00026000 fc:00 415243                     /lib/x86_64-linux-gnu/ld-2.23.so
7f72a9b94000-7f72a9b95000 rw-p 00000000 00:00 0 
7ffe96156000-7ffe96955000 rw-p 00000000 00:00 0                          [stack]
7ffe969c9000-7ffe969cb000 r--p 00000000 00:00 0                          [vvar]
7ffe969cb000-7ffe969cd000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Files

ruby_null_ptr_defined_expr0 (210 Bytes) ruby_null_ptr_defined_expr0 PoC to trigger null pointer dereference (miniruby) fumfel (Kamil Frankowicz), 08/22/2017 12:35 PM
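When a fuzzing run produces many dumps like the one above, the first triage questions are whether the fault address sits in the null page (a NULL dereference, as the title says) rather than somewhere wild, and which frames below the signal handler identify the crash site so duplicates can be grouped. The following Ruby script is an added example, not part of the bug report or of Ruby's own tooling: it parses the text that `rb_vm_bugreport()` emits, skips the reporter's own frames (`rb_vm_bugreport`, `rb_bug_context`, `sigsegv` and the libpthread trampoline), and checks the control-frame section to confirm that no Ruby code was executing yet, which is consistent with a crash inside `compile.c`. The 0x1000 null-page threshold, the handler-frame list and the sample report (copied from this issue and trimmed) are this example's own assumptions.

```ruby
# Added example: triage helper for Ruby "[BUG]" crash dumps (not project code).
NULL_PAGE_LIMIT = 0x1000  # assumption: faults below the first page count as NULL derefs
# Frames that belong to the crash reporter itself, not to the crash site.
HANDLER_FRAMES = %w[rb_vm_bugreport rb_bug_context sigsegv sigbus sigill].freeze

# "bin(func+0xOFF) [0xADDR] file.c:LINE" (the file:line part is optional)
FRAME_RE = /\A(?<bin>\S+)\((?<func>[^+)]+)\+0x[0-9a-f]+\)\s+\[0x[0-9a-f]+\](?:\s+(?<loc>\S+))?/
# "libfoo.so [0xADDR]": a frame with no symbol, e.g. the libpthread trampoline
BARE_FRAME_RE = /\A(?<bin>\S+)\s+\[0x[0-9a-f]+\]\z/

# Returns { fault_addr: Integer or nil, frames: [{bin:, func:, loc:}, ...] }
def parse_crash_report(text)
  fault = text[/\[BUG\] Segmentation fault at 0x([0-9a-fA-F]+)/, 1]
  frames = []
  in_bt = false
  text.each_line do |raw|
    line = raw.strip
    if line.start_with?("-- C level backtrace information")
      in_bt = true
      next
    end
    break if in_bt && line.start_with?("-- ") # next section header ends the backtrace
    next unless in_bt
    if (m = FRAME_RE.match(line))
      frames << { bin: m[:bin], func: m[:func], loc: m[:loc] }
    elsif (m = BARE_FRAME_RE.match(line))
      frames << { bin: m[:bin], func: nil, loc: nil }
    end
  end
  { fault_addr: fault && fault.to_i(16), frames: frames }
end

def classify_fault(addr)
  return "unknown" if addr.nil?
  addr < NULL_PAGE_LIMIT ? "null-deref" : "wild-pointer"
end

# First `depth` frames after the signal-handling prologue: the real crash site.
def crash_site(frames, depth = 3)
  frames.drop_while { |f| f[:func].nil? || HANDLER_FRAMES.include?(f[:func]) }.first(depth)
end

# Key for grouping reports that crash at the same place.
def dedup_key(report, depth = 3)
  crash_site(report[:frames], depth).map { |f| "#{f[:func]}@#{f[:loc] || '?'}" }.join("|")
end

# True when every control frame is "(none)", i.e. the VM had not started
# running Ruby code: the crash happened while parsing or compiling.
def crashed_before_execution?(text)
  cf = text.each_line.select { |l| l =~ /\Ac:\d{4} p:/ }
  !cf.empty? && cf.all? { |l| l.include?("(none)") }
end

# Constructed sample: the report from this issue, trimmed to the relevant sections.
SAMPLE_REPORT = <<~REPORT
  ruby_null_ptr_defined_expr0: [BUG] Segmentation fault at 0x0000000000000000
  ruby 2.5.0dev (2017-08-03) [x86_64-linux]

  -- Control frame information -----------------------------------------------
  c:0001 p:0000 s:0003 E:000c40 (none) [FINISH]

  -- C level backtrace information -------------------------------------------
  XYZ/ruby/miniruby(rb_vm_bugreport+0x2b7) [0x564af34e2177] vm_dump.c:671
  XYZ/ruby/miniruby(rb_bug_context+0x2e6) [0x564af319bc56] error.c:539
  XYZ/ruby/miniruby(sigsegv+0x6e) [0x564af33a41de] signal.c:930
  /lib/x86_64-linux-gnu/libpthread.so.0 [0x7f72a9761390]
  XYZ/ruby/miniruby(defined_expr0+0x3d) [0x564af314ea5d] compile.c:3631
  XYZ/ruby/miniruby(defined_expr0+0xc24) [0x564af314f644] compile.c:3737
  XYZ/ruby/miniruby(defined_expr0+0x41d) [0x564af314ee3d] compile.c:3654
  XYZ/ruby/miniruby(defined_expr+0x4c) [0x564af314a8fc] compile.c:3807
  XYZ/ruby/miniruby(compile_defined_expr+0x27a) [0x564af314cffa] compile.c:3839

  -- Other runtime information -----------------------------------------------
  * Loaded script: ruby_null_ptr_defined_expr0
REPORT

if __FILE__ == $PROGRAM_NAME
  report = parse_crash_report(SAMPLE_REPORT)
  puts "fault:              #{classify_fault(report[:fault_addr])}"
  puts "dedup key:          #{dedup_key(report)}"
  puts "compile-time crash: #{crashed_before_execution?(SAMPLE_REPORT)}"
end
```

Feeding several dumps through `dedup_key` collapses the many inputs a fuzzer typically finds for one bug into a single bucket; varying `depth` trades precision for grouping, which matters here because the recursive `defined_expr0` frames differ only in their `compile.c` line numbers.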