Bug #10957
Updated by nobu (Nobuyoshi Nakada) over 9 years ago
Built ruby 2.3.0dev (2015-03-07 trunk 49885) [x86_64-linux] from git source earlier this evening. This bug was found with american fuzzy lop (http://lcamtuf.coredump.cx/afl) and was compiled as follows: CC=afl-gcc ./configure && AFL_HARDEN=1 make -j8 && make install Valgrind: ~~~ ==41211== Invalid write of size 1 ==41211== at 0x827873: reserve_stack (thread_pthread.c:684) ==41211== by 0x842871: ruby_init_stack (thread_pthread.c:713) ==41211== by 0x1337E8: main (main.c:34) ==41211== Address 0x7fe8010e0 is on thread 1's stack ==41211== ==41211== Stack overflow in thread 1: can't grow stack to 0x7fe8010e0 ==41211== ==41211== Process terminating with default action of signal 11 (SIGSEGV) ==41211== Access not within mapped region at address 0x7FE8010E0 ==41211== at 0x827873: reserve_stack (thread_pthread.c:684) ==41211== If you believe this happened as a result of a stack ==41211== overflow in your program's main thread (unlikely but ==41211== possible), you can try to increase the size of the ==41211== main thread stack using the --main-stacksize= flag. ==41211== The main thread stack size used in this run was 8388608. ==41211== Stack overflow in thread 1: can't grow stack to 0x7fe8010d9 ==41211== ==41211== Process terminating with default action of signal 11 (SIGSEGV) ==41211== Access not within mapped region at address 0x7FE8010D9 ==41211== at 0x4A226E0: _vgnU_freeres (vg_preloaded.c:58) ==41211== If you believe this happened as a result of a stack ==41211== overflow in your program's main thread (unlikely but ==41211== possible), you can try to increase the size of the ==41211== main thread stack using the --main-stacksize= flag. ==41211== The main thread stack size used in this run was 8388608. Segmentation fault ~~~ GDB: ~~~ gdb-peda$ file ruby gdb-peda$ set args test00-min gdb-peda$ r [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". [New Thread 0x7ffff6c00700 (LWP 48391)] Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] RAX: 0x555556679f20 --> 0xd71c RBX: 0xd1 RCX: 0x0 RDX: 0x1 RSI: 0x0 RDI: 0x0 RBP: 0xd71c RSP: 0x7fffffffbe70 --> 0x7fff000000d1 RIP: 0x555555f312f8 (<ruby_yyparse+148344>: mov r11,QWORD PTR [rsi]) R8 : 0x5555566651c0 --> 0x555556678000 (0x00005555566651c0) R9 : 0x0 R10: 0x3900 ('') R11: 0xfffffffffffa360a R12: 0x555556679f20 --> 0xd71c R13: 0x7fffffffc120 --> 0x555556679f48 --> 0xb91c R14: 0x7fffffffbf6c --> 0x55befb3e026f021d R15: 0x555556402060 --> 0x0 EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x555555f312ee <ruby_yyparse+148334>: mov r12,rax 0x555555f312f1 <ruby_yyparse+148337>: mov QWORD PTR [rax],rbp 0x555555f312f4 <ruby_yyparse+148340>: mov rsi,QWORD PTR [r13-0x10] => 0x555555f312f8 <ruby_yyparse+148344>: mov r11,QWORD PTR [rsi] 0x555555f312fb <ruby_yyparse+148347>: and r11d,0x7f00 0x555555f31302 <ruby_yyparse+148354>: cmp r11,0x3900 0x555555f31309 <ruby_yyparse+148361>: jne 0x555555f0ee47 <ruby_yyparse+7879> 0x555555f3130f <ruby_yyparse+148367>: nop [------------------------------------stack-------------------------------------] 0000| 0x7fffffffbe70 --> 0x7fff000000d1 0008| 0x7fffffffbe78 --> 0x555500000000 ('') 0016| 0x7fffffffbe80 --> 0x7fffffffbf60 --> 0xe6004c00020000 0024| 0x7fffffffbe88 --> 0xd1 0032| 0x7fffffffbe90 --> 0xc8 0040| 0x7fffffffbe98 --> 0x0 0048| 0x7fffffffbea0 --> 0x7fffffffc0f0 --> 0x88cf9f52f8c4423 0056| 0x7fffffffbea8 --> 0x7fffffffbf60 --> 0xe6004c00020000 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x0000555555f312f8 in ruby_yyparse () at parse.y:2105 2105 if (nd_type($1) == NODE_LIT && FIXNUM_P($1->nd_lit) && gdb-peda$ exploit Description: Access violation near NULL on source operand Short description: SourceAvNearNull (16/22) Hash: 8e697703610f21a0a2aaec98723ec089.0b098a66d2dd0257594a0e5fb055f0de Exploitability Classification: PROBABLY_NOT_EXPLOITABLE Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor. Other tags: AccessViolation (21/22) Hexdump of the 7-byte test case: 0000000 2070 2928 2e2e 0030 0000007 System Info: Debian 7, Kernel 3.2.65-1+deb7u1 x86_64, GCC 4.9.2, libc 2.13-38+deb7u8