Denial of service in mruby/mruby

Valid

Reported on

May 4th 2022


Affected commit

49b8cef31f01c0d88d874e17714dff1fa5b85df0

Proof of Concept

raise SystemStackError.new BasicObject.new

Expected:

Raise the exception without aborting the program

Case output:

root:~/mruby/mruby/bin# ./mruby poc.rb 
poc.rb:1: can't convert BasicObject into String (TypeError)
Aborted
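The following is an added example, not part of the report or of mruby itself. It runs under CRuby rather than mruby and reproduces the conversion failure in pure Ruby: a BasicObject has neither to_s nor to_str, so formatting the exception's message raises the same "can't convert BasicObject into String" TypeError quoted in the case output, and it does so in the middle of handling the original exception. The naive reporter shows that second failure; the hardened reporter is the shape an embedding host's error path should take so that a hostile message object cannot turn a caught exception into a crash. The function names (trigger_poc, naive_report, safe_report, report_with) are assumptions made for the illustration.

```ruby
# Added example (not the report's or mruby's code). Run with CRuby:
#   ruby exception_message_double_fault.rb

# Same shape as the report's PoC, raised from a method so it can be rescued.
def trigger_poc
  raise SystemStackError.new(BasicObject.new)
end

# Naive reporter: assumes every exception message converts to a String.
# For a BasicObject message this raises TypeError while handling the error.
def naive_report(exc)
  "#{exc.class}: #{exc.message}"
end

# Hardened reporter: never lets message formatting raise a second exception.
# `String === msg` is used instead of `msg.is_a?(String)` because a
# BasicObject does not respond to is_a? either.
def safe_report(exc)
  msg = begin
    exc.message
  rescue StandardError => e
    "<message not convertible to String: #{e.class}>"
  end
  msg = "<non-String message>" unless String === msg
  "#{exc.class}: #{msg}"
end

# Runs the PoC and hands the resulting exception to a reporter, catching
# any second failure raised by the reporter itself so the process survives.
# SystemStackError derives from Exception, not StandardError, so a plain
# `rescue => e` would not catch it.
def report_with(reporter)
  trigger_poc
  "no exception"
rescue Exception => exc
  begin
    reporter.call(exc)
  rescue StandardError => second
    "reporter itself failed with #{second.class}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts report_with(method(:naive_report))
  puts report_with(method(:safe_report))
  puts safe_report(RuntimeError.new("boom"))
end
```

The point of the hardened version is that message conversion is itself an operation that can fail, so it must be wrapped separately from the rescue that caught the original exception; an error reporter that assumes every message is a String is exactly the place where a second, unhandled error turns a recoverable exception into an abort.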

Test Platform:

Ubuntu 18.04

Acknowledgements

This bug was found by Ken Wong (@wwkenwong) from Black Bauhinia (@blackb6a) and Alex Cheung

Impact

Denial of service

Occurrences

We are processing your report and will contact the mruby team within 24 hours. a year ago
We have contacted a member of the mruby team and are waiting to hear back a year ago
Yukihiro "Matz" Matsumoto modified the Severity from Critical to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Yukihiro "Matz" Matsumoto validated this vulnerability a year ago

This is a bug, but to use it as a security vulnerability, it requires: (a) use libmruby to sandbox untrusted input (e.g. mruby-engine) (b) enable MRB_USE_STDIO which is fundamentally more dangerous for untrusted input

Considering those requirements, I mark this as low

wwkenwong has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yukihiro "Matz" Matsumoto marked this as fixed in 3.2 with commit 457abf a year ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty
This vulnerability will not receive a CVE
error.c#L204 has been validated