MAL-2025-26829 Malicious code in mruby_engine (npm)
The package mrubyengine was found to contain malicious code...
shopify-scripts: Null pointer dereference in OP_ENTER
PoC === The following demonstrates a crash: class A def foo end end class B argv = ary->ptr; gdb p ary $1 = (struct RArray *) 0x0 Test platform ============= Linux Mint 17.3 Cinnamon 64-bit, built with gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3) mruby SHA: a14a930c800aa50a191922580d53a2ce09287912...
shopify-scripts: Crash in ary_concat()
The code above raises a segmentation fault both in mruby and mruby-engine N case when nil -do end def eend end ASAN report : line 1:3: '' interpreted as argument prefix ASAN:SIGSEGV ================================================================= ==111090==ERROR: AddressSanitizer: SEGV on unknow...
shopify-scripts: Use-after-free leading to an invalid pointer dereference
PoC === The following code demonstrates a crash: class A rescue Struct.new.new.to_h end end Discussion ========== mruby crashes due to an invalid pointer dereference in vm.c:1692: 1689│ L_RESCUE: 1690│ if (ci->ridx == 0) goto L_STOP; 1691│ proc = ci->proc; 1692├ irep = proc->body.irep; gdb print ci->proc ...
shopify-scripts: Null pointer dereference in mrb_class
The following code demonstrates a segfault in mruby and mruby-engine: module A module A ensure module A module A module A module A ensure module A module A module A module A module A module A a ensure module A yield end end end end end end end end end end end end end The mruby crash is due to a...
shopify-scripts: Null pointer dereference in mark_context_stack
The following code causes a segfault in mruby and mruby-engine: class A rescue "" end end mruby crashes due to a null pointer dereference in mark_context_stack (gc.c:554): 553│ if (!mrb_immediate_p(v)) { 554├ if (mrb_basic_ptr(v)->tt == MRB_TT_FREE) { 555│ c->stbase[i] = mrb_nil_value(); gdb print v $1 = {value = {f = 0, p = 0x...
shopify-scripts: A crash when an exception is caught in a caller and the receiver returned from `ensure`
This snippet crashes when run by ./bin/sandbox: class A def foo pr = proc return 1 begin doesnotexist ensure pr end end end begin A.new.foo rescue end Crash details: ./bin/sandbox:20: [BUG] Segmentation fault at 0x0000000000000e ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-linux] -- Control...
shopify-scripts: Denial of service (segfault) due to null pointer dereference in mrb_vm_exec
Introduction ============ Provided PoC segfaults at mrb_vm_exec due to a null pointer dereference. Proof of concept ================ Attached the poc. Crash report ============ ./sandbox vmexec.rb ./sandbox:20: [BUG] Segmentation fault at 0x00000000000000 ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu] --...
shopify-scripts: Crash in print_backtrace
This crash does not affect mruby-engine because it does not print the backtrace in the guest. We can control the register by setting a backtrace array. PoC: exc = Exception.new; exc.set_backtrace(0x41414141); raise exc GDB $ gdb -q --args ./bin/mruby test12.rb Reading symbols from ./bin/mruby...done...
shopify-scripts: Certain inputs cause tight C-level recursion leading to process stack overflow
Introduction ============ Certain legal Ruby programs can cause a tight recursion on the C-level without using eval while spending very little of the Ruby-level stack. This precludes triggering a Ruby stack overflow exception and eventually leads to a process stack overflow and a segfault. Both...
shopify-scripts: Crash: calling Proc::initialize_copy with a Proc instance where initialize never ran leads to a crash
Using the same trick from 184661 with Proc leads to another crash, this time in Proc-related functions. Again, haven't looked into it besides validity testing and an initial code lookup; more detailed investigation + possible patches when there's more time on my side. Again, to give you guys the...
shopify-scripts: Read after free in mrb_vm_exec with OP_ARYCAT reading R(B)
Hi, Slightly different one, this is a use after free as reported by an ASAN compiled binary. This one doesn't affect mruby-engine with the current instruction limit and memory limit, but if they are increased then it does. The file is: class Klazz def $thing.name [email protected]@thing.name nil end...
shopify-scripts: Segfault and/or potential unwanted (byte)code execution with "break" and "||=" inside a loop
Introduction ============ Certain invalid inputs (invalid Ruby programs) crash mruby and mruby_engine (including the parent MRI VM). The programs always involve the ||= operator, loops and the break keyword. Proof of Concept ================ crash.rb -------- A ||= break while break 1. Save the above...
shopify-scripts: Null pointer dereference due to TOCTTOU bug in mrb_time_initialize
mrb_time_initialize sets the data pointer to NULL before parsing function arguments. Parsing function arguments can call out to ruby code to call methods to do type coercion. If the type coercion method tries to access the time object it will dereference a NULL pointer. The following snippet result...
shopify-scripts: TOCTTOU bug in mrb_str_setbyte leading to memory corruption
The String#setbyte function caches the length of the string before loading the function arguments. Loading function arguments through mrb_get_args can call into ruby code to run type conversion methods (to_i, to_s and the like). A malicious conversion method is able to force the string to be reallocated...
shopify-scripts: Range#initialize_copy null pointer dereference
Heya! It's possible to segfault mruby through mruby-engine with the following snippet of code: Range.remove_method(:initialize_copy); (1..2).dup.to_s This can be triggered through mruby-engine like this: MRubyEngine.new5121024, 1000, 1000.sandbox_eval("/tmp", % Range.remove_method(:initialize_copy); (1..2).dup.to...
shopify-scripts: Denial of Service in mruby due to null pointer dereference
Hi, The following file causes a segmentation fault in mruby, which also causes a segmentation fault in mruby-engine. I've minimized this file down to the bare bones of what crashes it, and renamed variables so you can see what is needed and what isn't. a="any splat operator", case "any object or nil...