shopify-scripts: Invalid Pointer Reference from OP_RESCUE
@ssarong reported a null pointer dereference in MRuby: https://github.com/mruby/mruby/issues/3518 This issue was fixed in https://github.com/mruby/mruby/commit/75c374cad330e2c99ceb7e1ca083523a7651e753...
shopify-scripts: Heap buffer overflow in mruby value_move
Hi: The following program demonstrates a heap overflow on the current up-to-date master branch of mruby at the time of report, latest commit 8b089c0. The program leading to the crash is: d 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0...
shopify-scripts: Null pointer dereference in mark_context_stack
The following code causes a segfault in mruby and mruby-engine: class A rescue "" end end. mruby crashes due to a null pointer dereference in mark_context_stack (gc.c:554): 553│ if (!mrb_immediate_p(v)) 554├ if (mrb_basic_ptr(v)->tt == MRB_TT_FREE) 555│ c->stbase[i] = mrb_nil_value(); gdb: print v $1 = value = f = 0, p = 0x...
shopify-scripts: Memory corruption in mrb_gc_mark
The memory corruption in the mrb_gc_mark function can lead to code execution or at least DoS on mruby. PoC attached. Crash debug: mr@minhrau $ ./mrubylatest/mruby/build/bench/bin/mruby ./mruby/fuzz03/crashes/mrb_gc_mark.rb Reading symbols from ./mrubylatest/mruby/build/bench/bin/mruby...done. gdb r...
shopify-scripts: Heap Buffer Overflow while processing OP_SEND
@ssarong reported a heap buffer overflow in MRuby: https://github.com/mruby/mruby/issues/3475 This issue was fixed in https://github.com/mruby/mruby/commit/8b089c09f7ddaa513d14c84a04e050abc17b01b3...
shopify-scripts: mruby heap use-after-free
By doing some fuzzing against mruby, I spotted this vulnerability. The source code should be compiled with AddressSanitizer. Here is the vulnerable code: class NoMethodError < NameError def initialize(message=nil, name=nil, args=nil) @args = ar super message,&name end end class StopIteration r :result...
shopify-scripts: Use After Free in mrb_vm_exec
@ssarong reported the following crash in MRuby: https://github.com/mruby/mruby/issues/3465 The issue was patched in https://github.com/mruby/mruby/commit/9e93d5dbf0c96cbf5cc0bc5a9c5f734248d7c37b...
shopify-scripts: Heap Buffer overflow in mrb_ary_unshift
@ssarong reported the following crash in MRuby: https://github.com/mruby/mruby/issues/3464 This issue was patched in https://github.com/mruby/mruby/commit/50bbdbb11b1cecd2843db2825cab4081893047c1...
shopify-scripts: A crash when an exception is caught in a caller and the receiver returned from `ensure`
This snippet crashes when run by ./bin/sandbox: class A def foo pr = proc return 1 begin doesnotexist ensure pr end end end begin A.new.foo rescue end Crash details: ./bin/sandbox:20: [BUG] Segmentation fault at 0x0000000000000e ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-linux] -- Control...
shopify-scripts: segfault in mruby's sprintf - mrb_str_format
The mruby sprintf gem (out of scope of mruby-engine) can be crashed when using a hostile "width" value in the format string. Exploit Script =========== s = "hello" sprintf("abcdefghijklmnopqrstuvwxyz % 2147483640s", s) Here is the core dump: Core was generated by...
shopify-scripts: Denial of service (segfault) due to null pointer dereference in mrb_vm_exec
Introduction ============ Provided PoC segfaults at mrb_vm_exec due to a null pointer dereference. Proof of concept ================ Attached the poc. Crash report ============ ./sandbox vmexec.rb ./sandbox:20: [BUG] Segmentation fault at 0x00000000000000 ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu] --...
shopify-scripts: Denial of service (segfault) due to null pointer dereference in mrb_obj_instance_eval
Introduction ============ Provided PoC segfaults at mrb_obj_instance_eval due to a null pointer dereference. Proof of concept ================ Attached the poc. Crash report ============ ./sandbox eval.rb ./sandbox:20: [BUG] Segmentation fault at 0x00000000000003 ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gn...
shopify-scripts: SIGSEGV - vm.c - line:1214
PoC ------------------- The following code triggers the bug, attached as testmrbvmexec1214.rb: def test instance_exec do return to_enum :== end ensure end test Debug - mirb ------------------- gdb r testmrbvmexec1214.rb Starting program: /home/x/Desktop/research/3fuzz/mruby/bin/mirb testmrbvmexec1214....
shopify-scripts: Segfault at mrb_vm_exec
@ssarong discovered an integer overflow in MRuby's code generator, which resulted in a crash. The issue was reported upstream in https://github.com/mruby/mruby/issues/3426 and fixed in https://github.com/mruby/mruby/commit/6e0ba0085d22b7751c46b178e841046483f0f6b4...
shopify-scripts: heap-use-after-free /home/operac/testafl/mruby/mrubylast/mruby/src/gc.c
The following code triggers a use-after-free when mruby is compiled with ASAN, on this code path: https://github.com/mruby/mruby/blob/master/src/gc.c#L762 POC: va0ue0=0,0,0,0 u= h= va0ue0.each do va0ue0.uniq!do va0ue0.zip va0ue0.each do v do% end end end end ASAN output:...
shopify-scripts: Incorrect code generation with redo inside NODE_RESCUE.
The following code causes mruby to use up all available memory: class A redo rescue c end Following the execution, we see the code in codegen.c jumping between CASE(OP_ONERR) and CASE(OP_JMP). CASE(OP_ONERR) uses realloc to double the size of mrb->c->rescue, and since it is stuck in an infinite loop between...
shopify-scripts: Crash in print_backtrace
This crash does not affect mruby-engine because it does not print the backtrace in the guest. We can control the register by setting a backtrace array. PoC: exc = Exception.new exc.set_backtrace(0x41414141) raise exc GDB: $ gdb -q --args ./bin/mruby test12.rb Reading symbols from ./bin/mruby...done...
shopify-scripts: SIGSEGV - mrb_obj_extend - line:413
PoC: ------------------- The following code triggers the bug, attached as testmrbobjextend413.rb: module Test end def method_missing(s) extend Test end def set(v) a.set(0) end set(0) Mirb - Debug: ------------------- gdb r testmrbobjextend413.rb The program being debugged has been started already. Start it from...
shopify-scripts: SIGSEGV - mrb_vm_exec - line:1681
PoC: ------------------- The following code triggers the bug, attached as testmrbvmexec1681.rb: def try yield ensure yield end a=lambda do a.try do return end end.call Mirb - Debug: ------------------- gdb r testmrbvmexec1678.rb The program being debugged has been started already. Start it from th...
shopify-scripts: Heap Buffer overflow in mrb_funcall_with_block
@ssarong discovered a heap buffer overflow vulnerability in MRuby. The issue was reported upstream in https://github.com/mruby/mruby/issues/3398 and fixed in https://github.com/mruby/mruby/commit/a3571240e5fdbdac9210be27e2445e3f82239f44...