shopify-scripts: Segmentation fault on program counter
Mruby running on linux x64 gcc version 4.8.4 Ubuntu 4.8.4-2ubuntu1~14.04.3 poc for i in methods Kernel.initialize.public_methods print print %i0 0 0 0end output ----------------------------------registers----------------------------------- RAX: 0x6b0e00 -- 0x80101 RBX: 0x6bef20 -- 0x6b73d0 -- 0x210...
shopify-scripts: Clearing , Shifting and Pop Value from Frozen Array
Hey again! Found another missing best practice in mruby that allows an attacker to delete, pop or clear a frozen ARRAY. This report is similar to 194866 POC === $a = [1,2,3,4,5].freeze $a.pop "= This will give 5 and $a will become [1,2,3,4]" $a.shift "= This will give 1 and $a will become [2,3,4,5]"...
shopify-scripts: Deleting Key-value pair from Frozen HASH or Clearing a Frozen HASH
Hey! While reviewing mruby for vulnerabilities, I stumbled onto a snippet that allows an attacker to delete a "key-value pair" from a "frozen" Hash or to clear the "frozen" HASH. Reproduction Step ============= 1. Create a Hash like h = {"a" => 100, "b" => 200} 2. Freeze this hash 3. Now call delete meth...
shopify-scripts: SIGSEGV - kh_resize_iv - Null Deref
PoC --------------------- The following code triggers the bug attached as kh_resize_iv.rb: l t'',''doend s'',''do.end d t''do.end a=Array.new a.=102,0 € s a.tos a a.tos a.i Debug - mirb --------------------- gdb r kh_resize_iv.rb Starting program: /home/x/Desktop/research/mruby/bin/mirb kh_resize_iv.rb...
shopify-scripts: attempting double-free using the mruby compiler `mrbc`
I cloned the mruby git 4 days ago, started fuzzing with American Fuzzy Lop. This is the 1st crash. ./mrbc test000 codegen error:test000:1: too complex expression ================================================================= ==12142==ERROR: AddressSanitizer: attempting double-free on...
shopify-scripts: SIGSEGV Null Pointer mrb_str_concat()
Sample --------------------- The following code triggers the bug attached as mrb_str_concat.rb: a=String.new a.concat(a) Crash --------------------- x@x:/Desktop/research/mruby-engine/bin$ ./mruby-engine-mirb mirb - Embeddable Interactive Ruby Shell a=String.new a.concat(a) = "" Segmentation fault Debu...
shopify-scripts: heap-buffer-overflow on mruby
Test case: A = 'z' C = 'a','a','a','a','a','a','a','a','a','a' I = C,'a','a','a','a','a','a','a','a','a' J = I,'a','a','a','a','a','a','a','a','a' M = A,A,A,J for a in M do AA end IMPACT ASAN reports this as heap-buffer-overflow, and it crashed on 0 __memcpy_sse2_unaligned at...
shopify-scripts: Integer Overflow in mrb_ary_set
Hi, I found a crash in mruby. I frankly couldn't reproduce it in mruby-engine. I think it is because of memory limitation, but I'm not sure. Here is a PoC when the size of MRB_INT is 32. ruby ary = Array.new(0) ary[0x7fffffff] = 1 $ gdb -q --args ./bin/mruby ./test.rb Reading symbols from...
Ruby: Buffer underflow in sprintf
Hi, So I found this in mruby as part of the shopify-scripts program, and I notice that my patch also landed upstream in ruby as well. Shame on me for not checking ruby as well! Wondered if it counted for a bounty here as well? https://github.com/mruby/mruby/issues/3347 - issue that shopify guys...
shopify-scripts: SIGSEGV on mruby mrb_get_args()
There is an invalid memory read in mruby when calling mrb_get_args with an invalid RArray, which causes a SIGSEGV (denial of service). The following code triggers the bug attached as mrb_get_args.rb: l...
shopify-scripts: Invalid memory access in `mrb_str_format`
Only affects mruby because mruby-engine doesn't have sprintf. I should have filed this last Friday before I went to the pub, so missed out on higher bounties. Oh well! Crash file is: sprintf("%1$c", 0) Crash is: $ lldb ./bin/mruby ../crash.rb lldb target create "./bin/mruby" Current executable set ...
shopify-scripts: Segfault when passing invalid values to `values_at`
Introduction ============ Passing primitive non-Fixnum values to the values_at method of Struct and Range leads to a segfault in both mruby and mruby-engine/parent Ruby process. Proof of concept ================ list-crash.rb ------------- .values_at true struct-crash.rb ---------------...
shopify-scripts: Certain inputs cause tight C-level recursion leading to process stack overflow
Introduction ============ Certain legal Ruby programs can cause a tight recursion on the C-level without using eval while spending very little of the Ruby-level stack. This precludes triggering a Ruby stack overflow exception and eventually leads to a process stack overflow and a segfault. Both...
shopify-scripts: Buffer overflow in mrb_time_asctime
Hi, This one doesn't always crash every time, but with ASAN on it will. Crash file is: Time.new-0XD00000000000000&0 But you could always do Time.at(sec, usec) with special values, and basically anything that gets to_s called (mrb_time_asctime in C in this case, no method found exception) does this. Crash...
shopify-scripts: Segmentation fault due to bad memory access in kh_get_mt
Crash file is: values=0,0,0,0 unusedbutneeded= Hash= values.each do values.each do values & values.each do values.each do % 0=nil end end end end $ ./dev/bin/mruby crash.rb Segmentation fault: 11 $ lldb ./dev/bin/mruby crash.rb lldb target create "./dev/bin/mruby" Current executable set to...
shopify-scripts: Null pointer dereference due to bug in codegen with negation without using value
Crash file is: p case when nil -0 nil end $ ./dev/bin/mruby crash.rb crash.rb:1:3: '' interpreted as argument prefix Segmentation fault: 11 $ lldb ./dev/bin/mruby crash.rb lldb target create "./dev/bin/mruby" Current executable set to './dev/bin/mruby' x8664. lldb settings set -- target.run-args...
shopify-scripts: Invalid handling of zero-length heredoc identifiers leads to infinite loop in the sandbox
Introduction ============ Certain invalid Ruby programs which should normally raise a syntax error are able to cause an infinite loop in MRuby's parser which makes the mruby-engine sandbox and consequently the MRI process it is running in unresponsive to SIGTERM. The process begins looping foreve...
shopify-scripts: Invalid memory write caused by incorrect upper bound in array_copy
Ok, here is a weird one! It only crashes in mruby, and can't be made to crash in mruby-engine as max memory possible to extend to is 256M which this requires more. The file is: values = 3,5,8 test = 1,6 results,= 1.2 values.each do |value| case value when test results 0x10000222d : movq %rdx, %ra...
shopify-scripts: Crash: Initialize Decimal with itself triggers an assertion
When Decimal is initialized with itself, a new empty mpd_t will be created. To fill it with a value, to_s of the current instance is called, which accesses the empty mpd_t. This triggers an assertion, which leads to a crash. Patch I've created and attached a simple patch which just returns self when...
shopify-scripts: Null pointer dereference regression in parse.y
Hi, Just pulled the latest mruby code, and found that some of my fuzzing test cases now crash. Bisected it to commit 227daa881137d5251e03eea0883b9b574a1f064e. Reverting this change no longer causes a crash. The minimised file causing the crash is: f Also affects mruby-engine. Cheers, Hugh...