Lucene search
783 matches found

Hacker One, added 2016/11/24 1:56 p.m.

shopify-scripts: Crash: calling Proc::initialize_copy with a Proc instance where initialize never ran leads to a crash

Using the same trick from 184661 with Proc leads to another crash, this time in Proc-related functions. Again, haven't looked into it besides validity testing and an initial code lookup; more detailed investigation + possible patches when there's more time on my side. Again, to give you guys the...

Hacker One, added 2016/11/24 5:13 a.m.

shopify-scripts: Read after free in mrb_vm_exec with OP_ARYCAT reading R(B)

Hi, slightly different one: this is a use after free as reported by an ASAN-compiled binary. This one doesn't affect mruby-engine with the current instruction limit and memory limit, but if they are increased then it does. The file is: class Klazz def $thing.name [email protected]@thing.name nil end...

Hacker One, added 2016/11/24 4:35 a.m.

shopify-scripts: Denial of service due to invalid memory access in mrb_ary_concat

Hi, the following file causes a segmentation fault in mruby, which also causes a segmentation fault in mruby-engine. I've minimized this file down to the bare bones of what crashes it, then renamed variables and tidied so you can see what is needed and what isn't. case "" when 0 end x case when true...

Hacker One, added 2016/11/23 10:28 p.m.

shopify-scripts: mruby-time: Crash host with uninitialized Time obj

So once again, another try; as always hopefully unknown and valid. Time::initialize_copy performs its copy action even on Time objects on which initialize never ran, leading to a crash. The PoC crashes https://www.mruby.science/runs - didn't try Shopify production servers for the usual reasons. ...

Hacker One, added 2016/11/21 4:57 a.m.

shopify-scripts: Invalid memory access while freeing memory, caused by invalid type passed to mrb_ary_unshift

Hi, phew, this was a tricky one, as the cause wasn't next door to where the dereference happened! The file causing this is: a case when nil redo end $ ./dev/bin/mruby --version mruby 1.2.0 2015-11-17 $ ./dev/bin/mruby crash.rb crash.rb:1:3: '' interpreted as argument prefix trace: 0 crash.rb:3...

Hacker One, added 2016/11/20 10:56 p.m.

shopify-scripts: Null pointer dereference in ary_concat

Hi, the following file causes a segmentation fault in mruby, which also causes a segmentation fault in mruby-engine. I've minimized this file down to the bare bones of what crashes it, then renamed variables and tidied so you can see what is needed and what isn't. a=0 b=nil a.each do |a| a = case a...

Hacker One, added 2016/11/19 6:44 a.m.

shopify-scripts: Segmentation fault when a Ruby method is invoked by a C method via Object#send

We can arrange for C to call Object#send by aliasing it over initialize. This will cause Class#new (a C function) to call initialize, which is actually Object#send, with arbitrary arguments. If we invoke a Ruby method through Object#send, mruby segfaults: def foo end class X alias_method :initialize, :sen...

Hacker One, added 2016/11/19 2:41 a.m.

shopify-scripts: Null target_class DoS

The Object#instance_exec method in mrbgems/mruby-object-ext/src/object.c executes a block in the context of an object. It sets the VM's target_class pointer to the singleton class of this object. target_class is used as the definition target for constants and methods. If a singleton class cannot be...

Hacker One, added 2016/11/18 7:23 p.m.

shopify-scripts: Segfault and/or potential unwanted (byte)code execution with "break" and "||=" inside a loop

Introduction ============ Certain invalid inputs (invalid Ruby programs) crash mruby and mruby_engine (including the parent MRI VM). The programs always involve the ||= operator, loops and the break keyword. Proof of Concept ================ crash.rb -------- A ||= break while break 1. Save the above...

Hacker One, added 2016/11/18 5:04 a.m.

shopify-scripts: SIGSEGV on mruby's mark_tbl() (Invalid memory access)

There is an invalid memory access on mruby when calling mark_tbl, which causes a SIGSEGV and leads to denial of service. Sample The following code triggers the bug (attached as mark_tbl.min2.rb): ruby t0me=% Array.new9t0me.empty?s=Array.new9%0 s=Array.dup.new23 Array0 Array0..6 Crash Here we can se...

Hacker One, added 2016/11/18 3:48 a.m.

shopify-scripts: SIGSEGV on mruby mrb_str_modify() (Invalid memory access)

There is an invalid memory read on mruby when calling mrb_str_modify with an invalid RString, which causes a SIGSEGV and leads to denial of service. Sample The following code triggers the bug (attached as mrb_str_modify.min.rb): ruby def n if $0 end ""if 00end qqq=Proc.new|x|x.join qqq."",'...

Hacker One, added 2016/11/15 1:01 p.m.

shopify-scripts: Null pointer dereference due to TOCTTOU bug in mrb_time_initialize

mrb_time_initialize sets the data pointer to NULL before parsing function arguments. Parsing function arguments can call out to Ruby code to call methods to do type coercion. If the type coercion method tries to access the time object it will dereference a NULL pointer. The following snippet result...

Hacker One, added 2016/11/13 12:41 p.m.

shopify-scripts: Range constructor type confusion DoS

It's possible to crash mruby by redefining the Range class and then using the range literal syntax: Range = Array 1..2.inspect The mrb_range_new function allocates and initializes a range object backed by the RRange struct; however, it uses runtime constant lookup to find the Range class object...

Hacker One, added 2016/11/13 9:43 a.m.

shopify-scripts: TOCTTOU bug in mrb_str_setbyte leading to memory corruption

The String#setbyte function caches the length of the string before loading the function arguments. Loading function arguments through mrb_get_args can call into Ruby code to run type conversion methods (to_i, to_s and the like). A malicious conversion method is able to force the string to be reallocated...

Hacker One, added 2016/11/13 7:21 a.m.

shopify-scripts: Struct type confusion RCE

Heya! I've been poking at mruby a bit more and I've found a vulnerability that allows an attacker to take control of the instruction pointer. I've attached a proof of concept script that when run in mruby will jump to 0x0000133713371337 and segfault. While the proof of concept script just jumps t...

Hacker One, added 2016/11/13 5:35 a.m.

shopify-scripts: SIGSEGV when invalid argument on remove_method

There is an invalid memory read on mruby when calling remove_method with invalid arguments, which causes a SIGSEGV and leads to denial of service. Sample The following code tries to remove a method using nil as the argument: ruby class Child remove_method nil end There are many other variants,...

Hacker One, added 2016/11/12 8:25 p.m.

shopify-scripts: Segfault in mruby, mruby_engine and the parent MRI Ruby due to null pointer dereference

Introduction ============ Certain valid Ruby programs are able to cause a segmentation fault in mruby through a null pointer dereference, which in turn leads to a crash in mruby_engine and the parent MRI Ruby process. Proof of concept ================ crash.rb: --------- def method yield end method&...

Hacker One, added 2016/11/12 3:27 a.m.

shopify-scripts: Undefined method_missing null pointer dereference

It's possible to segfault mruby by undefining BasicObject#method_missing in certain cases. There is a fallback method_missing C function, mrb_method_missing, which is called in some cases when the VM fails to look up the method_missing method: BasicObject.remove_method(:method_missing); 1.foo NoMethodError:...

Hacker One, added 2016/11/12 1:19 a.m.

shopify-scripts: Range#initialize_copy null pointer dereference

Heya! It's possible to segfault mruby through mruby-engine with the following snippet of code: Range.remove_method(:initialize_copy); (1..2).dup.to_s This can be triggered through mruby-engine like this: MRubyEngine.new5121024, 1000, 1000.sandbox_eval"/tmp", % Range.remove_method(:initialize_copy); (1..2).dup.to...

Hacker One, added 2016/11/10 1:19 p.m.

shopify-scripts: Use after free vulnerability in mruby Array#to_h causing DoS, possible RCE

This bug was found with jmlb337. Vulnerability The function to_h will call the C function mrb_ary_to_h. This will iterate through the elements of the array. If an element is not of type Array it will attempt to call the to_ary method of that object. If to_ary does not return an array, the function wil...
