mruby / mruby

Lightweight Ruby

Null pointer dereference involving Struct.new()

gwangmu opened this issue

Description

Another null-dereference was found in mrb_struct_to_h. In this case, all PoCs involved Struct.new(). We've attached all PoCs that we found that are suspected to have the same root cause.

Proof of Concept

$ mruby <poc_file>

poc.zip

Stack Trace

Below is the stack trace of the first PoC. The rest of the PoCs exhibited more or less the same stack trace.

AddressSanitizer:DEADLYSIGNAL
=================================================================
==70288==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55accf5b39c6 bp 0x7ffddceb8190 sp 0x7ffddceb7c80 T0)
==70288==The signal is caused by a READ memory access.
==70288==Hint: address points to the zero page.
    #0 0x55accf5b39c6 in mrb_struct_to_h struct.c
    #1 0x55accf3d9e3b in mrb_vm_exec (/workspaces/mruby/build/host/bin/mruby+0x2e8e3b) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
    #2 0x55accf3c621f in mrb_vm_run (/workspaces/mruby/build/host/bin/mruby+0x2d521f) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
    #3 0x55accf3c047e in mrb_top_run (/workspaces/mruby/build/host/bin/mruby+0x2cf47e) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
    #4 0x55accf46fd1e in mrb_load_exec (/workspaces/mruby/build/host/bin/mruby+0x37ed1e) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
    #5 0x55accf470db7 in mrb_load_detect_file_cxt (/workspaces/mruby/build/host/bin/mruby+0x37fdb7) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
    #6 0x55accf2c6e06 in main (/workspaces/mruby/build/host/bin/mruby+0x1d5e06) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
    #7 0x7f0b89ba4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #8 0x7f0b89ba4e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #9 0x55accf2058d4 in _start (/workspaces/mruby/build/host/bin/mruby+0x1148d4) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV struct.c in mrb_struct_to_h
==70288==ABORTING

Environment

Ubuntu 20.04
Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
Memory: 64 GB

Affected Version

v3.2.0 (commit 15bb6a9, latest as of 2023-09-25)
v3.2.0 (commit 5956496)