Source: mruby
Version: 1.0.0+20141015+gitb4cc962c-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/mruby/mruby/issues/3995
Hi,

The following vulnerability was published for mruby.

CVE-2018-10191[0]:
| In versions of mruby up to and including 1.4.0, an integer overflow
| exists in src/vm.c::mrb_vm_exec() when handling OP_GETUPVAR in the
| presence of deep scope nesting, resulting in a use-after-free. An
| attacker that can cause Ruby code to be run can use this to possibly
| execute arbitrary code.

Demonstrable/verifiable with an ASAN build of mruby:

dummy@sid:~$ ./mruby-1.4.0/bin/mruby ./use_after_free.rb
=================================================================
==3180==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000014100 at pc 0x0000004a77c3 bp 0x7ffef79d70d0 sp 0x7ffef79d70c8
READ of size 16 at 0x625000014100 thread T0
    #0 0x4a77c2 in mrb_vm_exec src/vm.c:1196
    #1 0x4ac408 in mrb_vm_run src/vm.c:935
    #2 0x52df53 in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:5840
    #3 0x404036 in main mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:227
    #4 0x7ffb5b242a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #5 0x405b89 in _start (/home/dummy/mruby-1.4.0/bin/mruby+0x405b89)

Address 0x625000014100 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow src/vm.c:1196 in mrb_vm_exec
Shadow bytes around the buggy address:
  0x0c4a7fffa7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fffa820:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3180==ABORTING
dummy@sid:~$

dummy@sid:~$ ./mruby-1.4.0/bin/mruby ./null_ptr_deref.rb
/root/mruby-1.4.0/src/class.c:94:11: runtime error: member access within null pointer of type 'struct RClass'
ASAN:DEADLYSIGNAL
=================================================================
==3189==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004b03b3 bp 0x7ffe636d25b0 sp 0x7ffe636d2560 T0)
==3189==The signal is caused by a READ memory access.
==3189==Hint: address points to the zero page.
    #0 0x4b03b2 in prepare_singleton_class src/class.c:94
    #1 0x4c18da in mrb_singleton_class src/class.c:1320
    #2 0x4858fa in mrb_vm_exec src/vm.c:2895
    #3 0x4ac408 in mrb_vm_run src/vm.c:935
    #4 0x52df53 in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:5840
    #5 0x404036 in main mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:227
    #6 0x7fe21ffe5a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #7 0x405b89 in _start (/home/dummy/mruby-1.4.0/bin/mruby+0x405b89)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/class.c:94 in prepare_singleton_class
==3189==ABORTING
dummy@sid:~$

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10191
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10191
[1] https://github.com/mruby/mruby/issues/3995

Regards,
Salvatore
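The reports above come from a sanitizer-instrumented interpreter (the "runtime error: member access within null pointer" line is UBSan output, the rest is ASan). The script below is an added example, not part of the bug report or of the mruby project, showing how to produce such a build so the reporter's scripts can be re-run against a fixed package. It assumes an unpacked mruby source tree with its standard rake-based build (the Rakefile honours the MRUBY_CONFIG environment variable); the config file name build_config_asan.rb, the exact compiler flags, and the use of the default gembox are this example's choices.

```shell
#!/bin/sh
# Added example (not from the Debian report or the mruby project): write an mruby
# build config that enables ASan+UBSan, build the tree with it, and run a script
# under the instrumented interpreter. Assumes a standard mruby source tree.
set -eu

# Write a sanitizer-enabled mruby build config to the path given as $1.
# The MRuby::Build DSL (toolchain, conf.cc.flags, conf.linker.flags, conf.gembox)
# is mruby's own build_config.rb API; the flag choices are ours.
write_asan_build_config() {
  cat > "$1" <<'EOF'
MRuby::Build.new do |conf|
  toolchain :gcc
  # -O1 keeps stack traces readable; frame pointers make ASan reports precise.
  conf.cc.flags << '-fsanitize=address,undefined' << '-g' << '-O1' << '-fno-omit-frame-pointer'
  conf.linker.flags << '-fsanitize=address,undefined'
  conf.gembox 'default'
end
EOF
}

# Build the mruby tree in $1 with the config written above.
build_with_sanitizers() {
  tree="$1"
  write_asan_build_config "$tree/build_config_asan.rb"
  ( cd "$tree" && MRUBY_CONFIG=build_config_asan.rb rake )
}

# Run script $2 with the instrumented interpreter from tree $1. abort_on_error=1
# makes an ASan report terminate the process with a non-zero status, so the
# function's exit code reflects whether a memory error was detected; leak
# checking is off because it is noise for a crash reproduction.
run_under_asan() {
  ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 "$1/bin/mruby" "$2"
}

# Usage: ./asan-build.sh mruby-1.4.0 ./use_after_free.rb
if [ "${1:-}" != "" ]; then
  build_with_sanitizers "$1"
  run_under_asan "$1" "${2:-./use_after_free.rb}"
fi
```

A clean run (no ASan report, exit status 0) on a rebuilt package, with the same scripts that produced the traces above, is the check to do before closing the bug; a fix that only silences the crash under a non-instrumented build has not been verified.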