Signed integer overflow in mrb_str_format #4062
The extra check added in 695f29c prevents the crash, but undefined behaviour is still invoked. This can be seen using UndefinedBehaviorSanitizer in clang:
matz added a commit that referenced this issue (Aug 25, 2018).
ksekimoto added a commit to ksekimoto/mruby that referenced this issue (Jul 16, 2021).
The check macro (in `/mrbgems/mruby-sprintf/src/sprintf.c`) contains a signed integer overflow in `bsize`: `bsiz *= 2` can become negative. However, with `-O2` the `mrb_raise` is never triggered, since `bsiz` is a signed integer. Signed integer overflows are undefined behaviour and thus `gcc` removes the check. This results in negative integers being passed to `mrb_str_resize`, which will set the string length without further checks. This can potentially result in an oversized string that allows access to arbitrary memory.

In our experiments, building with `gcc` in version `5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)` produces the vulnerable binary, while `clang` generated a safe executable.

Reproduce:

Backtrace in `gdb`:

Credits:
This issue was reported by Sergej Schumilo, Daniel Teuchert and Cornelius Aschermann (https://hackerone.com/schumilo).
Impact

This results in negative integers being passed to `mrb_str_resize`, which will set the string length without further checks. This can potentially result in an oversized string that allows access to arbitrary memory.
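The defect described in this report is a post-overflow check: the buffer size is doubled first and only then tested for a negative value, which is undefined behaviour for a signed `int` and so may be deleted by the optimizer. The following is an added example (not mruby's code, and not the reporters') of the same growth step written so that the bound is tested before the multiplication, which is defined for every input; the function names and the `need`-driven loop are my own construction.

```c
#include <assert.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Double a signed buffer size, refusing instead of overflowing.
 * The comparison against INT_MAX / 2 happens BEFORE the multiply, so the
 * compiler cannot reason that the "overflow" branch is unreachable; the
 * original pattern (bsiz *= 2; if (bsiz < 0) raise) gives it that licence. */
static bool grow_size_checked(int bsiz, int *out)
{
    if (bsiz < 0 || bsiz > INT_MAX / 2) {
        return false;            /* caller raises, as mrb_raise would */
    }
    *out = bsiz * 2;             /* provably in range here */
    return true;
}

/* Keep doubling until the size covers `need` bytes, or fail on overflow.
 * Mirrors the grow-then-resize loop of a formatter, minus the string itself. */
static bool grow_until(int bsiz, int need, int *out)
{
    while (bsiz < need) {
        if (!grow_size_checked(bsiz, &bsiz)) {
            return false;
        }
    }
    *out = bsiz;
    return true;
}

/* Defence in depth at the resize boundary: a length that is negative must
 * never reach the routine that blindly stores it, whatever the caller did. */
static bool resize_length_ok(int new_len)
{
    return new_len >= 0;
}

int main(void)
{
    int out = 0;
    printf("grow 120 -> need 1000: %s, size %d\n",
           grow_until(120, 1000, &out) ? "ok" : "refused", out);
    printf("grow INT_MAX/2+1: %s\n",
           grow_size_checked(INT_MAX / 2 + 1, &out) ? "ok" : "refused");
    printf("resize to -8: %s\n", resize_length_ok(-8) ? "ok" : "rejected");
    return 0;
}
```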