A heap buffer overflow exists in the mrb_yield_with_class function in src/vm.c:767, triggered via stack_copy. The bug can be detected on Ubuntu-18.04 64-bit with an ASAN-enabled build of mruby. It has been reproduced with mruby compiled with different compiler toolchains: clang-9, clang-10, gcc-7.5. The POC input and steps to reproduce are provided below.
Steps to reproduce
git clone https://github.com/mruby/mruby
cd mruby
CC=clang LDFLAGS="-fsanitize=address" CFLAGS="-fsanitize=address -g" make -j`nproc`
./bin/mruby poc.rb
ASAN Report
=================================================================
==9655==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000004d20 at pc 0x000000493c50 bp 0x7ffca1f00c60 sp 0x7ffca1f00428
WRITE of size 16 at 0x621000004d20 thread T0
#0 0x493c4f in __asan_memcpy (/tmp/mruby/bin/mruby+0x493c4f)
#1 0x59be83 in stack_copy /tmp/mruby/src/vm.c:123:14
#2 0x5a6acf in mrb_yield_with_class /tmp/mruby/src/vm.c:767:5
#3 0x7e0c8f in mcall /tmp/mruby/mrbgems/mruby-method/src/method.c:131:11
#4 0x7dacb2 in method_call /tmp/mruby/mrbgems/mruby-method/src/method.c:148:10
#5 0x5b9819 in mrb_vm_exec /tmp/mruby/src/vm.c:1437:18
#6 0x5a9054 in mrb_vm_run /tmp/mruby/src/vm.c:935:12
#7 0x60090f in mrb_top_run /tmp/mruby/src/vm.c:2836:12
#8 0x6418ed in mrb_load_exec /tmp/mruby/mrbgems/mruby-compiler/core/parse.y:6512:7
#9 0x6425fd in mrb_load_file_cxt /tmp/mruby/mrbgems/mruby-compiler/core/parse.y:6521:10
#10 0x4c58cf in main /tmp/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:331:11
#11 0x7f7459aaeb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x41c009 in _start (/tmp/mruby/bin/mruby+0x41c009)
0x621000004d20 is located 0 bytes to the right of 4128-byte region [0x621000003d00,0x621000004d20)
allocated by thread T0 here:
#0 0x494a69 in realloc (/tmp/mruby/bin/mruby+0x494a69)
#1 0x612045 in mrb_default_allocf /tmp/mruby/src/state.c:68:12
#2 0x5249ab in mrb_realloc_simple /tmp/mruby/src/gc.c:211:8
#3 0x524fc4 in mrb_realloc /tmp/mruby/src/gc.c:225:8
#4 0x59b3d9 in stack_extend_alloc /tmp/mruby/src/vm.c:205:27
#5 0x59af08 in mrb_stack_extend /tmp/mruby/src/vm.c:226:5
#6 0x5a8f1d in mrb_vm_run /tmp/mruby/src/vm.c:932:3
#7 0x60090f in mrb_top_run /tmp/mruby/src/vm.c:2836:12
#8 0x6418ed in mrb_load_exec /tmp/mruby/mrbgems/mruby-compiler/core/parse.y:6512:7
#9 0x6425fd in mrb_load_file_cxt /tmp/mruby/mrbgems/mruby-compiler/core/parse.y:6521:10
#10 0x4c58cf in main /tmp/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:331:11
#11 0x7f7459aaeb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow (/tmp/mruby/bin/mruby+0x493c4f) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c427fff8950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff89a0: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff89b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff89c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff89e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==9655==ABORTING
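The report above is the kind of output a fuzzing campaign produces by the hundreds, so the useful first step is mechanical triage: pull out the error kind, the faulting access, the first frame in the program's own code, and how far the access lands past the allocated region. The following parser is an added example, not code from the mruby project or the issue authors; SAMPLE_REPORT is constructed from the report above, and the regular expressions assume the standard ASAN text format shown there.

```python
# Added triage helper, not from the mruby issue: parses the key lines of an
# AddressSanitizer report. SAMPLE_REPORT is constructed from the report above.
import re

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
RUNTIME_PREFIXES = ("__asan_", "__interceptor_", "__sanitizer_")  # sanitizer frames, not program code

SAMPLE_REPORT = """\
==9655==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000004d20 at pc 0x000000493c50
WRITE of size 16 at 0x621000004d20 thread T0
    #0 0x493c4f in __asan_memcpy (/tmp/mruby/bin/mruby+0x493c4f)
    #1 0x59be83 in stack_copy /tmp/mruby/src/vm.c:123:14
    #2 0x5a6acf in mrb_yield_with_class /tmp/mruby/src/vm.c:767:5
0x621000004d20 is located 0 bytes to the right of 4128-byte region [0x621000003d00,0x621000004d20)
allocated by thread T0 here:
    #0 0x494a69 in realloc (/tmp/mruby/bin/mruby+0x494a69)
"""

def parse_asan_report(text):
    """Summarise one ASAN report; returns None when no ERROR line is present."""
    if not (m := ERROR_RE.search(text)):
        return None
    info = {"kind": m.group(1), "addr": int(m.group(2), 16), "frames": [], "region": None}
    in_access_trace = False
    for line in text.splitlines():
        line = line.strip()
        if a := ACCESS_RE.match(line):
            info["op"], info["size"] = a.group(1), int(a.group(2))
            in_access_trace = True
        elif (f := FRAME_RE.match(line)) and in_access_trace:
            info["frames"].append((f.group(2), f.group(3)))
        elif r := REGION_RE.search(line):
            in_access_trace = False  # frames after this describe the allocation, not the fault
            info["region"] = {"size": int(r.group(3)), "lo": int(r.group(4), 16), "hi": int(r.group(5), 16)}
    return info

def crash_site(info):
    """First frame in the program's own code, skipping the sanitizer runtime."""
    return next((fr for fr in info["frames"] if not fr[0].startswith(RUNTIME_PREFIXES)), None)

def overrun_bytes(info):
    """Bytes by which the access reaches past the region's end (0 if it stays inside)."""
    return None if info["region"] is None else max(0, info["addr"] + info["size"] - info["region"]["hi"])

def bucket(info):
    """Dedup key for grouping crashes: kind/op/function@file:line."""
    func, loc = crash_site(info)
    return f"{info['kind']}/{info['op']}/{func}@{loc.rsplit(':', 1)[0]}"
```

For the report above this yields a 16-byte write starting exactly at the end of the 4128-byte stack region, bucketed under stack_copy at vm.c:123.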
Authors
Prashast Srivastava (Purdue University), Mathias Payer (EPFL)