You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A segfault in in ht_index_get function in src/hash.c:425 due to a high-value address dereference is triggered from a call to it by ht_get function in src/hash.c:445. The bug can be detected on Ubuntu-18.04 64-bit with ASAN-enabled mruby. It has been reproduced with mruby compiled with different compiler toolchains: clang-9, clang-10, gcc-7.5. This vulnerability causes the mruby interpreter to crash. The POC input and steps to reproduce are provided below.
git clone https://github.com/mruby/mruby
cd mruby
CC=clang LDFLAGS="-fsanitize=address" CFLAGS="-fsanitize=address -g" make -j`nproc`
./bin/mruby poc.rb
ASAN Report
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4075==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000704498 bp 0x7ffccca696b0 sp 0x7ffccca69480 T0)
==4075==The signal is caused by a READ memory access.
==4075==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used.
#0 0x704498 in ht_index_get /tmp/mruby/src/hash.c:425:10
#1 0x6f59d6 in ht_get /tmp/mruby/src/hash.c:445:12
#2 0x6f7855 in mrb_hash_fetch /tmp/mruby/src/hash.c:740:7
#3 0x7a564d in hash_slice /tmp/mruby/mrbgems/mruby-hash-ext/src/hash-ext.c:62:11
#4 0x5b9c59 in mrb_vm_exec /tmp/mruby/src/vm.c:1446:18
#5 0x5a9494 in mrb_vm_run /tmp/mruby/src/vm.c:944:12
#6 0x600d4f in mrb_top_run /tmp/mruby/src/vm.c:2845:12
#7 0x641d2d in mrb_load_exec /tmp/mruby/mrbgems/mruby-compiler/core/parse.y:6512:7
#8 0x642a3d in mrb_load_file_cxt /tmp/mruby/mrbgems/mruby-compiler/core/parse.y:6521:10
#9 0x4c58cf in main /tmp/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:331:11
#10 0x7fe65764cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#11 0x41c009 in _start (/tmp/mruby/bin/mruby+0x41c009)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/mruby/src/hash.c:425:10 in ht_index_get
==4075==ABORTING
A segfault in in
ht_index_getfunction insrc/hash.c:425due to a high-value address dereference is triggered from a call to it byht_getfunction insrc/hash.c:445. The bug can be detected on Ubuntu-18.04 64-bit with ASAN-enabled mruby. It has been reproduced with mruby compiled with different compiler toolchains:clang-9, clang-10, gcc-7.5. This vulnerability causes the mruby interpreter to crash. The POC input and steps to reproduce are provided below.POC Input
Steps to reproduce
ASAN Report
Authors
Prashast Srivastava (Purdue University) , Mathias Payer (EPFL)
The text was updated successfully, but these errors were encountered: