Untrusted Pointer Dereference in mrb_vm_exec() #5613
Comments
The cause of this problem has to do with the If reentrants are allowed, at least two modifications are needed:
If reentrancy is not allowed, we need to replace
ref. mruby#5613 I checked with Valgrind, and the methods that can cause use-after-free are `Array#rotate`, `Array#rotate!`, and `String#byteslice`. Since `String#rindex` uses `RSTRING_LEN()` indirectly inside the function, no reference to the out-of-bounds range is generated.
ref. mruby#5613. I mentioned in mruby#5540 that there was no reentrant to the virtual machine, but in fact it was still a possibility at that point. Also, the variable `ci` needs to be recalculated at the same time.
Untrusted Pointer Dereference in mrb_vm_exec()
Description
An Untrusted Pointer Dereference was discovered in mrb_vm_exec(). The vulnerability causes a segmentation fault and application crash.
version
6de0fcb
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
Proof of Concept
poc
command:
Result
gdb