Untrusted Pointer Dereference in mrb_vm_exec() #5613
Comments
The cause of this problem has to do with the If reentrants are allowed, at least two modifications are needed:
If reentrancy is not allowed, we need to replace
ref. mruby#5613 I checked with Valgrind, and the methods that can cause use-after-free are `Array#rotate`, `Array#rotate!`, and `String#byteslice`. Since `String#rindex` uses `RSTRING_LEN()` indirectly inside the function, no reference to the out-of-bounds range is generated.
ref. mruby#5613. I mentioned in mruby#5540 that there was no reentrant to the virtual machine, but in fact it was still a possibility at that point. Also, the variable `ci` needs to be recalculated at the same time.
[iwamatsu] Backport to 3.0.0 without mrbgems/mruby-array-ext/src/array.c Reference: CVE-2021-46020 Reference: mruby#5613 Reference: mruby@a137ef1 Signed-off-by: Nobuhiro Iwamatsu <iwamatsu@debian.org>
ref. mruby#5613. I mentioned in mruby#5540 that there was no reentrant to the virtual machine, but in fact it was still a possibility at that point. Also, the variable `ci` needs to be recalculated at the same time. [iwamatsu] backport to 3.0.0. This commit had been reverted by mruby@dfa21f2 in upstream. However, this is because MR mruby#5622 merged the function. The patch is valid. Reference: CVE-2021-46020 Reference: mruby#5613 Reference: mruby@d3b7601 Reference: mruby#5620 Signed-off-by: Nobuhiro Iwamatsu <iwamatsu@debian.org>
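The commit messages above say that a pointer such as `ci` has to be recalculated once a method can re-enter the virtual machine. The following is an added example of that general pattern, not mruby's code: the toy `vm`, `frame`, `push_frame`, `reenter` and `call_and_store` are hypothetical names, and the frame array is assumed to move whenever it grows.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy VM (not mruby's structures): a growable array of call frames. */
typedef struct { int result; } frame;
typedef struct { frame *base; size_t len, cap; } vm;

/* Push a frame. Growth allocates a new array and frees the old one,
   so every pointer into the old array becomes dangling. */
static frame *push_frame(vm *v) {
  if (v->len == v->cap) {
    size_t ncap = v->cap ? v->cap * 2 : 2;
    frame *nb = malloc(ncap * sizeof *nb);
    if (!nb) return NULL;
    if (v->len) memcpy(nb, v->base, v->len * sizeof *nb);
    free(v->base);
    v->base = nb;
    v->cap = ncap;
  }
  frame *f = &v->base[v->len++];
  f->result = 0;
  return f;
}

/* Stands in for a C-implemented method that calls back into the VM:
   it pushes `depth` nested frames and pops them again before returning. */
static int reenter(vm *v, size_t depth) {
  size_t start = v->len;
  int rc = 0;
  for (size_t i = 0; i < depth && rc == 0; i++)
    if (!push_frame(v)) rc = -1;
  v->len = start;
  return rc;
}

/* Call a possibly reentrant method from the top frame, then store `value`
   in that frame. The frame is remembered by index and the pointer is
   recalculated after the call. *moved reports whether the array moved. */
static int call_and_store(vm *v, size_t depth, int value, int *moved) {
  if (v->len == 0) return -1;
  size_t idx = v->len - 1;               /* an index survives reallocation */
  uintptr_t before = (uintptr_t)v->base; /* integer copy, used only to compare */
  if (reenter(v, depth) != 0) return -1;
  *moved = ((uintptr_t)v->base != before);
  frame *ci = &v->base[idx];             /* recalculated, not cached across the call */
  ci->result = value;
  return 0;
}
```

Had `ci` been taken before `reenter()` and reused afterwards, the write in the `moved` case would land in freed memory, which is the kind of access Valgrind flags as a use-after-free.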
Untrusted Pointer Dereference in mrb_vm_exec()
Description
An Untrusted Pointer Dereference was discovered in mrb_vm_exec(). The vulnerability causes a segmentation fault and application crash.
version
6de0fcb
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
Proof of Concept
poc
command:
Result
gdb