Null pointer dereference in mrb_addrinfo_unix_path #6051

@gwangmu

Description

We found a null pointer dereference when mruby handles the Addrinfo class (in mrb_addrinfo_unix_path). The trigger cases only required allocating Addrinfo and using the object in one way or another. The crash was originally discovered in commit 5956496 but was still reproducible in the latest commit (as of 2023-09-16, f041d3a).
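Added illustration, not part of the report and not mruby's source: a stand-alone C model of the defect class the report describes, an accessor that reads a sockaddr payload stored in an instance variable that a bare allocation leaves unset. That the unset instance variable is the root cause is an assumption drawn from the function name and the zero-page fault address in the trace, not something the report states; the struct names, status codes and helper below are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Stand-in for a string object that carries raw sockaddr bytes.
 * Constructed for this example; it is not mruby's RString. */
struct sa_string {
  size_t len;        /* number of valid bytes in ptr */
  const char *ptr;   /* raw struct sockaddr bytes */
};

/* Stand-in for one Addrinfo instance. sockaddr == NULL models an
 * instance variable that was never set (object allocated, not initialized). */
struct addrinfo_obj {
  struct sa_string *sockaddr;
};

enum unix_path_status { UP_OK = 0, UP_NOT_UNIX = 1, UP_UNINITIALIZED = 2 };

/* Accessor for the AF_UNIX path. The first `if` is the guard the crash
 * calls for: without it, an unset sockaddr is dereferenced through NULL
 * and the process faults at a small address (the "zero page" hint in
 * the sanitizer output). */
enum unix_path_status
addrinfo_unix_path(const struct addrinfo_obj *self, char *out, size_t outlen)
{
  const struct sa_string *sa = self->sockaddr;
  if (sa == NULL || sa->ptr == NULL ||
      sa->len < offsetof(struct sockaddr_un, sun_path)) {
    return UP_UNINITIALIZED;   /* report an error; never touch sa->ptr */
  }
  const struct sockaddr *base = (const struct sockaddr *)sa->ptr;
  if (base->sa_family != AF_UNIX) {
    return UP_NOT_UNIX;
  }
  const struct sockaddr_un *sun = (const struct sockaddr_un *)sa->ptr;
  /* Only the bytes actually present in the payload may be read. */
  size_t avail = sa->len - offsetof(struct sockaddr_un, sun_path);
  if (avail > sizeof sun->sun_path) avail = sizeof sun->sun_path;
  size_t n = 0;
  while (n < avail && sun->sun_path[n] != '\0') n++;
  if (n >= outlen) n = outlen - 1;
  memcpy(out, sun->sun_path, n);
  out[n] = '\0';
  return UP_OK;
}

/* Build a sockaddr_un payload for `path` (constructed test input);
 * returns the payload length the way getaddrinfo-style code would. */
size_t make_unix_sockaddr(const char *path, struct sockaddr_un *sun)
{
  memset(sun, 0, sizeof *sun);
  sun->sun_family = AF_UNIX;
  size_t n = strlen(path);
  if (n >= sizeof sun->sun_path) n = sizeof sun->sun_path - 1;
  memcpy(sun->sun_path, path, n);
  return offsetof(struct sockaddr_un, sun_path) + n + 1;
}

int main(void)
{
  char buf[128];
  enum unix_path_status st;

  /* Case 1: allocated but never initialized -> guarded error, no crash. */
  struct addrinfo_obj bare = { NULL };
  st = addrinfo_unix_path(&bare, buf, sizeof buf);
  printf("uninitialized: status %d\n", st);

  /* Case 2: properly initialized AF_UNIX address. */
  struct sockaddr_un sun;
  size_t len = make_unix_sockaddr("/tmp/demo.sock", &sun);
  struct sa_string payload = { len, (const char *)&sun };
  struct addrinfo_obj ai = { &payload };
  st = addrinfo_unix_path(&ai, buf, sizeof buf);
  printf("unix: status %d path %s\n", st, buf);
  return 0;
}
```

The guard returns an error for an object whose sockaddr was never populated instead of reading through a NULL pointer; in a real binding that return would be a raised exception, which is the behaviour a caller such as `inspect` or an error formatter can handle, whereas a SEGV cannot be rescued. The fault address 0x000000000010 in the trace is consistent with a field read at a small offset from a NULL object pointer, which is exactly the access the guard prevents.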

poc.zip

Proof of Concept

$ mruby <poc_file>

Stack Trace

We've attached the stack trace from the first poc for reference.

AddressSanitizer:DEADLYSIGNAL
=================================================================
==57358==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5589e9cfa372 bp 0x7ffc1ed24bd0 sp x7ffc1ed247c0 T0)
==57358==The signal is caused by a READ memory access.
==57358==Hint: address points to the zero page.
    #0 0x5589e9cfa372 in mrb_addrinfo_unix_path socket.c
    #1 0x5589e9af6cb3 in mrb_vm_exec (/workspaces/mruby/build/host/bin/mruby+0x2e8cb3) (BuildId: 0b14b328fcdcdd86f4424105c228365cba6366d)
    #2 0x5589e9ae311f in mrb_vm_run (/workspaces/mruby/build/host/bin/mruby+0x2d511f) (BuildId: 0b14b328fcdcdd86f4424105c228365cba6366d)
    #3 0x5589e9adb47a in mrb_run vm.c
    #4 0x5589e9ad8776 in mrb_funcall_with_block (/workspaces/mruby/build/host/bin/mruby+0x2ca776) (BuildId: 0b14b328fcdcdd86f4424105c228365cba6366d)
    #5 0x5589e9ad66e2 in mrb_funcall_argv (/workspaces/mruby/build/host/bin/mruby+0x2c86e2) (BuildId: 0b14b328fcdcdd86f4424105c228365cba6366d)
    #6 0x5589e9a72ad7 in mrb_inspect (/workspaces/mruby/build/host/bin/mruby+0x264ad7) (BuildId: 0b14b328fcdcdd86f4424105c228365cba6366d)
    #7 0x5589e9a2efde in mrb_vformat (/workspaces/mruby/build/host/bin/mruby+0x220fde) (BuildId: 0b14b328fcdcdd86f4424105c228365cba6366d)
    #8 0x5589e9a30c98 in error_va error.c
    #9 0x5589e9a30b00 in mrb_raisef (/workspaces/mruby/build/host/bin/mruby+0x222b00) (BuildId: 0b14b328fcdcdd86f4424105c228365cba6366d)
    #10 0x5589e9a381b7 in mrb_obj_to_sym (/workspaces/mruby/build/host/bin/mruby+0x22a1b7) (BuildId: 0b14b328fcdcdd86f4424105c228365cba6366d)
    #11 0x5589e9a23cf5 in mrb_mod_undef class.c
    #12 0x5589e9af6cb3 in mrb_vm_exec (/workspaces/mruby/build/host/bin/mruby+0x2e8cb3) (BuildId: 0b14b328fcdcdd86f4424105c228365cba6366d)
    #13 0x5589e9ae311f in mrb_vm_run (/workspaces/mruby/build/host/bin/mruby+0x2d511f) (BuildId: 0b14b328fcdcdd86f4424105c228365cba6366d)
    #14 0x5589e9add3ee in mrb_top_run (/workspaces/mruby/build/host/bin/mruby+0x2cf3ee) (BuildId: 0b14b328fcdcdd86f4424105c228365cba6366d)
    #15 0x5589e9b8cb0e in mrb_load_exec (/workspaces/mruby/build/host/bin/mruby+0x37eb0e) (BuildId: 0b14b328fcdcdd86f4424105c228365cba6366d)
    #16 0x5589e9b8dba7 in mrb_load_detect_file_cxt (/workspaces/mruby/build/host/bin/mruby+0x37fba7) (BuildId: 0b14b328fcdcdd86f4424105c228365cba6366d)
    #17 0x5589e99e3e06 in main (/workspaces/mruby/build/host/bin/mruby+0x1d5e06) (BuildId: 0b14b328fcdcdd86f4424105c228365cba6366d)

Environment

Ubuntu 20.04
Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
Memory: 64 GB

Affected Version

v3.2.0 (commit f041d3a, latest as of 2023-09-16)
v3.2.0 (commit 5956496)
