
Null pointer dereference while handling the Proc class (another reproducible PoC) #6065

Closed
@gwangmu

Description


We found a null-dereference (again) while handling the Proc class in the latest commit (as of Sep 25, 2023). The triggering condition is very similar to issue #6052, but the crash location was changed to eval_under. In this case, we only found one PoC.

Proof of Concept

$ mruby <poc_file>

poc.zip

Stack Trace

AddressSanitizer:DEADLYSIGNAL
=================================================================
==68918==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x55df25a871b4 bp 0x7ffe683396d0 sp 0x7ffe68339340 T0)
==68918==The signal is caused by a READ memory access.
==68918==Hint: address points to the zero page.
    #0 0x55df25a871b4 in eval_under vm.c
    #1 0x55df25a8774b in mrb_obj_instance_eval (/workspaces/mruby/build/host/bin/mruby+0x2d274b) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
    #2 0x55df25ce8500 in f_instance_eval eval.c
    #3 0x55df25a9de3b in mrb_vm_exec (/workspaces/mruby/build/host/bin/mruby+0x2e8e3b) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
    #4 0x55df25a8a21f in mrb_vm_run (/workspaces/mruby/build/host/bin/mruby+0x2d521f) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
    #5 0x55df25a8447e in mrb_top_run (/workspaces/mruby/build/host/bin/mruby+0x2cf47e) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
    #6 0x55df25b33d1e in mrb_load_exec (/workspaces/mruby/build/host/bin/mruby+0x37ed1e) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
    #7 0x55df25b34db7 in mrb_load_detect_file_cxt (/workspaces/mruby/build/host/bin/mruby+0x37fdb7) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
    #8 0x55df2598ae06 in main (/workspaces/mruby/build/host/bin/mruby+0x1d5e06) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
    #9 0x7f951a420d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7f951a420e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #11 0x55df258c98d4 in _start (/workspaces/mruby/build/host/bin/mruby+0x1148d4) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV vm.c in eval_under
==68918==ABORTING

Environment

Ubuntu 20.04
Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
Memory: 64 GB

Affected Version

v3.2.0 (commit 15bb6a9, latest as of 2023-09-25)
v3.2.0 (commit 5956496)

Many thanks for maintaining mruby. :)
