Description
Another null dereference was found in mrb_string_value_cstr in the latest commit (as of Sep 25, 2023). All of the PoCs share the same sequence, shown below.
x = String.clone();
y = x.allocate();
<operation on y>
We've attached six PoCs below.
Proof of Concept
poc.zip
Stack Trace
Below is the stack trace of the first PoC. The remaining PoCs exhibited more or less the same stack trace.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==91352==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55d3870e049d bp 0x7ffead526790 sp 0x7ffead5265a0 T0)
==91352==The signal is caused by a READ memory access.
==91352==Hint: address points to the zero page.
#0 0x55d3870e049d in mrb_string_value_cstr (/workspaces/mruby/build/host/bin/mruby+0x28649d) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
#1 0x55d3870e07f9 in mrb_string_cstr (/workspaces/mruby/build/host/bin/mruby+0x2867f9) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
#2 0x55d38705aa1e in get_args_v class.c
#3 0x55d387057abb in mrb_get_args (/workspaces/mruby/build/host/bin/mruby+0x1fdabb) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
#4 0x55d38736444e in mrb_dir_init dir.c
#5 0x55d387142e3b in mrb_vm_exec (/workspaces/mruby/build/host/bin/mruby+0x2e8e3b) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
#6 0x55d38712f21f in mrb_vm_run (/workspaces/mruby/build/host/bin/mruby+0x2d521f) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
#7 0x55d38712947e in mrb_top_run (/workspaces/mruby/build/host/bin/mruby+0x2cf47e) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
#8 0x55d3871d8d1e in mrb_load_exec (/workspaces/mruby/build/host/bin/mruby+0x37ed1e) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
#9 0x55d3871d9db7 in mrb_load_detect_file_cxt (/workspaces/mruby/build/host/bin/mruby+0x37fdb7) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
#10 0x55d38702fe06 in main (/workspaces/mruby/build/host/bin/mruby+0x1d5e06) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
#11 0x7f3acd5d7d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#12 0x7f3acd5d7e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#13 0x55d386f6e8d4 in _start (/workspaces/mruby/build/host/bin/mruby+0x1148d4) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/workspaces/mruby/build/host/bin/mruby+0x28649d) (BuildId: 0a113734787eca1796aff6ada4c1c52fabbcebe2) in mrb_string_value_cstr
==91352==ABORTING
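The trace above shows the crash reached through the argument parsing of Dir.new (mrb_dir_init -> mrb_get_args -> mrb_string_cstr -> mrb_string_value_cstr), where a String object created with allocate() and never initialized has no backing buffer. The following is an added, constructed illustration of the defensive shape a C-level string accessor needs for that case; it is not mruby's code, and the struct, status codes and function names (mock_str, safe_value_cstr, dir_init_arg) are assumptions that only model the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a string object. An instance produced by allocate()
 * without initialize has no buffer yet, so ptr stays NULL; the report's trace
 * shows exactly such a NULL read inside mrb_string_value_cstr. Not mruby's struct. */
typedef struct {
    const char *ptr;   /* NULL until the object is initialized */
    size_t len;
} mock_str;

typedef enum { CSTR_OK = 0, CSTR_UNINITIALIZED, CSTR_EMBEDDED_NUL } cstr_status;

/* Hypothetical hardened accessor: the uninitialized case is rejected instead of
 * dereferenced, and the embedded-NUL check reflects the contract of a "cstr"
 * conversion (the value must be usable as a NUL-terminated C string). */
cstr_status safe_value_cstr(const mock_str *s, const char **out) {
    *out = NULL;
    if (s == NULL || s->ptr == NULL) {
        return CSTR_UNINITIALIZED;      /* the read that crashed in the report */
    }
    if (memchr(s->ptr, '\0', s->len) != NULL) {
        return CSTR_EMBEDDED_NUL;       /* cannot be handed to a path API */
    }
    *out = s->ptr;
    return CSTR_OK;
}

/* Stand-in for the argument handling seen in the trace: copy the path only
 * when the accessor succeeded; an interpreter would raise TypeError instead. */
int dir_init_arg(const mock_str *arg, char *dst, size_t dstlen) {
    const char *path;
    if (safe_value_cstr(arg, &path) != CSTR_OK) {
        return -1;
    }
    snprintf(dst, dstlen, "%s", path);
    return 0;
}

int main(void) {
    mock_str uninit = { NULL, 0 };      /* models String.clone.allocate */
    mock_str ok = { "tmp", 3 };         /* models a properly initialized string */
    const char *p;
    char buf[64];
    printf("uninitialized -> status %d\n", safe_value_cstr(&uninit, &p));
    printf("initialized   -> rc %d (%s)\n", dir_init_arg(&ok, buf, sizeof buf), buf);
    return 0;
}
```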
Environment
Ubuntu 20.04
Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
Memory: 64 GB
Affected Version
v3.2.0 (commit 15bb6a9, latest as of 2023-09-25)
v3.2.0 (commit 5956496)