mruby: CVE-2018-10191: Use after free caused by integer overflow in environment stack

Debian Bug report logs - #896020
mruby: CVE-2018-10191: Use after free caused by integer overflow in environment stack

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 18 Apr 2018 19:21:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version mruby/1.0.0+20141015+gitb4cc962c-1

Fixed in version mruby/1.4.0+20180418+git54905e98-1

Done: Nobuhiro Iwamatsu <iwamatsu@debian.org>

Forwarded to https://github.com/mruby/mruby/issues/3995


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>:
Bug#896020; Package src:mruby. (Wed, 18 Apr 2018 19:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>. (Wed, 18 Apr 2018 19:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mruby: CVE-2018-10191: Use after free caused by integer overflow in environment stack
Date: Wed, 18 Apr 2018 21:19:21 +0200
Source: mruby
Version: 1.0.0+20141015+gitb4cc962c-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/mruby/mruby/issues/3995

Hi,

The following vulnerability was published for mruby.

CVE-2018-10191[0]:
| In versions of mruby up to and including 1.4.0, an integer overflow
| exists in src/vm.c::mrb_vm_exec() when handling OP_GETUPVAR in the
| presence of deep scope nesting, resulting in a use-after-free. An
| attacker that can cause Ruby code to be run can use this to possibly
| execute arbitrary code.

Demonstrable/verifiable with an ASAN build of mruby:

dummy@sid:~$ ./mruby-1.4.0/bin/mruby ./use_after_free.rb 
=================================================================
==3180==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000014100 at pc 0x0000004a77c3 bp 0x7ffef79d70d0 sp 0x7ffef79d70c8
READ of size 16 at 0x625000014100 thread T0
    #0 0x4a77c2 in mrb_vm_exec src/vm.c:1196
    #1 0x4ac408 in mrb_vm_run src/vm.c:935
    #2 0x52df53 in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:5840
    #3 0x404036 in main mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:227
    #4 0x7ffb5b242a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #5 0x405b89 in _start (/home/dummy/mruby-1.4.0/bin/mruby+0x405b89)

Address 0x625000014100 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow src/vm.c:1196 in mrb_vm_exec
Shadow bytes around the buggy address:
==3180==ABORTING
dummy@sid:~$

dummy@sid:~$ ./mruby-1.4.0/bin/mruby ./null_ptr_deref.rb 
/root/mruby-1.4.0/src/class.c:94:11: runtime error: member access within null pointer of type 'struct RClass'
ASAN:DEADLYSIGNAL
=================================================================
==3189==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004b03b3 bp 0x7ffe636d25b0 sp 0x7ffe636d2560 T0)
==3189==The signal is caused by a READ memory access.
==3189==Hint: address points to the zero page.
    #0 0x4b03b2 in prepare_singleton_class src/class.c:94
    #1 0x4c18da in mrb_singleton_class src/class.c:1320
    #2 0x4858fa in mrb_vm_exec src/vm.c:2895
    #3 0x4ac408 in mrb_vm_run src/vm.c:935
    #4 0x52df53 in mrb_load_exec mrbgems/mruby-compiler/core/parse.y:5840
    #5 0x404036 in main mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:227
    #6 0x7fe21ffe5a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #7 0x405b89 in _start (/home/dummy/mruby-1.4.0/bin/mruby+0x405b89)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/class.c:94 in prepare_singleton_class
==3189==ABORTING
dummy@sid:~$

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10191
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10191
[1] https://github.com/mruby/mruby/issues/3995

Regards,
Salvatore
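The CVE text above attributes the use-after-free to an integer overflow while resolving an up-value (OP_GETUPVAR) under deep scope nesting, and the ASan trace shows the resulting out-of-bounds 16-byte read. The C model below is added here as an illustration; it is not mruby's code, does not reproduce the real VM's data structures or the upstream fix, and its `Env` type, function names and slot values are all hypothetical. It contrasts a lookup whose nesting level travels in a narrow field and whose slot index is never bounds-checked with one that fails closed on both.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model of up-value resolution, constructed for this note (not
 * mruby's own code): walk `up` enclosing scopes, then read slot `idx`. */
typedef struct Env {
    const struct Env *parent;  /* enclosing scope, NULL at the outermost */
    size_t len;                /* number of slots in `stack` */
    const int *stack;          /* the scope's locals, ints for brevity */
} Env;

/* Vulnerable shape: the level arrives in a narrow operand field, so deep
 * nesting wraps to a shallower scope, and the slot index is then applied
 * without comparing it to that scope's length, so the read can leave the
 * allocation. */
const int *getupvar_unchecked(const Env *e, uint8_t up, size_t idx)
{
    while (up-- && e) e = e->parent;
    return e ? &e->stack[idx] : NULL;   /* idx is never checked against len */
}

/* What a nesting level of 300 becomes once squeezed into an 8-bit field. */
unsigned wrapped_level(size_t up) { return (uint8_t)up; }

/* Hardened shape: full-width level, fail closed when the chain is shorter
 * than requested, and a bounds check on the slot index. */
bool getupvar_checked(const Env *e, size_t up, size_t idx, int *out)
{
    for (; up > 0; up--) {
        if (e == NULL) return false;    /* chain exhausted: refuse to read */
        e = e->parent;
    }
    if (e == NULL || idx >= e->len) return false;
    *out = e->stack[idx];
    return true;
}

/* The slot value, or `fallback` when the checked lookup refuses. */
int lookup_or(const Env *e, size_t up, size_t idx, int fallback)
{
    int v;
    return getupvar_checked(e, up, idx, &v) ? v : fallback;
}

/* Constructed three-level scope chain: outer{10,20} <- mid{30} <- inner{40}. */
static const int outer_slots[] = {10, 20}, mid_slots[] = {30}, inner_slots[] = {40};
static const Env outer = { NULL, 2, outer_slots };
static const Env mid   = { &outer, 1, mid_slots };
static const Env inner = { &mid, 1, inner_slots };
const Env *sample_chain(void) { return &inner; }
```

With the checked version, a level that exceeds the chain depth or an index past the scope's length returns the fallback instead of touching memory outside the environment.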



Reply sent to Nobuhiro Iwamatsu <iwamatsu@debian.org>:
You have taken responsibility. (Fri, 20 Apr 2018 00:54:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 20 Apr 2018 00:54:05 GMT)


Message #10 received at 896020-close@bugs.debian.org:

From: Nobuhiro Iwamatsu <iwamatsu@debian.org>
To: 896020-close@bugs.debian.org
Subject: Bug#896020: fixed in mruby 1.4.0+20180418+git54905e98-1
Date: Fri, 20 Apr 2018 00:51:53 +0000
Source: mruby
Source-Version: 1.4.0+20180418+git54905e98-1

We believe that the bug you reported is fixed in the latest version of
mruby, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 896020@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <iwamatsu@debian.org> (supplier of updated mruby package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 20 Apr 2018 08:29:33 +0900
Source: mruby
Binary: mruby libmruby-dev
Architecture: source amd64
Version: 1.4.0+20180418+git54905e98-1
Distribution: unstable
Urgency: medium
Maintainer: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Changed-By: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Description:
 libmruby-dev - lightweight implementation of the Ruby language (development file
 mruby      - lightweight implementation of the Ruby language
Closes: 896020 896021
Changes:
 mruby (1.4.0+20180418+git54905e98-1) unstable; urgency=medium
 .
   * Update from stable branch (20180418).
     - Fix CVE-2018-10191 (Closes: #896020)
       Use after free caused by integer overflow in environment stack
     - Fix CVE-2018-10199 (Closes: #896021)
       Use after free in File#initialize_copy
   * Bump Standards-Version to 4.1.4.
Checksums-Sha1:
Checksums-Sha256:
Files:





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:52:31 2019; Machine Name: beach