mruby Use-After-Realloc Vulnerability in Array Sorting Function

Vulnerability

A use-after-realloc vulnerability has been identified in mruby versions prior to 3.4.0, specifically in the Array sorting function 'sort_cmp' in 'src/array.c'. It arises when a user-defined comparator block modifies the array mid-sort, for example by calling 'slice!'. Such a modification can shrink or reallocate the array's storage, after which the sorting algorithm dereferences a stale pointer to the old buffer. Reading and writing through that stale pointer can crash the program or potentially allow arbitrary code execution.

Impact

Triggering this vulnerability produces a use-after-free condition: the program continues to reference memory that has already been freed. This can cause a crash, allow manipulation of memory contents or, in some cases, execution of injected code.

Reproduction

The vulnerability can be reproduced by sorting an array larger than the 'SMALL_ARRAY_SORT_THRESHOLD' with a custom block that alters the array during the comparison. For example, using a Ruby fuzzer input that calls 'slice!' on the array while it is being sorted will trigger the issue, causing a segmentation fault by dereferencing a freed memory address.
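To make the failure mode concrete, the following is an added, simplified C model of this bug class; it is not mruby's code, and the array type, the insertion sort and the "re-read the pointer after every callback and bail out if the length changed" hardening are illustrative assumptions rather than mruby's actual fix. It contrasts a sort loop that caches the buffer pointer across comparator calls with one that re-reads it, using a comparator that truncates the array on its first call, as a 'slice!' in a sort block would.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified stand-in for an interpreter's growable array: buffer plus length.
 * A comparator may run user code that mutates the array, as a sort block can. */
typedef struct { int *ptr; size_t len; } Arr;
typedef int (*cmp_fn)(Arr *a, int x, int y, void *ctx);
static void arr_shrink(Arr *a, size_t keep) {  /* realloc may move or free the old buffer */
    int *np = realloc(a->ptr, keep ? keep * sizeof(int) : 1);
    if (np) a->ptr = np;
    a->len = keep;
}

/* Vulnerable pattern (shown for contrast, never executed): ptr and len are cached
 * before the loop, so a comparator that shrinks the array leaves p dangling. */
static void sort_stale(Arr *a, cmp_fn cmp, void *ctx) {
    int *p = a->ptr; size_t n = a->len;
    for (size_t i = 1; i < n; i++)
        for (size_t j = i; j > 0 && cmp(a, p[j - 1], p[j], ctx) > 0; j--) {
            int t = p[j]; p[j] = p[j - 1]; p[j - 1] = t;  /* writes through stale p */
        }
}
/* Hardened pattern: re-read ptr/len after every callback and stop if the array
 * changed under us. Returns 0 on success, -1 if the comparator mutated it. */
static int sort_safe(Arr *a, cmp_fn cmp, void *ctx) {
    size_t n = a->len;
    for (size_t i = 1; i < n; i++)
        for (size_t j = i; j > 0; j--) {
            int r = cmp(a, a->ptr[j - 1], a->ptr[j], ctx);
            if (a->len != n) return -1;  /* buffer may have moved or shrunk */
            if (r <= 0) break;
            int t = a->ptr[j]; a->ptr[j] = a->ptr[j - 1]; a->ptr[j - 1] = t;
        }
    return 0;
}
static int cmp_plain(Arr *a, int x, int y, void *ctx) { (void)a; (void)ctx; return x - y; }
static int cmp_shrinks(Arr *a, int x, int y, void *ctx) {
    if ((*(int *)ctx)++ == 0) arr_shrink(a, 1);  /* first call truncates, like slice! */
    return x - y;
}
/* Returns 1 if the hardened sort handles the chosen comparator correctly. */
static int demo(int shrink) {
    int init[4] = {4, 3, 2, 1}, calls = 0;  /* constructed sample input */
    Arr a = { malloc(sizeof init), 4 };
    memcpy(a.ptr, init, sizeof init);
    int rc = sort_safe(&a, shrink ? cmp_shrinks : cmp_plain, &calls);
    int ok = shrink ? (rc == -1 && a.len == 1) : (rc == 0 && a.ptr[0] == 1 && a.ptr[3] == 4);
    free(a.ptr); (void)sort_stale;  /* sort_stale is referenced only to avoid an unused warning */
    return ok;
}
```

With the plain comparator the hardened sort orders the buffer normally; with the truncating comparator it detects the length change immediately after the callback and returns -1 instead of touching the reallocated storage.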

Remediation

Users are advised to update to mruby version 3.4.1 or later, where this vulnerability has been patched.

Added: Nov 13, 2025, 4:34 PM
Updated: Nov 13, 2025, 4:34 PM

Vulnerability Rating (Custom Algorithm)

  spread          4.2
  impact          2.5
  exploitability  5.6
  remediation     7.7
  relevance       1.0
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.