Creolabs Gravity Heap Buffer Overflow Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A heap buffer overflow vulnerability has been identified in Creolabs Gravity versions prior to 0.9.6. The issue arises in the 'gravity_vm_exec' function, where an attacker can cause out-of-bounds heap writes by supplying a script with numerous string literals at the global scope. The root cause is inadequate bounds checking in 'gravity_fiber_reassign()', which leads to corruption of heap metadata and potentially allows arbitrary code execution in applications that process untrusted scripts.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to corruption of heap metadata and arbitrary code execution.

Reproduction

The vulnerability can be reproduced by crafting a script that includes a large number of string literals at the global scope. Combining these literals with a recursive function makes the fiber's stack usage exceed its default allocation. The 'gravity_fiber_reassign' function then reallocates the fiber stack, but because the growth is not bounded correctly, stack usage that surpasses the allocated limit results in a heap-buffer-overflow. Running such a script with a 'gravity' interpreter built with AddressSanitizer enabled makes the heap-buffer-overflow visible, as ASan reports the out-of-bounds write.
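As an added illustration (this is not Gravity's code; 'fiber_t', 'fiber_stack_ensure' and 'fiber_push_slots' are hypothetical names), the following C model shows the growth check that a fiber-stack reallocation needs: the new capacity is derived from the actual requirement rather than a fixed increment, the size arithmetic is guarded, and no slot is written until the check has passed, so a single frame holding many string literals cannot run past the allocation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of a VM fiber stack (not Gravity's data structure). */
typedef struct {
    uint64_t *stack;    /* heap-allocated value slots */
    size_t    used;     /* slots in use */
    size_t    capacity; /* slots allocated */
} fiber_t;

/* Grow so that at least `needed` more slots fit. Capacity follows the real
 * requirement (not a fixed step), so one large frame cannot outrun the buffer.
 * Returns 0 on failure; the caller must then stop rather than write. */
static int fiber_stack_ensure(fiber_t *f, size_t needed) {
    if (needed > SIZE_MAX - f->used) return 0;          /* size_t overflow */
    size_t required = f->used + needed;
    if (required <= f->capacity) return 1;
    size_t newcap = f->capacity ? f->capacity : 64;
    while (newcap < required) {
        if (newcap > SIZE_MAX / 2) return 0;
        newcap *= 2;
    }
    if (newcap > SIZE_MAX / sizeof *f->stack) return 0; /* byte-count overflow */
    uint64_t *p = realloc(f->stack, newcap * sizeof *f->stack);
    if (!p) return 0;
    memset(p + f->capacity, 0, (newcap - f->capacity) * sizeof *p); /* no stale data */
    f->stack = p;
    f->capacity = newcap;
    return 1;
}
/* Push `count` slots; the write happens only after the capacity check. */
size_t fiber_push_slots(fiber_t *f, const uint64_t *vals, size_t count) {
    if (!fiber_stack_ensure(f, count)) return 0;
    memcpy(f->stack + f->used, vals, count * sizeof *vals);
    f->used += count;
    return count;
}

/* Self-check: push n slots twice, then verify size, capacity and contents. */
int fiber_selftest(size_t n) {
    fiber_t f = {0};
    uint64_t *vals = n ? malloc(n * sizeof *vals) : NULL;
    if (!vals) return 0;
    for (size_t i = 0; i < n; i++) vals[i] = (uint64_t)i;   /* constructed values */
    int ok = fiber_push_slots(&f, vals, n) == n && fiber_push_slots(&f, vals, n) == n
          && f.used == 2 * n && f.capacity >= 2 * n && f.stack[2 * n - 1] == n - 1;
    free(vals);
    free(f.stack);
    return ok;
}
```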

Remediation

Users can upgrade to Creolabs Gravity version 0.9.6 or later, where this vulnerability has been fixed.

Added: Apr 16, 2026, 2:21 AM
Updated: Apr 16, 2026, 2:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.5
remediation: 7.7
relevance: 6.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.