About CVE-2022-0240: do not dismiss low-risk vulnerabilities (17th Jan, 2022)

Preface: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Background: MRuby is a lightweight implementation of the Ruby language that complies with (part of) the ISO standard. Its syntax is Ruby 2.x compatible. MRuby is embeddable: it can run inside other applications, which makes it great for scripting and configuration.

There is an unofficial consensus among IoT manufacturers that "dumb" IoT devices only provide resources or services, while most of the application logic is designed into the IoT broker cloud. MRuby fits this use case well despite performance issues.

Vulnerability details: MRuby is vulnerable to a NULL pointer dereference in prepare_singleton_class. According to the official remedy, adding two lines to src/class.c fixes the vulnerability.

Refer to the attached diagram: suppose the design compiles Ruby code to bytecode and then installs that bytecode on the virtual machine of the IoT device.
The NULL pointer dereference itself happens in the MRuby object class. Will it still affect the program after compilation?

Perhaps the following guidance from Apple's developer documentation helps:

Dereferencing a null pointer always results in undefined behavior and can cause crashes. If the compiler finds a pointer dereference, it treats that pointer as nonnull. As a result, the optimizer may remove null equality checks for dereferenced pointers.

However, no hints that resolve this uncertainty could be found on the internet, so it still needs to be observed.
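The check-removal behaviour quoted above, as an added C example that is not part of the original post or of mruby's source: the `klass` and `object` structs and both functions are hypothetical stand-ins for an interpreter's object model. The check-after variant is only ever called with valid pointers here, because calling it with a NULL class would be undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical miniature object model (not mruby's real types). */
struct klass  { struct klass *super; int depth; };
struct object { struct klass *c; };

/* Risky ordering: o->c is dereferenced before it is tested. Because the
 * dereference already happened, the compiler may assume o->c is non-NULL
 * and delete the check below when optimizing, so the "guard" gives no
 * protection. With o->c == NULL this is undefined behaviour. */
int super_depth_check_after(const struct object *o)
{
    const struct klass *super = o->c->super;  /* dereference comes first */
    if (o->c == NULL)                         /* too late; may be removed */
        return -1;
    return super ? super->depth : 0;
}

/* Hardened ordering: each pointer is tested before it is dereferenced,
 * so the check cannot be optimized away and NULL is reported as -1. */
int super_depth_check_first(const struct object *o)
{
    if (o == NULL || o->c == NULL)
        return -1;
    const struct klass *super = o->c->super;
    return super ? super->depth : 0;
}

int main(void)
{
    /* Constructed sample objects. */
    struct klass base = { NULL, 3 };
    struct klass derived = { &base, 4 };
    struct object ok = { &derived };
    struct object no_class = { NULL };

    printf("valid object:    %d\n", super_depth_check_first(&ok));
    printf("object w/o class: %d\n", super_depth_check_first(&no_class));
    printf("NULL object:     %d\n", super_depth_check_first(NULL));
    return 0;
}
```

Compiling the check-after function at a high optimization level and inspecting the generated assembly is a practical way to see whether a given compiler dropped the comparison.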

Remedy: The official announcement can be found at the following link: https://github.com/mruby/mruby/commit/31fa3304049fc406a201a72293cce140f0557dca
