ruby-core@ruby-lang.org archive (unofficial mirror)
* [ruby-core:103480] [Ruby master Bug#17807] "Segmentation fault at 0x0000000000000008" crash when accessing instance variables of Process::Waiter instances (Ruby 2.3 to 2.6)
@ 2021-04-16 11:20 ivo.anjo
  2021-04-20 16:49 ` [ruby-core:103526] " merch-redmine
  2023-11-23 13:47 ` [ruby-core:115463] " ivoanjo (Ivo Anjo) via ruby-core
  0 siblings, 2 replies; 3+ messages in thread
From: ivo.anjo @ 2021-04-16 11:20 UTC (permalink / raw)
  To: ruby-core

Issue #17807 has been reported by ivoanjo (Ivo Anjo).

----------------------------------------
Bug #17807: "Segmentation fault at 0x0000000000000008" crash when accessing instance variables of Process::Waiter instances (Ruby 2.3 to 2.6)
https://bugs.ruby-lang.org/issues/17807

* Author: ivoanjo (Ivo Anjo)
* Status: Open
* Priority: Normal
* ruby -v: ruby 2.6.7p197 (2021-04-05 revision 67941) [x86_64-linux]
* Backport: 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN
----------------------------------------
Hey there! I'm on the [Datadog's ddtrace gem](https://github.com/DataDog/dd-trace-rb) team and one of our customers was running into this crash.

Reproducing it is trivial: `ruby -e 'Process.detach(fork {}); Thread.list.last.instance_variable_get(:@kaboom)'`.

The issue seems to be that some of the internal structures of the `Process::Waiter` are not properly initialized, and so trying to access instance variables on an instance of that very special class triggers the crash.

This seems to affect Ruby from 2.3 up to 2.6, on both Linux and macOS. I've attached a crash log, but probably running the reproducer example is faster :)

As I said above, this crash is gone on 2.7 and 3.0. I could not find any mention of this crash, so I suspect the fix may have been a happy side effect of some refactoring, rather than a deliberate thing.
Furthermore, I know that out of the affected versions, only 2.6 is still not EOL, and I am not sure if this can be qualified as a security issue. I decided to report it anyway, in the spirit of documenting what I learned. Feel free to close the ticket if indeed there are no plans of fixing it.

Finally, here are some hints, if someone out there also needs to work around this issue:
* `defined?` (from inside the class) or `instance_variable_defined?` (from the outside) seem to work, so if you "look before you jump", you can avoid the crash
* Writing once to any instance variable on any instance of a `Process::Waiter` seems to initialize whatever was missing; afterwards, any instance of this class will behave correctly
* You can always check the `.class` of the thread to see if you should skip whatever you were trying to do with it

---Files--------------------------------
crash-log.txt (16 KB)


-- 
https://bugs.ruby-lang.org/

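The three workaround hints from the report, turned into a guarded accessor. This is an added example and is not code from the bug report, from ruby-core or from the ddtrace gem; the names safe_ivar_get, prime_process_waiter, demo_plain_thread and demo_waiter are hypothetical, as is the @request_id/@kaboom data they use. On Ruby 2.7+ the guard is merely defensive, since the crash no longer reproduces there.

```ruby
# Added example (not from the bug report): a guarded accessor that applies the
# reporter's workaround hints when reading instance variables off arbitrary
# threads, e.g. from a tracer that walks Thread.list. The method names and the
# ivar names used below are hypothetical.

# Hint 3 + hint 1: refuse to touch Process::Waiter instances at all, and "look
# before you jump" with instance_variable_defined? for every other thread.
def safe_ivar_get(thread, name, default: nil)
  return default if defined?(Process::Waiter) && thread.is_a?(Process::Waiter)
  return default unless thread.instance_variable_defined?(name)
  thread.instance_variable_get(name)
end

# Hint 2: on the affected versions, writing once to any Process::Waiter
# initialises the missing state for every later instance. Call this once at
# startup if you cannot avoid reading ivars off waiter threads.
def prime_process_waiter(waiter)
  waiter.instance_variable_set(:@__primed, true)
  waiter
end

# A regular thread: the ivar it set is readable; an unset one yields the default.
def demo_plain_thread
  t = Thread.new { Thread.current.instance_variable_set(:@request_id, 42) }
  t.join
  [safe_ivar_get(t, :@request_id), safe_ivar_get(t, :@missing, default: :none)]
end

# The reporter's reproducer, behind the guard: the waiter returned by
# Process.detach is skipped instead of being read. Returns :fork_unavailable
# on platforms without fork.
def demo_waiter
  return :fork_unavailable unless Process.respond_to?(:fork)
  waiter = Process.detach(fork { exit!(0) })
  result = safe_ivar_get(waiter, :@kaboom, default: :skipped)
  waiter.join
  result
rescue NotImplementedError, Errno::EAGAIN
  :fork_unavailable
end

if __FILE__ == $PROGRAM_NAME
  p demo_plain_thread # => [42, :none]
  p demo_waiter       # => :skipped (or :fork_unavailable)
end
```

The class check comes first on purpose: instance_variable_defined? is the reporter's "look before you jump" hint for ordinary threads, but skipping Process::Waiter entirely avoids relying on any behaviour of the partially initialised object.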

* [ruby-core:103526] [Ruby master Bug#17807] "Segmentation fault at 0x0000000000000008" crash when accessing instance variables of Process::Waiter instances (Ruby 2.3 to 2.6)
  2021-04-16 11:20 [ruby-core:103480] [Ruby master Bug#17807] "Segmentation fault at 0x0000000000000008" crash when accessing instance variables of Process::Waiter instances (Ruby 2.3 to 2.6) ivo.anjo
@ 2021-04-20 16:49 ` merch-redmine
  2023-11-23 13:47 ` [ruby-core:115463] " ivoanjo (Ivo Anjo) via ruby-core
  1 sibling, 0 replies; 3+ messages in thread
From: merch-redmine @ 2021-04-20 16:49 UTC (permalink / raw)
  To: ruby-core

Issue #17807 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Open to Closed

Thank you for the report! I don't think this is a security issue, and since Ruby 2.6 is in security maintenance mode and Ruby 2.7+ is not affected, I'm going to close this.

----------------------------------------
Bug #17807: "Segmentation fault at 0x0000000000000008" crash when accessing instance variables of Process::Waiter instances (Ruby 2.3 to 2.6)
https://bugs.ruby-lang.org/issues/17807#change-91627

* Author: ivoanjo (Ivo Anjo)
* Status: Closed
* Priority: Normal
* ruby -v: ruby 2.6.7p197 (2021-04-05 revision 67941) [x86_64-linux]
* Backport: 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN
----------------------------------------


-- 
https://bugs.ruby-lang.org/


* [ruby-core:115463] [Ruby master Bug#17807] "Segmentation fault at 0x0000000000000008" crash when accessing instance variables of Process::Waiter instances (Ruby 2.3 to 2.6)
  2021-04-16 11:20 [ruby-core:103480] [Ruby master Bug#17807] "Segmentation fault at 0x0000000000000008" crash when accessing instance variables of Process::Waiter instances (Ruby 2.3 to 2.6) ivo.anjo
  2021-04-20 16:49 ` [ruby-core:103526] " merch-redmine
@ 2023-11-23 13:47 ` ivoanjo (Ivo Anjo) via ruby-core
  1 sibling, 0 replies; 3+ messages in thread
From: ivoanjo (Ivo Anjo) via ruby-core @ 2023-11-23 13:47 UTC (permalink / raw)
  To: ruby-core; +Cc: ivoanjo (Ivo Anjo)

Issue #17807 has been updated by ivoanjo (Ivo Anjo).


Randomly, I found today that right around when I was trying to debug this, the puma folks also independently ran into it: https://github.com/puma/puma/issues/2566

----------------------------------------
Bug #17807: "Segmentation fault at 0x0000000000000008" crash when accessing instance variables of Process::Waiter instances (Ruby 2.3 to 2.6)
https://bugs.ruby-lang.org/issues/17807#change-105391

* Author: ivoanjo (Ivo Anjo)
* Status: Closed
* Priority: Normal
* ruby -v: ruby 2.6.7p197 (2021-04-05 revision 67941) [x86_64-linux]
* Backport: 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN
----------------------------------------


-- 
https://bugs.ruby-lang.org/
 ______________________________________________
 ruby-core mailing list -- ruby-core@ml.ruby-lang.org
 To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
 ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/

