ruby-core@ruby-lang.org archive (unofficial mirror)
From: "kjtsanaktsidis (KJ Tsanaktsidis) via ruby-core" <ruby-core@ml.ruby-lang.org>
To: ruby-core@ml.ruby-lang.org
Cc: "kjtsanaktsidis (KJ Tsanaktsidis)" <noreply@ruby-lang.org>
Subject: [ruby-core:117354] [Ruby master Bug#20398] heap-buffer-overflow in numeric literal parsing
Date: Thu, 28 Mar 2024 04:51:23 +0000 (UTC)
Message-ID: <redmine.issue-20398.20240328045122.10173@ruby-lang.org>
In-Reply-To: redmine.issue-20398.20240328045122.10173@ruby-lang.org

Issue #20398 has been reported by kjtsanaktsidis (KJ Tsanaktsidis).

----------------------------------------
Bug #20398: heap-buffer-overflow in numeric literal parsing
https://bugs.ruby-lang.org/issues/20398

* Author: kjtsanaktsidis (KJ Tsanaktsidis)
* Status: Open
* Assignee: kjtsanaktsidis (KJ Tsanaktsidis)
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
----------------------------------------
I found the following ASAN error in `TestRubyLiteral#test_integer`. It appears that this code is calling strlen on a non-null-terminated string.

```
[1/1] TestRubyLiteral#test_integer=================================================================
    ==484771==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5060001ab1fc at pc 0x5597fe21d8e1 bp 0x7ffdc6fb0a50 sp 0x7ffdc6fb0210
    READ of size 61 at 0x5060001ab1fc thread T0
        #0 0x5597fe21d8e0 in strlen.part.0 /home/kj/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:391:5
        #1 0x5597fe6b2feb in ruby_strdup /home/kj/ruby/build/../util.c:538:18
        #2 0x5597fe4cb1c5 in set_number_literal /home/kj/ruby/build/parse.y:9694:9
        #3 0x5597fe4cab3d in no_digits /home/kj/ruby/build/parse.y:10409:12
        #4 0x5597fe4b9de9 in parse_numeric /home/kj/ruby/build/parse.y
        #5 0x5597fe4a8adf in parser_yylex /home/kj/ruby/build/parse.y
        #6 0x5597fe45c5cd in yylex /home/kj/ruby/build/parse.y:11916:9
        #7 0x5597fe45c5cd in ruby_yyparse /home/kj/ruby/build/parse.c:11200:16
        #8 0x5597fe49dc00 in yycompile0 /home/kj/ruby/build/parse.y:8121:9
        #9 0x5597fe76db1b in rb_suppress_tracing /home/kj/ruby/build/../vm_trace.c:487:18
        #10 0x5597fe494416 in yycompile /home/kj/ruby/build/parse.y:8177:5
        #11 0x5597fe494416 in parser_compile_string /home/kj/ruby/build/parse.y:8240:12
        #12 0x5597fe494416 in rb_ruby_parser_compile_string_path /home/kj/ruby/build/parse.y:8247:12
        #13 0x5597fe498858 in rb_parser_compile_string_path /home/kj/ruby/build/parse.y:16663:12
        #14 0x5597fe75688c in eval_make_iseq /home/kj/ruby/build/../vm_eval.c:1799:11
        #15 0x5597fe70c8fa in eval_string_with_cref /home/kj/ruby/build/../vm_eval.c:1837:12
        #16 0x5597fe70c396 in rb_f_eval /home/kj/ruby/build/../vm_eval.c:1912:16
        #17 0x5597fe73f5e2 in vm_call_cfunc_with_frame_ /home/kj/ruby/build/../vm_insnhelper.c:3492:11
        #18 0x5597fe6dca64 in vm_sendish /home/kj/ruby/build/../vm_callinfo.h
        #19 0x5597fe6e64fa in vm_exec_core /home/kj/ruby/build/../insns.def:867:11
        #20 0x5597fe6dde00 in vm_exec_loop /home/kj/ruby/build/../vm.c:2578:22
        #21 0x5597fe6dde00 in rb_vm_exec /home/kj/ruby/build/../vm.c:2557:18
        #22 0x5597fe758bc4 in invoke_block /home/kj/ruby/build/../vm.c:1515:12
        #23 0x5597fe758bc4 in invoke_iseq_block_from_c /home/kj/ruby/build/../vm.c:1585:16
        #24 0x5597fe758bc4 in invoke_block_from_c_bh /home/kj/ruby/build/../vm.c:1603:20
        #25 0x5597fe70e4b7 in vm_yield_with_cref /home/kj/ruby/build/../vm.c:1640:12
        #26 0x5597fe709861 in vm_yield /home/kj/ruby/build/../vm.c:1648:12
        #27 0x5597fe709861 in rb_yield_0 /home/kj/ruby/build/../vm_eval.c:1366:12
        #28 0x5597fe709861 in rb_yield /home/kj/ruby/build/../vm_eval.c
        #29 0x5597fec0eff9 in rb_ary_collect /home/kj/ruby/build/../array.c:3601:30
        #30 0x5597fe73f5e2 in vm_call_cfunc_with_frame_ /home/kj/ruby/build/../vm_insnhelper.c:3492:11
        #31 0x5597fe6dca64 in vm_sendish /home/kj/ruby/build/../vm_callinfo.h
        #32 0x5597fe6e2d8f in vm_exec_core /home/kj/ruby/build/../insns.def:847:11
        #33 0x5597fe6dde00 in vm_exec_loop /home/kj/ruby/build/../vm.c:2578:22
        #34 0x5597fe6dde00 in rb_vm_exec /home/kj/ruby/build/../vm.c:2557:18
        #35 0x5597fe3ffe9e in load_iseq_eval /home/kj/ruby/build/../load.c:778:5
        #36 0x5597fe3fb498 in require_internal /home/kj/ruby/build/../load.c:1284:21
        #37 0x5597fe3f9bf3 in rb_require_string_internal /home/kj/ruby/build/../load.c:1383:18
        #38 0x5597fe73f5e2 in vm_call_cfunc_with_frame_ /home/kj/ruby/build/../vm_insnhelper.c:3492:11
        #39 0x5597fe6dca64 in vm_sendish /home/kj/ruby/build/../vm_callinfo.h
        #40 0x5597fe6e64fa in vm_exec_core /home/kj/ruby/build/../insns.def:867:11
        #41 0x5597fe6dda82 in rb_vm_exec /home/kj/ruby/build/../vm.c:2551:22
        #42 0x5597fe30a753 in rb_ec_exec_node /home/kj/ruby/build/../eval.c:283:9
        #43 0x5597fe30a43d in ruby_run_node /home/kj/ruby/build/../eval.c:323:30
        #44 0x5597fe3059b0 in rb_main /home/kj/ruby/build/../main.c:40:12
        #45 0x5597fe3059b0 in main /home/kj/ruby/build/../main.c:59:12
        #46 0x7f1a93141149 in __libc_start_call_main /usr/src/debug/glibc-2.38-16.fc39.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #47 0x7f1a9314120a in __libc_start_main@GLIBC_2.2.5 /usr/src/debug/glibc-2.38-16.fc39.x86_64/csu/../csu/libc-start.c:360:3
        #48 0x5597fe1d3e34 in _start (/home/kj/ruby/build/ruby+0x38ae34)

    0x5060001ab1fc is located 0 bytes after 60-byte region [0x5060001ab1c0,0x5060001ab1fc)
    allocated by thread T0 here:
        #0 0x5597fe2bde4f in malloc /home/kj/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
        #1 0x5597fe3491a9 in objspace_xmalloc0 /home/kj/ruby/build/../gc.c:12605:5
        #2 0x5597fe4a8adf in parser_yylex /home/kj/ruby/build/parse.y
        #3 0x5597fe45c5cd in yylex /home/kj/ruby/build/parse.y:11916:9
        #4 0x5597fe45c5cd in ruby_yyparse /home/kj/ruby/build/parse.c:11200:16
        #5 0x5597fe49dc00 in yycompile0 /home/kj/ruby/build/parse.y:8121:9

    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kj/ruby/build/../util.c:538:18 in ruby_strdup
    Shadow bytes around the buggy address:
      0x5060001aaf00: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
      0x5060001aaf80: 00 00 00 00 00 00 00 04 fa fa fa fa 00 00 00 00
      0x5060001ab000: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
      0x5060001ab080: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
      0x5060001ab100: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
    =>0x5060001ab180: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00[04]
      0x5060001ab200: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
      0x5060001ab280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x5060001ab300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x5060001ab380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x5060001ab400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==484771==ABORTING
```



-- 
https://bugs.ruby-lang.org/
 ______________________________________________
 ruby-core mailing list -- ruby-core@ml.ruby-lang.org
 To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
 ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/
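The report above attributes the overflow to `strlen` (via `ruby_strdup`) being run over a lexer buffer that carries no terminating NUL, so the read continues into the heap redzone. The following is an added illustration written for this archive page, not code from the Ruby parser or from the reporter: `token_buf`, `dup_literal`, `is_terminated` and `make_unterminated` are hypothetical names, and the `"0x1f"` digit buffer is a constructed sample. It shows the defensive pattern for this bug class: when a buffer's valid length is already known, duplicate it with an explicit length and append the NUL yourself, and probe for a terminator only with a bounded search such as `memchr`, never `strlen`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical lexer scratch buffer: the bytes of a numeric literal are
 * accumulated with an explicit length and no trailing NUL, which is the
 * situation that strlen()/strdup() cannot handle safely. */
typedef struct {
    char  *buf;   /* heap allocation, NOT guaranteed to be NUL-terminated */
    size_t len;   /* number of valid bytes in buf */
} token_buf;

/* Length-aware duplicate: copies exactly `len` bytes and appends the NUL
 * itself, so it never reads past the end of `src`. This is the safe
 * replacement for strdup() on a buffer whose length is already known. */
char *dup_literal(const char *src, size_t len)
{
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;
    memcpy(out, src, len);
    out[len] = '\0';
    return out;
}

/* Bounded check for a terminator inside the valid region. memchr() stops at
 * `len` bytes; strlen() would keep reading into whatever follows. Returns 1
 * when a NUL is present within the first `len` bytes, 0 otherwise. */
int is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Build a constructed sample buffer with no terminator: exactly n bytes are
 * allocated, leaving no room for a NUL. `digits` is a C string literal here,
 * so calling strlen() on it is fine. Caller frees t.buf. */
token_buf make_unterminated(const char *digits)
{
    token_buf t = { NULL, 0 };
    size_t n = strlen(digits);
    t.buf = malloc(n);
    if (t.buf == NULL) return t;
    memcpy(t.buf, digits, n);
    t.len = n;
    return t;
}

/* Walks the whole scenario: unterminated buffer -> length-aware copy -> the
 * copy is a proper C string with the expected contents. Returns 1 on success,
 * 0 on any failure, and frees everything it allocated. */
int literal_copy_ok(const char *digits)
{
    int ok = 0;
    token_buf t = make_unterminated(digits);
    if (t.buf == NULL) return 0;

    /* The source really is unterminated within its valid length. */
    if (!is_terminated(t.buf, t.len)) {
        char *copy = dup_literal(t.buf, t.len);
        if (copy != NULL) {
            /* The copy, by contrast, is terminated and compares equal. */
            ok = strlen(copy) == t.len && strcmp(copy, digits) == 0;
            free(copy);
        }
    }
    free(t.buf);
    return ok;
}

int main(void)
{
    printf("length-aware copy of \"0x1f\" ok: %d\n", literal_copy_ok("0x1f"));
    return 0;
}
```

The point of `literal_copy_ok` is the contrast it checks: `is_terminated` reports that the source buffer has no NUL in its `len` bytes, yet the copy produced by `dup_literal` is a well-formed C string, because the length came from the lexer's own bookkeeping rather than from scanning the buffer. Running the block under AddressSanitizer is clean, since no call ever reads beyond the `len` bytes it was given.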
