Date: Thu, 28 Mar 2024 04:51:23 +0000 (UTC)
To: ruby-core@ml.ruby-lang.org
From: "kjtsanaktsidis (KJ Tsanaktsidis) via ruby-core"
Subject: [ruby-core:117354] [Ruby master Bug#20398] heap-buffer-overflow in numeric literal parsing

Issue #20398 has been reported by kjtsanaktsidis (KJ Tsanaktsidis).

----------------------------------------
Bug #20398: heap-buffer-overflow in numeric literal parsing
https://bugs.ruby-lang.org/issues/20398

* Author: kjtsanaktsidis (KJ Tsanaktsidis)
* Status: Open
* Assignee: kjtsanaktsidis (KJ Tsanaktsidis)
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
----------------------------------------

I found the following ASAN error in `TestRubyLiteral#test_integer`. It appears that this code is calling strlen on a non-null terminated string.
```
[1/1] TestRubyLiteral#test_integer
=================================================================
==484771==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5060001ab1fc at pc 0x5597fe21d8e1 bp 0x7ffdc6fb0a50 sp 0x7ffdc6fb0210
READ of size 61 at 0x5060001ab1fc thread T0
    #0 0x5597fe21d8e0 in strlen.part.0 /home/kj/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:391:5
    #1 0x5597fe6b2feb in ruby_strdup /home/kj/ruby/build/../util.c:538:18
    #2 0x5597fe4cb1c5 in set_number_literal /home/kj/ruby/build/parse.y:9694:9
    #3 0x5597fe4cab3d in no_digits /home/kj/ruby/build/parse.y:10409:12
    #4 0x5597fe4b9de9 in parse_numeric /home/kj/ruby/build/parse.y
    #5 0x5597fe4a8adf in parser_yylex /home/kj/ruby/build/parse.y
    #6 0x5597fe45c5cd in yylex /home/kj/ruby/build/parse.y:11916:9
    #7 0x5597fe45c5cd in ruby_yyparse /home/kj/ruby/build/parse.c:11200:16
    #8 0x5597fe49dc00 in yycompile0 /home/kj/ruby/build/parse.y:8121:9
    #9 0x5597fe76db1b in rb_suppress_tracing /home/kj/ruby/build/../vm_trace.c:487:18
    #10 0x5597fe494416 in yycompile /home/kj/ruby/build/parse.y:8177:5
    #11 0x5597fe494416 in parser_compile_string /home/kj/ruby/build/parse.y:8240:12
    #12 0x5597fe494416 in rb_ruby_parser_compile_string_path /home/kj/ruby/build/parse.y:8247:12
    #13 0x5597fe498858 in rb_parser_compile_string_path /home/kj/ruby/build/parse.y:16663:12
    #14 0x5597fe75688c in eval_make_iseq /home/kj/ruby/build/../vm_eval.c:1799:11
    #15 0x5597fe70c8fa in eval_string_with_cref /home/kj/ruby/build/../vm_eval.c:1837:12
    #16 0x5597fe70c396 in rb_f_eval /home/kj/ruby/build/../vm_eval.c:1912:16
    #17 0x5597fe73f5e2 in vm_call_cfunc_with_frame_ /home/kj/ruby/build/../vm_insnhelper.c:3492:11
    #18 0x5597fe6dca64 in vm_sendish /home/kj/ruby/build/../vm_callinfo.h
    #19 0x5597fe6e64fa in vm_exec_core /home/kj/ruby/build/../insns.def:867:11
    #20 0x5597fe6dde00 in vm_exec_loop /home/kj/ruby/build/../vm.c:2578:22
    #21 0x5597fe6dde00 in rb_vm_exec /home/kj/ruby/build/../vm.c:2557:18
    #22 0x5597fe758bc4 in invoke_block /home/kj/ruby/build/../vm.c:1515:12
    #23 0x5597fe758bc4 in invoke_iseq_block_from_c /home/kj/ruby/build/../vm.c:1585:16
    #24 0x5597fe758bc4 in invoke_block_from_c_bh /home/kj/ruby/build/../vm.c:1603:20
    #25 0x5597fe70e4b7 in vm_yield_with_cref /home/kj/ruby/build/../vm.c:1640:12
    #26 0x5597fe709861 in vm_yield /home/kj/ruby/build/../vm.c:1648:12
    #27 0x5597fe709861 in rb_yield_0 /home/kj/ruby/build/../vm_eval.c:1366:12
    #28 0x5597fe709861 in rb_yield /home/kj/ruby/build/../vm_eval.c
    #29 0x5597fec0eff9 in rb_ary_collect /home/kj/ruby/build/../array.c:3601:30
    #30 0x5597fe73f5e2 in vm_call_cfunc_with_frame_ /home/kj/ruby/build/../vm_insnhelper.c:3492:11
    #31 0x5597fe6dca64 in vm_sendish /home/kj/ruby/build/../vm_callinfo.h
    #32 0x5597fe6e2d8f in vm_exec_core /home/kj/ruby/build/../insns.def:847:11
    #33 0x5597fe6dde00 in vm_exec_loop /home/kj/ruby/build/../vm.c:2578:22
    #34 0x5597fe6dde00 in rb_vm_exec /home/kj/ruby/build/../vm.c:2557:18
    #35 0x5597fe3ffe9e in load_iseq_eval /home/kj/ruby/build/../load.c:778:5
    #36 0x5597fe3fb498 in require_internal /home/kj/ruby/build/../load.c:1284:21
    #37 0x5597fe3f9bf3 in rb_require_string_internal /home/kj/ruby/build/../load.c:1383:18
    #38 0x5597fe73f5e2 in vm_call_cfunc_with_frame_ /home/kj/ruby/build/../vm_insnhelper.c:3492:11
    #39 0x5597fe6dca64 in vm_sendish /home/kj/ruby/build/../vm_callinfo.h
    #40 0x5597fe6e64fa in vm_exec_core /home/kj/ruby/build/../insns.def:867:11
    #41 0x5597fe6dda82 in rb_vm_exec /home/kj/ruby/build/../vm.c:2551:22
    #42 0x5597fe30a753 in rb_ec_exec_node /home/kj/ruby/build/../eval.c:283:9
    #43 0x5597fe30a43d in ruby_run_node /home/kj/ruby/build/../eval.c:323:30
    #44 0x5597fe3059b0 in rb_main /home/kj/ruby/build/../main.c:40:12
    #45 0x5597fe3059b0 in main /home/kj/ruby/build/../main.c:59:12
    #46 0x7f1a93141149 in __libc_start_call_main /usr/src/debug/glibc-2.38-16.fc39.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #47 0x7f1a9314120a in __libc_start_main@GLIBC_2.2.5 /usr/src/debug/glibc-2.38-16.fc39.x86_64/csu/../csu/libc-start.c:360:3
    #48 0x5597fe1d3e34 in _start (/home/kj/ruby/build/ruby+0x38ae34)

0x5060001ab1fc is located 0 bytes after 60-byte region [0x5060001ab1c0,0x5060001ab1fc)
allocated by thread T0 here:
    #0 0x5597fe2bde4f in malloc /home/kj/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x5597fe3491a9 in objspace_xmalloc0 /home/kj/ruby/build/../gc.c:12605:5
    #2 0x5597fe4a8adf in parser_yylex /home/kj/ruby/build/parse.y
    #3 0x5597fe45c5cd in yylex /home/kj/ruby/build/parse.y:11916:9
    #4 0x5597fe45c5cd in ruby_yyparse /home/kj/ruby/build/parse.c:11200:16
    #5 0x5597fe49dc00 in yycompile0 /home/kj/ruby/build/parse.y:8121:9

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kj/ruby/build/../util.c:538:18 in ruby_strdup
Shadow bytes around the buggy address:
  0x5060001aaf00: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x5060001aaf80: 00 00 00 00 00 00 00 04 fa fa fa fa 00 00 00 00
  0x5060001ab000: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x5060001ab080: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x5060001ab100: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
=>0x5060001ab180: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00[04]
  0x5060001ab200: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x5060001ab280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5060001ab300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5060001ab380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5060001ab400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==484771==ABORTING
```

-- 
https://bugs.ruby-lang.org/

______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/
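The failure pattern the report infers, as an added example in C that is not CRuby's code: a strdup-style helper computes its length with strlen(), but the token buffer it is handed is sized exactly to the literal with no trailing NUL, so the scan runs off the end of the region, which is what ASan flags as a read one byte past the 60-byte allocation. The layout below (a digit buffer immediately followed by a few filler bytes standing in for whatever the real heap holds next, all inside one allocation) is an assumption chosen so the overread is deterministic rather than undefined; the names dup_terminated, dup_counted and make_token_region are hypothetical and do not reproduce parse.y's token buffer handling. The counted variant is the shape of fix a length-delimited tokenizer needs: copy exactly len bytes and write the terminator into the copy, never trusting the source to carry one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not CRuby code. Models the failure in the report: a
 * parser accumulates the characters of a numeric literal into a heap
 * buffer sized exactly to the token (no room for a trailing NUL) and
 * then hands that buffer to a strdup-style helper, which calls strlen()
 * and reads past the end of the region.
 *
 * Assumption for illustration: the token sits at the start of a larger
 * allocation whose tail holds filler bytes standing in for adjacent
 * heap contents, so the overread stays inside one allocation and the
 * result is deterministic. CRuby's tokbuf layout is not reproduced. */

#define TOKEN_LEN 60          /* matches the 60-byte region in the ASan report */
#define FILLER    "XYZ"       /* stand-in for adjacent heap bytes, then a NUL */

/* strdup-style helper that trusts a terminator: the bug pattern.
 * strlen() keeps scanning until it finds a zero byte, wherever that is. */
static char *dup_terminated(const char *s)
{
    size_t len = strlen(s);               /* overreads if s has no NUL */
    char *out = malloc(len + 1);
    if (!out) abort();
    memcpy(out, s, len + 1);
    return out;
}

/* Length-aware helper: the fix pattern. Never reads beyond len bytes
 * of the source and supplies the terminator in the new copy. */
static char *dup_counted(const char *s, size_t len)
{
    char *out = malloc(len + 1);
    if (!out) abort();
    memcpy(out, s, len);
    out[len] = '\0';
    return out;
}

/* Build the simulated token buffer: 60 digits, then filler, then NUL.
 * The digits are constructed sample input, not a literal from the test. */
static char *make_token_region(void)
{
    char *region = malloc(TOKEN_LEN + sizeof(FILLER));
    if (!region) abort();
    for (size_t i = 0; i < TOKEN_LEN; i++)
        region[i] = (char)('0' + i % 10);
    memcpy(region + TOKEN_LEN, FILLER, sizeof(FILLER));  /* includes the NUL */
    return region;
}

/* Bytes the strlen-based helper actually copies: the token plus the
 * filler that followed it, i.e. TOKEN_LEN + strlen(FILLER). */
size_t copied_len_unsafe(void)
{
    char *region = make_token_region();
    char *dup = dup_terminated(region);
    size_t n = strlen(dup);
    free(dup);
    free(region);
    return n;
}

/* Bytes the counted helper copies: exactly TOKEN_LEN. */
size_t copied_len_safe(void)
{
    char *region = make_token_region();
    char *dup = dup_counted(region, TOKEN_LEN);
    size_t n = strlen(dup);
    free(dup);
    free(region);
    return n;
}

/* 1 if the counted copy contains no filler byte and is NUL-terminated
 * at TOKEN_LEN, 0 otherwise. */
int safe_copy_has_no_filler(void)
{
    char *region = make_token_region();
    char *dup = dup_counted(region, TOKEN_LEN);
    int clean = (strstr(dup, FILLER) == NULL) && (strlen(dup) == TOKEN_LEN);
    free(dup);
    free(region);
    return clean;
}

int main(void)
{
    printf("strlen-based dup copied %zu bytes (token is %d)\n",
           copied_len_unsafe(), TOKEN_LEN);
    printf("counted dup copied %zu bytes\n", copied_len_safe());
    return 0;
}
```

Under ASan the real parser faults because the byte after the region is a redzone; without instrumentation the same scan silently swallows whatever follows, so the literal's text carries trailing garbage instead of crashing, which is the quieter failure mode this class of bug has in production builds.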