From: "zack.ref@gmail.com (Zack Deveau) via ruby-core" <ruby-core@ml.ruby-lang.org>
To: ruby-core@ml.ruby-lang.org
Cc: "zack.ref@gmail.com (Zack Deveau)" <noreply@ruby-lang.org>
Subject: [ruby-core:117510] [Ruby master Bug#20427] Heap buffer overflow in `Array#sort!` when block modifies target array
Date: Sun, 14 Apr 2024 00:47:25 +0000 (UTC) [thread overview]
Message-ID: <redmine.issue-20427.20240414004725.52854@ruby-lang.org> (raw)
In-Reply-To: redmine.issue-20427.20240414004725.52854@ruby-lang.org
Issue #20427 has been reported by zack.ref@gmail.com (Zack Deveau).
----------------------------------------
Bug #20427: Heap buffer overflow in `Array#sort!` when block modifies target array
https://bugs.ruby-lang.org/issues/20427
* Author: zack.ref@gmail.com (Zack Deveau)
* Status: Open
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
----------------------------------------
**(note: It was decided we should handle this in the public issue tracker in security ticket #2327648)**
The attached patch [has been applied to `master`](https://github.com/ruby/ruby/pull/10522) and should apply to latest `3.3.0` for backport.
Could not reproduce on the following builds:
- ruby 3.2.3 (2024-01-18 revision 52bb2ac0a6) [x86_64-linux]
- ruby 3.1.4p249 (2024-01-11 revision 2b608349bb) [x86_64-linux]
---
In cases where `rb_ary_sort_bang` is called with a block and `tmp` is an embedded array, we need to account for the block potentially impacting the capacity of `ary`.
Reproduction script for x86 targets:
```ruby
var_0 = (1..70).to_a
var_0.sort! do |var_0_block_129, var_1_block_129|
var_0.pop
var_1_block_129 <=> var_0_block_129
end.shift(3)
```
Reproduction script for ARM targets:
```ruby
10.times do
var_0 = (1..70).to_a
var_0.sort! do |var_0_block_129, var_1_block_129|
var_0.pop
var_1_block_129 <=> var_0_block_129
end.shift(3)
end
```
The above example can put the array into a corrupted state (`ary` after block has `len=0` and `capa=14`) :
```
================== ary ===================
ary: BD99908
is_embedded?: 0
is_shared?: 0
heap.len: 0
heap.capa: 14
heap.shared_root: 14
================== tmp ===================
ary: BD1EB18
is_embedded?: 1
is_shared?: 0
embed_len: 70
embed_capa: 78
heap.len: 141
heap.capa: 139
heap.shared_root: 139
```
This results in a heap buffer overflow and possible segfault:
```
==19964==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0000034f0 at pc 0x00010c35ee6c bp 0x0003070fb290 sp 0x0003070faa50
WRITE of size 560 at 0x60b0000034f0 thread T0
#0 0x10c35ee6b in wrap_memcpy+0x2ab (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x18e6b)
#1 0x100e0b085 in ruby_nonempty_memcpy memory.h:671
#2 0x100e0e43e in ary_memcpy0 array.c:335
#3 0x100e0cb00 in ary_memcpy array.c:352
#4 0x100e1426c in rb_ary_sort_bang array.c:3519
[ ... ]
```
Was able to reproduce on the following builds:
- ruby 3.4.0dev (2024-01-17T14:48:46Z ef4a08eb65) [x86_64-linux]
- ruby 3.3.0 (2024-01-05 revision 634d4e29ef) [x86_64-darwin23]
- ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin23]
This patch adds a conditional to determine when the capacity of `ary` has been modified by the provided block. If this is the case, ensure that the capacity of `ary` is adjusted to handle at minimum the len of `tmp`.
`test-all` passes locally:
```
Finished tests in 70.194526s, 369.6727 tests/s, 89373.2939 assertions/s.
25949 tests, 6273516 assertions, 0 failures, 0 errors, 292 skips
```
---Files--------------------------------
rb_ary_sort_bang_heap_overflow.patch (2.06 KB)
--
https://bugs.ruby-lang.org/
______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/
next parent reply other threads:[~2024-04-14 0:47 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-14 0:47 zack.ref@gmail.com (Zack Deveau) via ruby-core [this message]
2024-04-14 5:49 ` [ruby-core:117511] [Ruby master Bug#20427] Backport: Heap buffer overflow in `Array#sort!` when block modifies target array nobu (Nobuyoshi Nakada) via ruby-core
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.ruby-lang.org/en/community/mailing-lists/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=redmine.issue-20427.20240414004725.52854@ruby-lang.org \
--to=ruby-core@ruby-lang.org \
--cc=noreply@ruby-lang.org \
--cc=ruby-core@ml.ruby-lang.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).