ruby-core@ruby-lang.org archive (unofficial mirror)
From: "zack.ref@gmail.com (Zack Deveau) via ruby-core" <ruby-core@ml.ruby-lang.org>
To: ruby-core@ml.ruby-lang.org
Cc: "zack.ref@gmail.com (Zack Deveau)" <noreply@ruby-lang.org>
Subject: [ruby-core:117510] [Ruby master Bug#20427] Heap buffer overflow in `Array#sort!` when block modifies target array
Date: Sun, 14 Apr 2024 00:47:25 +0000 (UTC)	[thread overview]
Message-ID: <redmine.issue-20427.20240414004725.52854@ruby-lang.org> (raw)
In-Reply-To: redmine.issue-20427.20240414004725.52854@ruby-lang.org

Issue #20427 has been reported by zack.ref@gmail.com (Zack Deveau).

----------------------------------------
Bug #20427: Heap buffer overflow in `Array#sort!` when block modifies target array
https://bugs.ruby-lang.org/issues/20427

* Author: zack.ref@gmail.com (Zack Deveau)
* Status: Open
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
----------------------------------------
**(note: It was decided we should handle this in the public issue tracker in security ticket #2327648)**

The attached patch [has been applied to `master`](https://github.com/ruby/ruby/pull/10522) and should apply to latest `3.3.0` for backport.

Could not reproduce on the following builds:
- ruby 3.2.3 (2024-01-18 revision 52bb2ac0a6) [x86_64-linux]
- ruby 3.1.4p249 (2024-01-11 revision 2b608349bb) [x86_64-linux]

---

In cases where `rb_ary_sort_bang` is called with a block and `tmp` is an embedded array, we need to account for the block potentially impacting the capacity of `ary`.

Reproduction script for x86 targets:
```ruby
var_0 = (1..70).to_a
var_0.sort! do |var_0_block_129, var_1_block_129|
  var_0.pop
  var_1_block_129 <=> var_0_block_129
end.shift(3)
```

Reproduction script for ARM targets:
```ruby
10.times do
  var_0 = (1..70).to_a
  var_0.sort! do |var_0_block_129, var_1_block_129|
    var_0.pop
    var_1_block_129 <=> var_0_block_129
  end.shift(3)
end
```

The above example can put the array into a corrupted state (`ary` after the block has `len=0` and `capa=14`):
```
================== ary ===================
ary: BD99908
is_embedded?: 0
is_shared?: 0
heap.len: 0
heap.capa: 14
heap.shared_root: 14
================== tmp ===================
ary: BD1EB18
is_embedded?: 1
is_shared?: 0
embed_len: 70
embed_capa: 78
heap.len: 141
heap.capa: 139
heap.shared_root: 139
```

This results in a heap buffer overflow and possible segfault:
```
==19964==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0000034f0 at pc 0x00010c35ee6c bp 0x0003070fb290 sp 0x0003070faa50
WRITE of size 560 at 0x60b0000034f0 thread T0
    #0 0x10c35ee6b in wrap_memcpy+0x2ab (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x18e6b)
    #1 0x100e0b085 in ruby_nonempty_memcpy memory.h:671
    #2 0x100e0e43e in ary_memcpy0 array.c:335
    #3 0x100e0cb00 in ary_memcpy array.c:352
    #4 0x100e1426c in rb_ary_sort_bang array.c:3519
    [ ... ]
```

Was able to reproduce on the following builds:
- ruby 3.4.0dev (2024-01-17T14:48:46Z ef4a08eb65) [x86_64-linux]
- ruby 3.3.0 (2024-01-05 revision 634d4e29ef) [x86_64-darwin23]
- ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin23]
This patch adds a conditional to determine when the capacity of `ary` has been modified by the provided block. If this is the case, ensure that the capacity of `ary` is adjusted to handle at minimum the len of `tmp`.

`test-all` passes locally:
```
Finished tests in 70.194526s, 369.6727 tests/s, 89373.2939 assertions/s.
25949 tests, 6273516 assertions, 0 failures, 0 errors, 292 skips
```

---Files--------------------------------
rb_ary_sort_bang_heap_overflow.patch (2.06 KB)


-- 
https://bugs.ruby-lang.org/
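The mechanism the report describes (copy the receiver into `tmp`, sort `tmp` while the block runs, copy `tmp` back over the receiver) and the check the patch adds, as an added C model written for this page. It is not Ruby's `array.c`: the struct layout, the insertion sort, the shrink-on-pop policy and its 14-slot floor (chosen so the post-block state matches the dump above, `len=0`, `capa=14`) are assumptions of this example. The unguarded path reports how many bytes the copy-back would write past the receiver's buffer instead of performing the write; the guarded path regrows the receiver to at least `tmp.len` first, which is the fix the report describes.

```c
/*
 * Added model of the copy-back step described in the report; this is NOT
 * Ruby's array.c.  The struct, the insertion sort, the shrink-on-pop policy
 * and the 14-slot floor (chosen so the post-block state matches the dump in
 * the report: len=0, capa=14) are all assumptions of this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef long slot_t;                     /* stand-in for one VALUE slot */

typedef struct {
    slot_t *ptr;
    size_t  len;
    size_t  capa;
} model_ary;

typedef int (*model_cmp)(slot_t a, slot_t b, void *ctx);

/* Fill with n..1 (descending) so every comparison during the sort is "real". */
static void model_init(model_ary *a, size_t n) {
    a->ptr  = calloc(n ? n : 1, sizeof(slot_t));
    a->len  = n;
    a->capa = n;
    for (size_t i = 0; i < n; i++) a->ptr[i] = (slot_t)(n - i);
}

static void model_free(model_ary *a) { free(a->ptr); a->ptr = NULL; a->len = a->capa = 0; }

/* Assumed pop(): drops the last element and shrinks the heap buffer to the
 * new length, never below 14 slots.  After 70 pops: len=0, capa=14. */
static void model_pop_shrink(model_ary *a) {
    if (a->len == 0) return;
    a->len--;
    size_t new_capa = a->len < 14 ? 14 : a->len;
    if (new_capa != a->capa) {
        a->ptr  = realloc(a->ptr, new_capa * sizeof(slot_t));
        a->capa = new_capa;
    }
}

static void insertion_sort(slot_t *p, size_t n, model_cmp cmp, void *ctx) {
    for (size_t i = 1; i < n; i++) {
        slot_t v = p[i];
        size_t j = i;
        while (j > 0 && cmp(p[j - 1], v, ctx) > 0) { p[j] = p[j - 1]; j--; }
        p[j] = v;
    }
}

/* Well-behaved comparator: no side effects on the receiver. */
static int plain_cmp(slot_t a, slot_t b, void *ctx) { (void)ctx; return (a > b) - (a < b); }

/* The comparator the repro's block corresponds to: pops from the receiver
 * on every call, shrinking it while the sort is still running. */
static int popping_cmp(slot_t a, slot_t b, void *ctx) {
    model_pop_shrink((model_ary *)ctx);
    return (a > b) - (a < b);
}

/*
 * sort!-with-callback: copy ary into tmp, sort tmp (the callback may mutate
 * ary), then copy tmp back over ary.  Returns the number of bytes an
 * unchecked copy-back would write past ary's buffer; 0 means the copy was
 * performed safely.  The out-of-bounds write itself is never executed.
 */
static size_t model_sort_bang(model_ary *ary, model_cmp cmp, bool guarded) {
    model_ary tmp;
    tmp.len = tmp.capa = ary->len;
    tmp.ptr = malloc((tmp.len ? tmp.len : 1) * sizeof(slot_t));
    memcpy(tmp.ptr, ary->ptr, tmp.len * sizeof(slot_t));

    insertion_sort(tmp.ptr, tmp.len, cmp, ary);   /* ary may change here */

    size_t overflow = 0;
    if (tmp.len > ary->capa) {
        if (guarded) {
            /* The fix the report describes: make sure ary can hold tmp.len
             * before copying back. */
            ary->ptr  = realloc(ary->ptr, tmp.len * sizeof(slot_t));
            ary->capa = tmp.len;
        } else {
            overflow = (tmp.len - ary->capa) * sizeof(slot_t);
        }
    }
    if (overflow == 0) {
        memcpy(ary->ptr, tmp.ptr, tmp.len * sizeof(slot_t));
        ary->len = tmp.len;
    }
    free(tmp.ptr);
    return overflow;
}

static bool model_is_sorted(const model_ary *a) {
    for (size_t i = 1; i < a->len; i++) if (a->ptr[i - 1] > a->ptr[i]) return false;
    return true;
}

int main(void) {
    model_ary a, b;
    model_init(&a, 70);
    printf("unguarded: %zu bytes past end (len=%zu capa=%zu)\n",
           model_sort_bang(&a, popping_cmp, false), a.len, a.capa);
    model_init(&b, 70);
    printf("guarded:   %zu bytes past end (len=%zu capa=%zu sorted=%d)\n",
           model_sort_bang(&b, popping_cmp, true), b.len, b.capa, model_is_sorted(&b));
    model_free(&a); model_free(&b);
    return 0;
}
```

With 70 descending elements the popping comparator runs far more than 70 times, so the receiver is drained to `len=0` and shrunk to `capa=14` before the copy-back, while `tmp` still holds 70 elements; the unguarded path would write 56 slots past the end, the guarded path regrows the receiver and ends with the 70 elements sorted.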

Thread overview: 2+ messages
2024-04-14  0:47 zack.ref@gmail.com (Zack Deveau) via ruby-core [this message]
2024-04-14  5:49 ` [ruby-core:117511] [Ruby master Bug#20427] Backport: Heap buffer overflow in `Array#sort!` when block modifies target array nobu (Nobuyoshi Nakada) via ruby-core