From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from nue.mailmanlists.eu (nue.mailmanlists.eu [94.130.110.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by dcvr.yhbt.net (Postfix) with ESMTPS id 2BAF71F44D; Fri, 29 Mar 2024 06:19:05 +0000 (UTC)
Authentication-Results: dcvr.yhbt.net; dkim=pass (1024-bit key; secure) header.d=ml.ruby-lang.org header.i=@ml.ruby-lang.org header.a=rsa-sha256 header.s=mail header.b=zV8vmwKr; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=ruby-lang.org header.i=@ruby-lang.org header.a=rsa-sha256 header.s=s1 header.b=JxE1hTdU; dkim-atps=neutral
Received: from nue.mailmanlists.eu (localhost [127.0.0.1]) by nue.mailmanlists.eu (Postfix) with ESMTP id 419E8839ED; Fri, 29 Mar 2024 06:18:56 +0000 (UTC)
Received: from s.wrqvtvvn.outbound-mail.sendgrid.net (s.wrqvtvvn.outbound-mail.sendgrid.net [149.72.120.130]) by nue.mailmanlists.eu (Postfix) with ESMTPS id 35874839E8; Fri, 29 Mar 2024 06:18:54 +0000 (UTC)
Authentication-Results: nue.mailmanlists.eu; dkim=pass (2048-bit key; unprotected) header.d=ruby-lang.org header.i=@ruby-lang.org header.a=rsa-sha256 header.s=s1 header.b=JxE1hTdU; dkim-atps=neutral
Received: by recvd-7555548f4d-g8z8z with SMTP id recvd-7555548f4d-g8z8z-1-66065D4D-1 2024-03-29 06:18:53.003394822 +0000 UTC m=+897504.019872345
Received: from herokuapp.com (unknown) by geopod-ismtpd-5 (SG) with ESMTP id lLQ7BvJNQ9y8lFq0o9DRpg; Fri, 29 Mar 2024 06:18:52.984 +0000 (UTC)
Date: Fri, 29 Mar 2024 06:18:53 +0000 (UTC)
Mime-Version: 1.0
X-Redmine-Project: ruby-master
X-Redmine-Issue-Tracker: Bug
X-Redmine-Issue-Id: 20398
X-Redmine-Issue-Author: kjtsanaktsidis
X-Redmine-Issue-Assignee: kjtsanaktsidis
X-Redmine-Issue-Priority: Normal
X-Redmine-Sender: kjtsanaktsidis
X-Mailer: Redmine
X-Redmine-Host: bugs.ruby-lang.org
X-Redmine-Site: Ruby Issue Tracking System
X-Auto-Response-Suppress: All
Auto-Submitted: auto-generated
X-Redmine-MailingListIntegration-Message-Ids: 93970
To: ruby-core@ml.ruby-lang.org
Message-ID-Hash: V7XNSFYDMFKMJOZTMWQOOVUUQE6P7XXL
X-MailFrom: bounces+313651-b711-ruby-core=ml.ruby-lang.org@em5188.ruby-lang.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.3
Precedence: list
Reply-To: Ruby developers
Subject: [ruby-core:117374] [Ruby master Bug#20398] heap-buffer-overflow in numeric literal parsing
List-Id: Ruby developers
From: "kjtsanaktsidis (KJ Tsanaktsidis) via ruby-core"
Cc: "kjtsanaktsidis (KJ Tsanaktsidis)"
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Issue #20398 has been updated by kjtsanaktsidis (KJ Tsanaktsidis).

Thank you, that fixed it yes. And it's a much better fix :)

----------------------------------------
Bug #20398: heap-buffer-overflow in numeric literal parsing
https://bugs.ruby-lang.org/issues/20398#change-107533

* Author: kjtsanaktsidis (KJ Tsanaktsidis)
* Status: Closed
* Assignee: kjtsanaktsidis (KJ Tsanaktsidis)
* Backport: 3.0: DONTNEED, 3.1: DONTNEED, 3.2: DONTNEED, 3.3: DONTNEED
----------------------------------------
I found the following ASAN error in `TestRubyLiteral#test_integer`. It appears that this code is calling strdup on a non-null terminated string.
```
[1/1] TestRubyLiteral#test_integer
=================================================================
==484771==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5060001ab1fc at pc 0x5597fe21d8e1 bp 0x7ffdc6fb0a50 sp 0x7ffdc6fb0210
READ of size 61 at 0x5060001ab1fc thread T0
    #0 0x5597fe21d8e0 in strlen.part.0 /home/kj/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:391:5
    #1 0x5597fe6b2feb in ruby_strdup /home/kj/ruby/build/../util.c:538:18
    #2 0x5597fe4cb1c5 in set_number_literal /home/kj/ruby/build/parse.y:9694:9
    #3 0x5597fe4cab3d in no_digits /home/kj/ruby/build/parse.y:10409:12
    #4 0x5597fe4b9de9 in parse_numeric /home/kj/ruby/build/parse.y
    #5 0x5597fe4a8adf in parser_yylex /home/kj/ruby/build/parse.y
    #6 0x5597fe45c5cd in yylex /home/kj/ruby/build/parse.y:11916:9
    #7 0x5597fe45c5cd in ruby_yyparse /home/kj/ruby/build/parse.c:11200:16
    #8 0x5597fe49dc00 in yycompile0 /home/kj/ruby/build/parse.y:8121:9
    #9 0x5597fe76db1b in rb_suppress_tracing /home/kj/ruby/build/../vm_trace.c:487:18
    #10 0x5597fe494416 in yycompile /home/kj/ruby/build/parse.y:8177:5
    #11 0x5597fe494416 in parser_compile_string /home/kj/ruby/build/parse.y:8240:12
    #12 0x5597fe494416 in rb_ruby_parser_compile_string_path /home/kj/ruby/build/parse.y:8247:12
    #13 0x5597fe498858 in rb_parser_compile_string_path /home/kj/ruby/build/parse.y:16663:12
    #14 0x5597fe75688c in eval_make_iseq /home/kj/ruby/build/../vm_eval.c:1799:11
    #15 0x5597fe70c8fa in eval_string_with_cref /home/kj/ruby/build/../vm_eval.c:1837:12
    #16 0x5597fe70c396 in rb_f_eval /home/kj/ruby/build/../vm_eval.c:1912:16
    #17 0x5597fe73f5e2 in vm_call_cfunc_with_frame_ /home/kj/ruby/build/../vm_insnhelper.c:3492:11
    #18 0x5597fe6dca64 in vm_sendish /home/kj/ruby/build/../vm_callinfo.h
    #19 0x5597fe6e64fa in vm_exec_core /home/kj/ruby/build/../insns.def:867:11
    #20 0x5597fe6dde00 in vm_exec_loop /home/kj/ruby/build/../vm.c:2578:22
    #21 0x5597fe6dde00 in rb_vm_exec /home/kj/ruby/build/../vm.c:2557:18
    #22 0x5597fe758bc4 in invoke_block /home/kj/ruby/build/../vm.c:1515:12
    #23 0x5597fe758bc4 in invoke_iseq_block_from_c /home/kj/ruby/build/../vm.c:1585:16
    #24 0x5597fe758bc4 in invoke_block_from_c_bh /home/kj/ruby/build/../vm.c:1603:20
    #25 0x5597fe70e4b7 in vm_yield_with_cref /home/kj/ruby/build/../vm.c:1640:12
    #26 0x5597fe709861 in vm_yield /home/kj/ruby/build/../vm.c:1648:12
    #27 0x5597fe709861 in rb_yield_0 /home/kj/ruby/build/../vm_eval.c:1366:12
    #28 0x5597fe709861 in rb_yield /home/kj/ruby/build/../vm_eval.c
    #29 0x5597fec0eff9 in rb_ary_collect /home/kj/ruby/build/../array.c:3601:30
    #30 0x5597fe73f5e2 in vm_call_cfunc_with_frame_ /home/kj/ruby/build/../vm_insnhelper.c:3492:11
    #31 0x5597fe6dca64 in vm_sendish /home/kj/ruby/build/../vm_callinfo.h
    #32 0x5597fe6e2d8f in vm_exec_core /home/kj/ruby/build/../insns.def:847:11
    #33 0x5597fe6dde00 in vm_exec_loop /home/kj/ruby/build/../vm.c:2578:22
    #34 0x5597fe6dde00 in rb_vm_exec /home/kj/ruby/build/../vm.c:2557:18
    #35 0x5597fe3ffe9e in load_iseq_eval /home/kj/ruby/build/../load.c:778:5
    #36 0x5597fe3fb498 in require_internal /home/kj/ruby/build/../load.c:1284:21
    #37 0x5597fe3f9bf3 in rb_require_string_internal /home/kj/ruby/build/../load.c:1383:18
    #38 0x5597fe73f5e2 in vm_call_cfunc_with_frame_ /home/kj/ruby/build/../vm_insnhelper.c:3492:11
    #39 0x5597fe6dca64 in vm_sendish /home/kj/ruby/build/../vm_callinfo.h
    #40 0x5597fe6e64fa in vm_exec_core /home/kj/ruby/build/../insns.def:867:11
    #41 0x5597fe6dda82 in rb_vm_exec /home/kj/ruby/build/../vm.c:2551:22
    #42 0x5597fe30a753 in rb_ec_exec_node /home/kj/ruby/build/../eval.c:283:9
    #43 0x5597fe30a43d in ruby_run_node /home/kj/ruby/build/../eval.c:323:30
    #44 0x5597fe3059b0 in rb_main /home/kj/ruby/build/../main.c:40:12
    #45 0x5597fe3059b0 in main /home/kj/ruby/build/../main.c:59:12
    #46 0x7f1a93141149 in __libc_start_call_main /usr/src/debug/glibc-2.38-16.fc39.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #47 0x7f1a9314120a in __libc_start_main@GLIBC_2.2.5 /usr/src/debug/glibc-2.38-16.fc39.x86_64/csu/../csu/libc-start.c:360:3
    #48 0x5597fe1d3e34 in _start (/home/kj/ruby/build/ruby+0x38ae34)

0x5060001ab1fc is located 0 bytes after 60-byte region [0x5060001ab1c0,0x5060001ab1fc)
allocated by thread T0 here:
    #0 0x5597fe2bde4f in malloc /home/kj/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x5597fe3491a9 in objspace_xmalloc0 /home/kj/ruby/build/../gc.c:12605:5
    #2 0x5597fe4a8adf in parser_yylex /home/kj/ruby/build/parse.y
    #3 0x5597fe45c5cd in yylex /home/kj/ruby/build/parse.y:11916:9
    #4 0x5597fe45c5cd in ruby_yyparse /home/kj/ruby/build/parse.c:11200:16
    #5 0x5597fe49dc00 in yycompile0 /home/kj/ruby/build/parse.y:8121:9

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kj/ruby/build/../util.c:538:18 in ruby_strdup
Shadow bytes around the buggy address:
  0x5060001aaf00: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x5060001aaf80: 00 00 00 00 00 00 00 04 fa fa fa fa 00 00 00 00
  0x5060001ab000: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x5060001ab080: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x5060001ab100: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
=>0x5060001ab180: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00[04]
  0x5060001ab200: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x5060001ab280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5060001ab300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5060001ab380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5060001ab400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==484771==ABORTING
```

-- 
https://bugs.ruby-lang.org/

______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/
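The bug class in the report above (a lexer hands a length-delimited, unterminated token buffer to strdup(), whose internal strlen() scans past the allocation) is easy to reproduce in miniature. The C program below is an added example written for this page, not Ruby's parser code: the `token_t` type, `token_new`, `token_dup_unsafe`, `token_dup`, `token_is_terminated` and `demo_numeric_token` are hypothetical names, and the 60-digit input is constructed to match the 60-byte region in the ASAN output. It shows the buggy pattern next to the length-aware copy that fixes it, plus a memchr() pre-check a reviewer can demand before any strlen-family call on a buffer whose terminator is not guaranteed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical stand-in for a lexer's token buffer: the lexer knows how
 * many bytes it accumulated, so it allocates exactly `len` bytes and never
 * writes a terminating NUL. (Constructed for this example; not Ruby's code.)
 */
typedef struct {
    char  *buf;   /* exactly `len` bytes, NOT NUL-terminated */
    size_t len;
} token_t;

static token_t token_new(const char *src, size_t len)
{
    token_t t;
    t.len = 0;
    t.buf = malloc(len);           /* no +1: no room for a terminator, on purpose */
    if (t.buf == NULL)
        return t;
    memcpy(t.buf, src, len);
    t.len = len;
    return t;
}

static void token_free(token_t *t)
{
    free(t->buf);
    t->buf = NULL;
    t->len = 0;
}

/*
 * BUGGY pattern from the report: strdup() runs strlen(), which keeps reading
 * until it finds a NUL. On a length-delimited buffer that read runs off the
 * end of the allocation; ASAN flags it as a heap-buffer-overflow READ one
 * byte past the region (size 61 for a 60-byte buffer). Kept for reference
 * only and deliberately never called here.
 */
char *token_dup_unsafe(const token_t *t)
{
    return strdup(t->buf);         /* reads beyond t->buf[t->len - 1] */
}

/* Pre-check for any strlen-family call: is there a NUL within `cap` bytes? */
static int token_is_terminated(const char *p, size_t cap)
{
    return memchr(p, '\0', cap) != NULL;
}

/*
 * FIXED pattern: the caller already knows the length, so copy exactly that
 * many bytes and append the NUL itself. strlen() never touches the source.
 */
static char *token_dup(const token_t *t)
{
    char *copy = malloc(t->len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, t->buf, t->len);
    copy[t->len] = '\0';
    return copy;
}

/*
 * Returns 1 when a 60-byte unterminated token (the region size in the ASAN
 * report) is confirmed to lack a NUL and the safe copy round-trips exactly;
 * 0 otherwise.
 */
static int demo_numeric_token(void)
{
    /* Constructed input: a 60-character digit run, the kind of text a lexer
       accumulates for a long integer literal. */
    static const char src[] =
        "123456789012345678901234567890123456789012345678901234567890";
    size_t len = sizeof(src) - 1;          /* 60 */
    token_t tok = token_new(src, len);
    if (tok.buf == NULL)
        return 0;

    int src_unterminated = !token_is_terminated(tok.buf, tok.len);

    char *copy = token_dup(&tok);
    int ok = copy != NULL
          && src_unterminated
          && strlen(copy) == len             /* safe now: copy carries a NUL */
          && memcmp(copy, src, len) == 0;

    free(copy);
    token_free(&tok);
    return ok;
}

int main(void)
{
    int ok = demo_numeric_token();
    printf("unterminated 60-byte token copied safely: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Build it with `-fsanitize=address` and swap `token_dup` for `token_dup_unsafe` in `demo_numeric_token` to see the same "READ of size 61 ... 0 bytes after 60-byte region" shape as the report; the memchr() check is what lets a caller refuse the strdup() path instead of discovering the overflow at runtime.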