ruby-core@ruby-lang.org archive (unofficial mirror)
* [ruby-core:58592] [ruby-trunk - Bug #9157][Open] rb_readlink() calls rb_str_modify_expand() too early
From: nowacki (Maciek Nowacki) @ 2013-11-26  6:12 UTC
  To: ruby-core


Issue #9157 has been reported by nowacki (Maciek Nowacki).

----------------------------------------
Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157

Author: nowacki (Maciek Nowacki)
Status: Open
Priority: Normal
Assignee: 
Category: core
Target version: current: 2.1.0
ruby -v: ruby 2.0.0p353 (2013-11-22) [x86_64-linux]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


If rb_readlink() (file.c) is called on a long symlink, Ruby tends to crash. This is present in -trunk. The problem is that the rb_str_modify_expand() statement is incorrectly placed before the statement 'size*=2'. Here is a patch:

--- -	2013-11-25 22:10:59.694183795 -0700
+++ file.c	2013-11-25 22:10:03.076352889 -0700
@@ -2529,8 +2529,8 @@
	    || (rv < 0 && errno == ERANGE) /* quirky behavior of GPFS */
#endif
	) {
-	rb_str_modify_expand(v, size);
	size *= 2;
+	rb_str_modify_expand(v, size);
   }
   if (rv < 0) {
	rb_str_resize(v, 0);
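Review bot: the reorder removes the crash but the hunk does not say why it works, and the reason is fragile. rb_str_modify_expand(v, n) grows the capacity to the string's current length plus n (the r43853 log later in this thread confirms it expands from the length, not the capacity), and nothing in this loop updates v's length, so after the move the loop relies on len + 2*size always covering the next readlink() of 2*size bytes, which holds only because len stays at its initial value. Make the invariant explicit by setting the length before each expansion, e.g. `rb_str_set_len(v, size);` ahead of `rb_str_modify_expand(v, size);` with `size *= 2;` kept after, and add a regression test with a link target longer than the initial buffer.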


-- 
http://bugs.ruby-lang.org/


* [ruby-core:58593] Re: [ruby-trunk - Bug #9157][Open] rb_readlink() calls rb_str_modify_expand() too early
From: Антонов Александр @ 2013-11-26  6:19 UTC
  To: Ruby developers



unsubscribe 



* [ruby-core:58598] [ruby-trunk - Bug #9157] rb_readlink() calls rb_str_modify_expand() too early
From: nobu (Nobuyoshi Nakada) @ 2013-11-26  7:32 UTC
  To: ruby-core


Issue #9157 has been updated by nobu (Nobuyoshi Nakada).

Backport changed from 1.9.3: UNKNOWN, 2.0.0: UNKNOWN to 1.9.3: DONTNEED, 2.0.0: REQUIRED


----------------------------------------
Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157#change-43167

Author: nowacki (Maciek Nowacki)
Status: Closed
Priority: Normal
Assignee: 
Category: core
Target version: current: 2.1.0
ruby -v: ruby 2.0.0p353 (2013-11-22) [x86_64-linux]
Backport: 1.9.3: DONTNEED, 2.0.0: REQUIRED


-- 
http://bugs.ruby-lang.org/


* [ruby-core:58611] [ruby-trunk - Bug #9157] rb_readlink() calls rb_str_modify_expand() too early
From: nowacki (Maciek Nowacki) @ 2013-11-26 21:03 UTC
  To: ruby-core


Issue #9157 has been updated by nowacki (Maciek Nowacki).


nobu (Nobuyoshi Nakada) wrote:
> This issue was solved with changeset r43853.
Ah, I didn't realize that rb_str_modify_expand() takes a difference as its argument, not the total buffer length. This works because the function doubles the buffer size, which is the same as adding as much buffer capacity as is already present (size before *=2). My proposed fix simply made the problem less obvious. Interesting.

> Maciek, thank you for reporting this issue.
> Your contribution to Ruby is greatly appreciated.
> May Ruby be with you.
> 
> 
> ----------
> file.c: fix buffer overflow
> 
> * file.c (rb_readlink): fix buffer overflow on a long symlink. since
>   rb_str_modify_expand() expands from its length but not its capacity,
>   need to set the length properly for each expansion.
>   [ruby-core:58592] [Bug #9157]


----------------------------------------
Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157#change-43179

Author: nowacki (Maciek Nowacki)
Status: Closed
Priority: Normal
Assignee: 
Category: core
Target version: current: 2.1.0
ruby -v: ruby 2.0.0p353 (2013-11-22) [x86_64-linux]
Backport: 1.9.3: DONTNEED, 2.0.0: REQUIRED


-- 
http://bugs.ruby-lang.org/
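To make the length-versus-capacity point from the bug report and the r43853 log concrete, here is an added model of the rb_readlink() growth loop (a constructed example, not Ruby's file.c) that replays the original code, the patch proposed in this thread, and the committed fix under rb_str_modify_expand()'s length-relative semantics. The 100-byte initial buffer and the two-field string struct are assumptions of the model.

```c
/* Constructed model of the rb_readlink() growth loop from Bug #9157; not
 * Ruby's own code. rb_str_modify_expand(str, n) guarantees room for
 * len + n bytes, so n is relative to the current length, not a total. */
#include <stddef.h>
#include <stdio.h>

enum variant { ORIGINAL, REPORTER_PATCH, COMMITTED_FIX };

struct rstr { size_t len, capa; };   /* the two fields that matter here */

/* rb_str_modify_expand() as described in the r43853 commit log */
static void modify_expand(struct rstr *s, size_t expand)
{
    if (s->len + expand > s->capa) s->capa = s->len + expand;
}

/* Replay the loop for a link target of target_len bytes. Returns the first
 * buffer size at which readlink() would write past the allocation, or 0
 * when the loop terminates without overflowing. The 100-byte initial
 * buffer is an assumption for this model. */
size_t first_overflow(enum variant v, size_t target_len)
{
    size_t size = 100;
    size_t rv;
    struct rstr s = { size, size };  /* rb_str_new(0, size): len == capa */
    for (;;) {
        if (size > s.capa) return size;          /* readlink() would overflow */
        rv = target_len < size ? target_len : size;
        if (rv != size) return 0;                /* target fit: loop ends */
        switch (v) {
        case ORIGINAL:       modify_expand(&s, size); size *= 2; break;
        case REPORTER_PATCH: size *= 2; modify_expand(&s, size); break;
        case COMMITTED_FIX:  s.len = size; modify_expand(&s, size); size *= 2; break;
        }
    }
}

int main(void)
{
    /* A 1000-byte link target: the original code writes 400 bytes into a
     * 300-byte buffer on the third pass; both fixes stay within bounds. */
    printf("original:       overflow at size %zu\n", first_overflow(ORIGINAL, 1000));
    printf("reporter patch: overflow at size %zu\n", first_overflow(REPORTER_PATCH, 1000));
    printf("committed fix:  overflow at size %zu\n", first_overflow(COMMITTED_FIX, 1000));
    return 0;
}
```

The reporter's reorder only avoids the overflow because the string's length is never updated and so always pads the expansion; the committed fix makes the buffer size track the length explicitly.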


* [ruby-core:58646] [ruby-trunk - Bug #9157] rb_readlink() calls rb_str_modify_expand() too early
From: vpereira (Victor Pereira) @ 2013-11-27 17:09 UTC
  To: ruby-core


Issue #9157 has been updated by vpereira (Victor Pereira).


Does it deserve a CVE?
----------------------------------------
Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157#change-43214

Author: nowacki (Maciek Nowacki)
Status: Closed
Priority: Normal
Assignee: 
Category: core
Target version: current: 2.1.0
ruby -v: ruby 2.0.0p353 (2013-11-22) [x86_64-linux]
Backport: 1.9.3: DONTNEED, 2.0.0: REQUIRED


-- 
http://bugs.ruby-lang.org/


* [ruby-core:58705] [ruby-trunk - Bug #9157] rb_readlink() calls rb_str_modify_expand() too early
From: nobu (Nobuyoshi Nakada) @ 2013-11-29 23:57 UTC
  To: ruby-core


Issue #9157 has been updated by nobu (Nobuyoshi Nakada).


No, just a usual bug which aborts by local filesystem access.
----------------------------------------
Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157#change-43271

Author: nowacki (Maciek Nowacki)
Status: Closed
Priority: Normal
Assignee: 
Category: core
Target version: current: 2.1.0
ruby -v: ruby 2.0.0p353 (2013-11-22) [x86_64-linux]
Backport: 1.9.3: DONTNEED, 2.0.0: REQUIRED


-- 
http://bugs.ruby-lang.org/


* [ruby-core:58794] [ruby-trunk - Bug #9157] rb_readlink() calls rb_str_modify_expand() too early
From: nagachika (Tomoyuki Chikanaga) @ 2013-12-02 14:07 UTC
  To: ruby-core


Issue #9157 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 1.9.3: DONTNEED, 2.0.0: REQUIRED to 1.9.3: DONTNEED, 2.0.0: DONE

r43853 was backported to ruby_2_0_0 branch at r43959.
----------------------------------------
Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157#change-43363

Author: nowacki (Maciek Nowacki)
Status: Closed
Priority: Normal
Assignee: 
Category: core
Target version: current: 2.1.0
ruby -v: ruby 2.0.0p353 (2013-11-22) [x86_64-linux]
Backport: 1.9.3: DONTNEED, 2.0.0: DONE


-- 
http://bugs.ruby-lang.org/

