ruby-core@ruby-lang.org archive (unofficial mirror)
* [ruby-core:93207] [Ruby trunk Bug#15934] String#b can lead to memory corruption
From: XrXr @ 2019-06-17 19:50 UTC
  To: ruby-core

Issue #15934 has been reported by alanwu (Alan Wu).

----------------------------------------
Bug #15934: String#b can lead to memory corruption
https://bugs.ruby-lang.org/issues/15934

* Author: alanwu (Alan Wu)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: trunk(801d0d9), 2.4.6, 2.5.5, 2.6.3
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
The following script triggers a use-after-free on trunk(801d0d9), 2.4.6, 2.5.5 and 2.6.3.

```ruby
a = ('j' * 24).b.b
eval('', binding, a)

p a
4.times { GC.start }
p a
```

The consequence is usually that `a` gets corrupted (it depends on what the system allocator does when it frees memory). Here is a sample output for the script:
```
$> ruby -v bad.rb
ruby 2.6.3p62 (2019-04-16 revision 67580) [x86_64-darwin18]
"jjjjjjjjjjjjjjjjjjjjjjjj"
"D[D'\xFD\a\x00\xF0\x00\x00\x00\x00\x00\x00\x00\x90\x18\x00jjjjjj"
```
This is caused by the same underlying issue as #15792. Credits to wanabe-san for using eval as a cross-version way of registering a fstring.

I have a fix for this: https://github.com/ruby/ruby/pull/2183



-- 
https://bugs.ruby-lang.org/
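The reproducer above corrupts memory inside the interpreter that runs it, so a regression check belongs in a child process. The following is an added example, not code from the report or from the ruby/ruby pull request: it runs the reporter's script in a fresh interpreter (the one named by `RbConfig.ruby`, an assumption you can override) and reports whether the string still reads as 24 `j` bytes after the GC cycles, which is the observable symptom the report describes.

```ruby
require "open3"
require "rbconfig"

# Reproducer taken verbatim from the bug report; the expected content of `a`
# before and after GC is 24 'j' bytes.
REPRO = <<~'RUBY'
  a = ('j' * 24).b.b
  eval('', binding, a)
  p a
  4.times { GC.start }
  p a
RUBY

# What a healthy interpreter prints for both `p a` lines.
EXPECTED = ('j' * 24).inspect

# Runs the reproducer in a separate interpreter so any memory corruption is
# confined there, and returns a Hash describing the outcome.
def check_string_b_fstring(ruby = RbConfig.ruby)
  out, err, status = Open3.capture3(ruby, "--disable-gems", "-e", REPRO)
  lines = out.lines.map(&:chomp)
  {
    exited_normally: status.success?,
    before_gc: lines[0],
    after_gc: lines[1],
    # Corruption shows up as a changed second line, or as a crash that
    # leaves no second line at all.
    intact: status.success? && lines == [EXPECTED, EXPECTED],
    stderr: err,
  }
end

if __FILE__ == $PROGRAM_NAME
  r = check_string_b_fstring
  puts "#{RUBY_DESCRIPTION}: #{r[:intact] ? 'not affected' : 'AFFECTED'}"
  unless r[:intact]
    puts "before GC: #{r[:before_gc].inspect}"
    puts "after GC:  #{r[:after_gc].inspect}"
  end
end
```

Pass a different interpreter path to `check_string_b_fstring` to verify a backported build (for example a 2.5 or 2.6 install) without running the reproducer in the current process.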


* [ruby-core:94175] [Ruby master Bug#15934] String#b can lead to memory corruption
From: nagachika00 @ 2019-08-07 12:23 UTC
  To: ruby-core

Issue #15934 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE

ruby_2_6 r67733 merged revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca.

----------------------------------------
Bug #15934: String#b can lead to memory corruption
https://bugs.ruby-lang.org/issues/15934#change-80433

* Author: alanwu (Alan Wu)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: trunk(801d0d9), 2.4.6, 2.5.5, 2.6.3
* Backport: 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE
----------------------------------------



-- 
https://bugs.ruby-lang.org/


* [ruby-core:94576] [Ruby master Bug#15934] String#b can lead to memory corruption
From: usa @ 2019-08-26 16:09 UTC
  To: ruby-core

Issue #15934 has been updated by usa (Usaku NAKAMURA).

Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE to 2.4: REQUIRED, 2.5: DONE, 2.6: DONE

ruby_2_5 r67767 merged revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca.

----------------------------------------
Bug #15934: String#b can lead to memory corruption
https://bugs.ruby-lang.org/issues/15934#change-81034

* Author: alanwu (Alan Wu)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: trunk(801d0d9), 2.4.6, 2.5.5, 2.6.3
* Backport: 2.4: REQUIRED, 2.5: DONE, 2.6: DONE
----------------------------------------



-- 
https://bugs.ruby-lang.org/
