Bug #12420

closed

Regexp: Segfault due to Invalid Read in regparse.c : bbuf_free()

Added by grajagandev (David Moore) almost 8 years ago. Updated almost 8 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]
[ruby-core:75702]

Description

A crafted regular expression will cause an invalid 4-byte read on 32-bit Ubuntu 14.04. The regular expression fails to close a character class and has an octal space as the first character in the character class.

grajagandev# cat load-re.rb
File.open(ARGV[0]) do |f|
  @re = Regexp.new("/" + File.read(f) + "/")
end
grajagandev# xxd badread-bbuf_free
0000000: 5b5c 3430 3030 3030 3030 3030 30         [\40000000000
grajagandev# ruby -v
ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]
grajagandev# uname -a
Linux x-Acer 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux

grajagandev# valgrind --max-stackframe=90000000 ruby load-re.rb badread-bbuf_free
==7692== Memcheck, a memory error detector
==7692== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==7692== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==7692== Command: ruby load-re.rb badread-bbuf_free
==7692== 
==7692== Invalid read of size 4
==7692==    at 0x1C02EF: bbuf_free (regparse.c:112)
==7692==    by 0x1C13AB: onig_node_free (regparse.c:1079)
==7692==    by 0x1CD909: parse_branch (regparse.c:6367)
==7692==    by 0x1CD9BD: parse_subexp (regparse.c:6395)
==7692==    by 0x1CDB5D: parse_regexp (regparse.c:6443)
==7692==    by 0x1CDC80: onig_parse_make_tree (regparse.c:6485)
==7692==    by 0x1B27C6: onig_compile (regcomp.c:5739)
==7692==    by 0x1A0C20: onig_new_with_source (re.c:849)
==7692==    by 0x1A0CA8: make_regexp (re.c:873)
==7692==    by 0x1A479D: rb_reg_initialize (re.c:2546)
==7692==    by 0x1A4905: rb_reg_initialize_str (re.c:2571)
==7692==    by 0x1A5BE3: rb_reg_initialize_m (re.c:3071)
==7692==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
==7692== 
load-re.rb:2: [BUG] Segmentation fault at 0x000001
ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]

-- Control frame information -----------------------------------------------
c:0006 p:---- s:0017 e:000016 CFUNC  :initialize
c:0005 p:---- s:0015 e:000014 CFUNC  :new
c:0004 p:0036 s:0011 e:000010 BLOCK  load-re.rb:2 [FINISH]
c:0003 p:---- s:0008 e:000007 CFUNC  :open
c:0002 p:0024 s:0004 E:001848 EVAL   load-re.rb:1 [FINISH]
c:0001 p:0000 s:0002 E:002708 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
load-re.rb:1:in `<main>'
load-re.rb:1:in `open'
load-re.rb:2:in `block in <main>'
load-re.rb:2:in `new'
load-re.rb:2:in `initialize'

-- Machine register context ------------------------------------------------
  GS: 0x0000000b  FS: 0x00000000  ES: 0x0000007b  DS: 0x0000007b EDI: 0xbe85d260
 ESI: 0xbe85d1e8 EBP: 0xbe85d058 ESP: 0xbe85d040 EBX: 0x003ad000 EDX: 0x00000000
 ECX: 0x00010000 EAX: 0x00000001 TRA: 0x0000000e ERR: 0x00000004 EIP: 0x001c02ef
  CS: 0x00000073 EFL: 0x00000000 UES: 0x00000000  SS: 0x0000007b

-- C level backtrace information -------------------------------------------
/usr/local/bin/ruby(rb_print_backtrace+0x28) [0x25c05f] vm_dump.c:688
/usr/local/bin/ruby(rb_vm_bugreport+0xbf) [0x25c599] vm_dump.c:997
/usr/local/bin/ruby(rb_bug_context+0x7f) [0x2afe4c] error.c:435
/usr/local/bin/ruby(sigsegv+0x5c) [0x1d3bdc] signal.c:890
/lib/i386-linux-gnu/libpthread.so.0 [0x485f1e0]
/usr/local/bin/ruby(bbuf_free+0x1b) [0x1c02ef] regparse.c:112
/usr/local/bin/ruby(onig_node_free+0xe1) [0x1c13ac] regparse.c:1079
/usr/local/bin/ruby(parse_branch+0xe4) [0x1cd90a] regparse.c:6367
/usr/local/bin/ruby(parse_subexp+0x3d) [0x1cd9be] regparse.c:6395
/usr/local/bin/ruby(parse_regexp+0x66) [0x1cdb5e] regparse.c:6443
/usr/local/bin/ruby(onig_parse_make_tree+0x95) [0x1cdc81] regparse.c:6485
/usr/local/bin/ruby(onig_compile+0x114) [0x1b27c7] regcomp.c:5739
/usr/local/bin/ruby(onig_new_with_source+0xa1) [0x1a0c21] re.c:849
/usr/local/bin/ruby(make_regexp+0x60) [0x1a0ca9] re.c:873
/usr/local/bin/ruby(rb_reg_initialize+0x290) [0x1a479e] re.c:2546
/usr/local/bin/ruby(rb_reg_initialize_str+0xee) [0x1a4906] re.c:2571
/usr/local/bin/ruby(rb_reg_initialize_m+0x3c5) [0x1a5be4] re.c:3071
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0x243160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call0_cfunc_with_frame+0x14d) [0x25016b] vm_eval.c:131
/usr/local/bin/ruby(vm_call0_cfunc+0x2d) [0x25022b] vm_eval.c:148
/usr/local/bin/ruby(vm_call0_body+0x156) [0x250383] vm_eval.c:186
/usr/local/bin/ruby(vm_call0+0x58) [0x25001c] vm_eval.c:61
/usr/local/bin/ruby(rb_call0+0xb5) [0x2509ae] vm_eval.c:351
/usr/local/bin/ruby(rb_call+0x4f) [0x25143f] vm_eval.c:637
/usr/local/bin/ruby(rb_funcallv+0x2e) [0x251ada] vm_eval.c:848
/usr/local/bin/ruby(rb_obj_call_init+0x43) [0x1236f0] eval.c:1307
/usr/local/bin/ruby(rb_class_new_instance+0x39) [0x17db0b] object.c:1856
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0x243160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call_cfunc_with_frame+0x165) [0x243b20] vm_insnhelper.c:1638
/usr/local/bin/ruby(vm_call_cfunc+0x82) [0x243c2d] vm_insnhelper.c:1733
/usr/local/bin/ruby(vm_call_method_each_type+0xa3) [0x24482d] vm_insnhelper.c:2022
/usr/local/bin/ruby(vm_call_method+0x6e) [0x244ebc] vm_insnhelper.c:2146
/usr/local/bin/ruby(vm_call_general+0x2d) [0x2450a7] vm_insnhelper.c:2189
/usr/local/bin/ruby(vm_exec_core+0x1f46) [0x248098] insns.def:995
/usr/local/bin/ruby(vm_exec+0xd2) [0x257b8e] vm.c:1650
/usr/local/bin/ruby(invoke_block+0xbb) [0x255b66] vm.c:921
/usr/local/bin/ruby(invoke_block_from_c_0+0x1d8) [0x255ede] vm.c:971
/usr/local/bin/ruby(invoke_block_from_c_splattable+0x43) [0x255f83] vm.c:988
/usr/local/bin/ruby(vm_yield+0x4d) [0x2560bd] vm.c:1023
/usr/local/bin/ruby(rb_yield_0+0x2e) [0x251f10] vm_eval.c:1010
/usr/local/bin/ruby(rb_yield_1+0x19) [0x251f2f] vm_eval.c:1016
/usr/local/bin/ruby(rb_yield+0x2d) [0x251f5e] vm_eval.c:1026
/usr/local/bin/ruby(rb_ensure+0x10f) [0x122810] eval.c:901
/usr/local/bin/ruby(rb_io_s_open+0x5d) [0x1573c0] io.c:6384
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0x243160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call_cfunc_with_frame+0x165) [0x243b20] vm_insnhelper.c:1638
/usr/local/bin/ruby(vm_call_cfunc+0x82) [0x243c2d] vm_insnhelper.c:1733
/usr/local/bin/ruby(vm_call_method_each_type+0xa3) [0x24482d] vm_insnhelper.c:2022
/usr/local/bin/ruby(vm_call_method+0x6e) [0x244ebc] vm_insnhelper.c:2146
/usr/local/bin/ruby(vm_call_general+0x2d) [0x2450a7] vm_insnhelper.c:2189
/usr/local/bin/ruby(vm_exec_core+0x1da6) [0x247ef8] insns.def:964
/usr/local/bin/ruby(vm_exec+0xd2) [0x257b8e] vm.c:1650
/usr/local/bin/ruby(rb_iseq_eval_main+0x38) [0x25863b] vm.c:1893
/usr/local/bin/ruby(ruby_exec_internal+0x123) [0x121235] eval.c:245
/usr/local/bin/ruby(ruby_exec_node+0x28) [0x121343] eval.c:310
/usr/local/bin/ruby(ruby_run_node+0x38) [0x121311] eval.c:302
/usr/local/bin/ruby(main+0x68) [0x11f0b3] main.c:36

-- Other runtime information -----------------------------------------------

* Loaded script: load-re.rb

* Loaded features:

* Process memory map:


[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html

==7692== 
==7692== HEAP SUMMARY:
==7692==     in use at exit: 2,766,355 bytes in 32,032 blocks
==7692==   total heap usage: 52,398 allocs, 20,366 frees, 6,177,813 bytes allocated
==7692== 
==7692== LEAK SUMMARY:
==7692==    definitely lost: 312 bytes in 3 blocks
==7692==    indirectly lost: 3,540 bytes in 70 blocks
==7692==      possibly lost: 136 bytes in 1 blocks
==7692==    still reachable: 2,762,367 bytes in 31,958 blocks
==7692==         suppressed: 0 bytes in 0 blocks
==7692== Rerun with --leak-check=full to see details of leaked memory
==7692== 
==7692== For counts of detected and suppressed errors, rerun with: -v
==7692== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Killed

Files

load-re.rb (79 Bytes) load-re.rb grajagandev (David Moore), 05/24/2016 01:36 PM
badread-bbuf_free (13 Bytes) badread-bbuf_free grajagandev (David Moore), 05/24/2016 01:36 PM

Related issues 1 (0 open, 1 closed)

Related to Ruby master - Bug #12423: Regexp: Heap Buffer Overflow in regparse.c : next_state_value() (Closed)

#1

Updated by naruse (Yui NARUSE) almost 8 years ago

  • Status changed from Open to Closed

Applied in changeset r55163.


  • regparse.c (fetch_token_in_cc): raise error if given octal escaped
    character is too big. [Bug #12420] [Bug #12423]
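As an added example (my own code, not the reporter's script nor anything from the Ruby/Onigmo tree), the Ruby below re-creates in plain Ruby the bound check that r55163 puts into fetch_token_in_cc and then feeds the reporter's 13-byte pattern to the running interpreter, which on a fixed build answers with a RegexpError rather than the segfault shown above. The helper names scan_octal, octal_escape_in_cc and compile_outcome are mine, and the three-octal-digit scan mirrors what I assume Onigmo's scan_unsigned_octal_number does with a length limit of 3.

```ruby
# Added example, not part of the bug report. Models the fix for Bug #12420:
# an octal escape inside a character class must fit in one byte.

# Assumed to mirror scan_unsigned_octal_number(&p, end, 3, enc): consume at
# most +maxlen+ octal digits starting at +pos+; return [value, next_pos].
def scan_octal(str, pos, maxlen = 3)
  num = 0
  consumed = 0
  while consumed < maxlen && pos < str.length && ("0".."7").cover?(str[pos])
    num = num * 8 + (str[pos].ord - "0".ord)
    pos += 1
    consumed += 1
  end
  [num, pos]
end

# The check the fix adds: "\400" yields 256, which before r55163 became an
# out-of-range bitset index for the class. Now it is refused up front, here
# with ArgumentError standing in for ONIGERR_TOO_BIG_NUMBER.
def octal_escape_in_cc(pattern, pos)
  num, = scan_octal(pattern, pos)
  raise ArgumentError, "too big number" if num > 0xff
  num
end

# Regression probe for the interpreter you are running: :compiled when the
# pattern is accepted, :rejected when Onigmo reports a clean RegexpError.
def compile_outcome(source)
  Regexp.new(source)
  :compiled
rescue RegexpError
  :rejected
end

# Constructed input: the attachment badread-bbuf_free as shown by xxd in the
# report, "[\40000000000" (unclosed class whose first escape is octal 400).
POC = "[\\40000000000"

if __FILE__ == $0
  puts octal_escape_in_cc("[\\177]", 2)   # 127, fits in a byte
  begin
    octal_escape_in_cc(POC, 2)
  rescue ArgumentError => e
    puts "escape refused: #{e.message}"
  end
  puts compile_outcome("[\\177]")          # :compiled
  puts compile_outcome(POC)                # :rejected on a fixed Ruby
end
```

On a Ruby older than the backports listed below the last call would abort the process instead of returning, so this doubles as a quick patch-level check.
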

Updated by usa (Usaku NAKAMURA) almost 8 years ago

  • Backport changed from 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: UNKNOWN to 2.1: WONTFIX, 2.2: REQUIRED, 2.3: REQUIRED
#3

Updated by usa (Usaku NAKAMURA) almost 8 years ago

  • Related to Bug #12423: Regexp: Heap Buffer Overflow in regparse.c : next_state_value() added

Updated by usa (Usaku NAKAMURA) almost 8 years ago

  • Backport changed from 2.1: WONTFIX, 2.2: REQUIRED, 2.3: REQUIRED to 2.1: WONTFIX, 2.2: DONE, 2.3: REQUIRED

ruby_2_2 r55363 merged revision(s) 55163,55165.

Updated by nagachika (Tomoyuki Chikanaga) almost 8 years ago

  • Backport changed from 2.1: WONTFIX, 2.2: DONE, 2.3: REQUIRED to 2.1: WONTFIX, 2.2: DONE, 2.3: DONE

ruby_2_3 r55458 merged revision(s) 55163,55165.
