Bug #12390
Updated by shyouhei (Shyouhei Urabe) about 8 years ago
A heap buffer overflow occurs when marshal loading (un-marshaling) crafted data on 32-bit Ubuntu 14.04. It appears that a string length indicated by the marshaled data of 0x7fffffff triggers the overflow. It causes ruby to expect an embedded string of length RSTRING_EMBED_LEN_MAX, which is 11 on 32-bit. This may be related to issue #12195.

~~~
~/ruby-serial# cat load.rb
File.open(ARGV[0]) do |f|
  @gc = Marshal.load(f)
end
~/ruby-serial# xxd marshal-overflow
0000000: 0408 3afc ffff ff7f 3030 3030 3030 3030  ..:.....00000000
0000010: 3030 3030
~/ruby-serial# ruby -v
ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]
root@x-Acer:~/ruby-serial# uname -a
Linux x-Acer 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux
~/ruby-serial# ruby load.rb marshal-overflow
load.rb:3: [BUG] probable buffer overflow: 12 for 11
ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]

-- Control frame information -----------------------------------------------
c:0006 p:---- s:0017 e:000016 CFUNC  :read
c:0005 p:---- s:0015 e:000014 CFUNC  :load
c:0004 p:0016 s:0011 e:000010 BLOCK  load.rb:3 [FINISH]
c:0003 p:---- s:0008 e:000007 CFUNC  :open
c:0002 p:0024 s:0004 E:ffffea28 EVAL   load.rb:2 [FINISH]
c:0001 p:0000 s:0002 E:ffffe310 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
load.rb:2:in `<main>'
load.rb:2:in `open'
load.rb:3:in `block in <main>'
load.rb:3:in `load'
load.rb:3:in `read'

-- C level backtrace information -------------------------------------------
/usr/local/bin/ruby(rb_print_backtrace+0x28) [0xb75eb05f] vm_dump.c:688
/usr/local/bin/ruby(rb_vm_bugreport+0xbf) [0xb75eb599] vm_dump.c:997
/usr/local/bin/ruby(rb_bug+0x80) [0xb763edbd] error.c:420
/usr/local/bin/ruby(rb_str_set_len+0x94) [0xb7574609] string.c:2335
/usr/local/bin/ruby(io_set_read_length+0x55) [0xb74decfa] io.c:2382
/usr/local/bin/ruby(io_read+0x16c) [0xb74df8f9] io.c:2826
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0xb75d2160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call0_cfunc_with_frame+0x14d) [0xb75df16b] vm_eval.c:131
/usr/local/bin/ruby(vm_call0_cfunc+0x2d) [0xb75df22b] vm_eval.c:148
/usr/local/bin/ruby(vm_call0_body+0x156) [0xb75df383] vm_eval.c:186
/usr/local/bin/ruby(vm_call0+0x58) [0xb75df01c] vm_eval.c:61
/usr/local/bin/ruby(rb_call0+0xb5) [0xb75df9ae] vm_eval.c:351
/usr/local/bin/ruby(rb_call+0x4f) [0xb75e043f] vm_eval.c:637
/usr/local/bin/ruby(rb_funcallv+0x2e) [0xb75e0ada] vm_eval.c:848
/usr/local/bin/ruby(r_bytes1+0x46) [0xb74f45b7] marshal.c:1223
/usr/local/bin/ruby(r_bytes0+0x129) [0xb74f49d0] marshal.c:1299
/usr/local/bin/ruby(r_symreal+0x2c) [0xb74f4b57] marshal.c:1342
/usr/local/bin/ruby(r_object0+0x1655) [0xb74f6965] marshal.c:1954
/usr/local/bin/ruby(r_object+0x21) [0xb74f6a2f] marshal.c:1979
/usr/local/bin/ruby(rb_marshal_load_with_proc+0x23b) [0xb74f6d77] marshal.c:2078
/usr/local/bin/ruby(marshal_load+0x53) [0xb74f6b3a] marshal.c:2025
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0xb75d2160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call_cfunc_with_frame+0x165) [0xb75d2b20] vm_insnhelper.c:1638
/usr/local/bin/ruby(vm_call_cfunc+0x82) [0xb75d2c2d] vm_insnhelper.c:1733
/usr/local/bin/ruby(vm_call_method_each_type+0xa3) [0xb75d382d] vm_insnhelper.c:2022
/usr/local/bin/ruby(vm_call_method+0x6e) [0xb75d3ebc] vm_insnhelper.c:2146
/usr/local/bin/ruby(vm_call_general+0x2d) [0xb75d40a7] vm_insnhelper.c:2189
/usr/local/bin/ruby(vm_exec_core+0x1f46) [0xb75d7098] insns.def:995
/usr/local/bin/ruby(vm_exec+0xd2) [0xb75e6b8e] vm.c:1650
/usr/local/bin/ruby(invoke_block+0xbb) [0xb75e4b66] vm.c:921
/usr/local/bin/ruby(invoke_block_from_c_0+0x1d8) [0xb75e4ede] vm.c:971
/usr/local/bin/ruby(invoke_block_from_c_splattable+0x43) [0xb75e4f83] vm.c:988
/usr/local/bin/ruby(vm_yield+0x4d) [0xb75e50bd] vm.c:1023
/usr/local/bin/ruby(rb_yield_0+0x2e) [0xb75e0f10] vm_eval.c:1010
/usr/local/bin/ruby(rb_yield_1+0x19) [0xb75e0f2f] vm_eval.c:1016
/usr/local/bin/ruby(rb_yield+0x2d) [0xb75e0f5e] vm_eval.c:1026
/usr/local/bin/ruby(rb_ensure+0x10f) [0xb74b1810] eval.c:901
/usr/local/bin/ruby(rb_io_s_open+0x5d) [0xb74e63c0] io.c:6384
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0xb75d2160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call_cfunc_with_frame+0x165) [0xb75d2b20] vm_insnhelper.c:1638
/usr/local/bin/ruby(vm_call_cfunc+0x82) [0xb75d2c2d] vm_insnhelper.c:1733
/usr/local/bin/ruby(vm_call_method_each_type+0xa3) [0xb75d382d] vm_insnhelper.c:2022
/usr/local/bin/ruby(vm_call_method+0x6e) [0xb75d3ebc] vm_insnhelper.c:2146
/usr/local/bin/ruby(vm_call_general+0x2d) [0xb75d40a7] vm_insnhelper.c:2189
/usr/local/bin/ruby(vm_exec_core+0x1da6) [0xb75d6ef8] insns.def:964
/usr/local/bin/ruby(vm_exec+0xd2) [0xb75e6b8e] vm.c:1650
/usr/local/bin/ruby(rb_iseq_eval_main+0x38) [0xb75e763b] vm.c:1893
/usr/local/bin/ruby(ruby_exec_internal+0x123) [0xb74b0235] eval.c:245
/usr/local/bin/ruby(ruby_exec_node+0x28) [0xb74b0343] eval.c:310
/usr/local/bin/ruby(ruby_run_node+0x38) [0xb74b0311] eval.c:302
/usr/local/bin/ruby(main+0x68) [0xb74ae0b3] main.c:36

-- Other runtime information -----------------------------------------------

* Loaded script: load.rb

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so
    4 /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
    5 /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
    6 /usr/local/lib/ruby/2.3.0/unicode_normalize.rb
    7 /usr/local/lib/ruby/2.3.0/i686-linux/rbconfig.rb
    8 /usr/local/lib/ruby/2.3.0/rubygems/compatibility.rb
    9 /usr/local/lib/ruby/2.3.0/rubygems/defaults.rb
   10 /usr/local/lib/ruby/2.3.0/rubygems/deprecate.rb
   11 /usr/local/lib/ruby/2.3.0/rubygems/errors.rb
   12 /usr/local/lib/ruby/2.3.0/rubygems/version.rb
   13 /usr/local/lib/ruby/2.3.0/rubygems/requirement.rb
   14 /usr/local/lib/ruby/2.3.0/rubygems/platform.rb
   15 /usr/local/lib/ruby/2.3.0/rubygems/basic_specification.rb
   16 /usr/local/lib/ruby/2.3.0/rubygems/stub_specification.rb
   17 /usr/local/lib/ruby/2.3.0/rubygems/util/list.rb
   18 /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
   19 /usr/local/lib/ruby/2.3.0/rubygems/specification.rb
   20 /usr/local/lib/ruby/2.3.0/rubygems/exceptions.rb
   21 /usr/local/lib/ruby/2.3.0/rubygems/core_ext/kernel_gem.rb
   22 /usr/local/lib/ruby/2.3.0/monitor.rb
   23 /usr/local/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb
   24 /usr/local/lib/ruby/2.3.0/rubygems.rb
   25 /usr/local/lib/ruby/2.3.0/rubygems/path_support.rb
   26 /usr/local/lib/ruby/2.3.0/rubygems/dependency.rb
   27 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/version.rb
   28 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/core_ext/name_error.rb
   29 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/levenshtein.rb
   30 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/jaro_winkler.rb
   31 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkable.rb
   32 /usr/local/lib/ruby/2.3.0/delegate.rb
   33 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/name_error_checkers/class_name_checker.rb
   34 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/name_error_checkers/variable_name_checker.rb
   35 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/name_error_checkers.rb
   36 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/method_name_checker.rb
   37 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/null_checker.rb
   38 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/formatter.rb
   39 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean.rb

* Process memory map:

b6906000-b6ab3000 r--s 00000000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
b6ab3000-b6f58000 r--s 00000000 08:07 2504406    /usr/local/bin/ruby
b6f58000-b6f74000 r-xp 00000000 08:07 917533     /lib/i386-linux-gnu/libgcc_s.so.1
b6f74000-b6f75000 rw-p 0001b000 08:07 917533     /lib/i386-linux-gnu/libgcc_s.so.1
b6f8d000-b700e000 rw-p 00000000 00:00 0
b700e000-b720e000 r--p 00000000 08:07 2105916    /usr/lib/locale/locale-archive
b720e000-b7210000 rw-p 00000000 00:00 0
b7210000-b73b8000 r-xp 00000000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
b73b8000-b73ba000 r--p 001a8000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
b73ba000-b73bb000 rw-p 001aa000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
b73bb000-b73be000 rw-p 00000000 00:00 0
b73be000-b7402000 r-xp 00000000 08:07 917509     /lib/i386-linux-gnu/libm-2.19.so
b7402000-b7403000 r--p 00043000 08:07 917509     /lib/i386-linux-gnu/libm-2.19.so
b7403000-b7404000 rw-p 00044000 08:07 917509     /lib/i386-linux-gnu/libm-2.19.so
b7404000-b740c000 r-xp 00000000 08:07 917608     /lib/i386-linux-gnu/libcrypt-2.19.so
b740c000-b740d000 r--p 00008000 08:07 917608     /lib/i386-linux-gnu/libcrypt-2.19.so
b740d000-b740e000 rw-p 00009000 08:07 917608     /lib/i386-linux-gnu/libcrypt-2.19.so
b740e000-b7436000 rw-p 00000000 00:00 0
b7436000-b7439000 r-xp 00000000 08:07 917601     /lib/i386-linux-gnu/libdl-2.19.so
b7439000-b743a000 r--p 00002000 08:07 917601     /lib/i386-linux-gnu/libdl-2.19.so
b743a000-b743b000 rw-p 00003000 08:07 917601     /lib/i386-linux-gnu/libdl-2.19.so
b743b000-b7453000 r-xp 00000000 08:07 917596     /lib/i386-linux-gnu/libpthread-2.19.so
b7453000-b7454000 r--p 00018000 08:07 917596     /lib/i386-linux-gnu/libpthread-2.19.so
b7454000-b7455000 rw-p 00019000 08:07 917596     /lib/i386-linux-gnu/libpthread-2.19.so
b7455000-b7458000 rw-p 00000000 00:00 0
b7458000-b745f000 r-xp 00000000 08:07 2504421    /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
b745f000-b7460000 r--p 00006000 08:07 2504421    /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
b7460000-b7461000 rw-p 00007000 08:07 2504421    /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
b7461000-b7464000 r-xp 00000000 08:07 2769778    /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
b7464000-b7465000 r--p 00002000 08:07 2769778    /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
b7465000-b7466000 rw-p 00003000 08:07 2769778    /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
b7466000-b7468000 r-xp 00000000 08:07 2634271    /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
b7468000-b7469000 r--p 00001000 08:07 2634271    /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
b7469000-b746a000 rw-p 00002000 08:07 2634271    /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
b746a000-b746b000 ---p 00000000 00:00 0
b746b000-b746e000 rw-p 00000000 00:00 0          [stack:931]
b746e000-b746f000 r--p 00855000 08:07 2105916    /usr/lib/locale/locale-archive
b746f000-b7471000 rw-p 00000000 00:00 0
b7471000-b7473000 r--p 00000000 00:00 0          [vvar]
b7473000-b7475000 r-xp 00000000 00:00 0          [vdso]
b7475000-b7495000 r-xp 00000000 08:07 917607     /lib/i386-linux-gnu/ld-2.19.so
b7495000-b7496000 r--p 0001f000 08:07 917607     /lib/i386-linux-gnu/ld-2.19.so
b7496000-b7497000 rw-p 00020000 08:07 917607     /lib/i386-linux-gnu/ld-2.19.so
b7497000-b7739000 r-xp 00000000 08:07 2504406    /usr/local/bin/ruby
b7739000-b773c000 r--p 002a1000 08:07 2504406    /usr/local/bin/ruby
b773c000-b773d000 rw-p 002a4000 08:07 2504406    /usr/local/bin/ruby
b773d000-b7746000 rw-p 00000000 00:00 0
b8b8c000-b8e02000 rw-p 00000000 00:00 0          [heap]
bf4df000-bfcde000 rw-p 00000000 00:00 0          [stack]

[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html

Aborted (core dumped)
~~~

Please let me know if you need any more information.
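The report's trace goes r_symreal -> r_bytes0 -> r_bytes1 -> read, so the crash hinges on how the five length bytes `fc ff ff ff 7f` after the `:` type byte are decoded and then handed straight to `read`. The following is an added example, not code from the bug report or from the Ruby project: it reimplements Marshal's variable-length integer encoding (after r_long() in marshal.c) in plain Ruby, rebuilds the exact 20-byte stream from the xxd dump above, and shows the plausibility check a loader would want before it allocates or reads. `CRAFTED`, `LEGIT`, `declared_symbol_length` and `length_plausible?` are names of this example only; the `word_bits` parameter models sizeof(long) on the loading interpreter so the same bytes can be evaluated for the 32-bit build in the report and for a 64-bit one.

```ruby
# Added example: decode the Marshal "long" carrying the crafted symbol length,
# rebuild the stream from the report's xxd dump, and check the declared length
# against the bytes actually present. Not code from the bug report or Ruby.

# Marshal's variable-length integer encoding, reimplemented after r_long() in
# marshal.c. word_bits models sizeof(long) * 8 of the loading interpreter.
# Returns [value, position_after_the_long].
def marshal_long(bytes, pos, word_bits: 32)
  c = bytes.getbyte(pos)
  raise ArgumentError, "truncated long" if c.nil?
  c -= 256 if c > 127                      # reinterpret as signed char
  pos += 1
  return [0, pos] if c == 0
  return [c - 5, pos] if c > 4 && c < 128  # 0..122 fit in one byte
  return [c + 5, pos] if c < -4            # -1..-123 fit in one byte
  n = c.abs                                # |c| little-endian bytes follow
  raise ArgumentError, "long too big" if n > word_bits / 8
  raise ArgumentError, "truncated long" if n > bytes.bytesize - pos
  mask = (1 << word_bits) - 1
  x = c > 0 ? 0 : mask                     # negative form starts from -1
  n.times do |i|
    x &= ~(0xff << (8 * i)) & mask
    x |= bytes.getbyte(pos + i) << (8 * i)
  end
  x -= (1 << word_bits) if x >= (1 << (word_bits - 1))  # two's complement
  [x, pos + n]
end

# The exact bytes from the report's xxd dump (constructed here): version 4.8,
# type byte ':' (symbol), the long fc ff ff ff 7f, then twelve '0' bytes.
CRAFTED = ([0x04, 0x08, 0x3a, 0xfc, 0xff, 0xff, 0xff, 0x7f].pack("C*") + "0" * 12).b

# A well-formed stream carrying the same twelve bytes, produced by Ruby itself:
# the length is the single byte 0x11 (12 + 5).
LEGIT = Marshal.dump(:"000000000000")

# Parse just far enough to reach the symbol's declared length.
# Returns [declared_length, bytes_actually_present_after_the_length].
def declared_symbol_length(stream, word_bits: 32)
  unless stream.getbyte(0) == 4 && stream.getbyte(1) == 8
    raise ArgumentError, "unsupported marshal version"
  end
  raise ArgumentError, "not a symbol" unless stream.getbyte(2) == 0x3a
  len, pos = marshal_long(stream, 3, word_bits: word_bits)
  [len, stream.bytesize - pos]
end

# The guard a loader needs before it allocates or reads: a declared length must
# be non-negative and no larger than the input that is actually there.
def length_plausible?(declared, available)
  declared >= 0 && declared <= available
end

if __FILE__ == $0
  [[CRAFTED, "crafted"], [LEGIT, "legit"]].each do |stream, name|
    len, avail = declared_symbol_length(stream)
    printf("%-7s declared=%d (0x%x) available=%d plausible=%s\n",
           name, len, len & 0xffffffff, avail, length_plausible?(len, avail))
  end
  len64, = declared_symbol_length(CRAFTED, word_bits: 64)
  puts "same length bytes decoded with a 64-bit long: #{len64}"
end
```

With a 32-bit long the five bytes decode to 0x7fffffff while only 12 bytes follow, which is the number the `[BUG] probable buffer overflow: 12 for 11` line reports as actually read; with a 64-bit long the same bytes are the negative value -2147483649, which is why the report is specific to the i686 build. When the marshal source is a File, as in `load.rb`, the caller can make the same comparison against `f.size - f.pos` before handing the stream to `Marshal.load`; the better defence is simply not to unmarshal untrusted input at all.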