Bug #10991 (closed)
SIGSEGV in Marshal.load
Description
I've fuzzed some crashes in the marshal loader. The docs are explicit about not handing untrusted data to these methods and all appear to be NULL derefs from RSTRING_PTR() (I checked the first few by hand and ran exploitable over the remainder) so not obviously catastrophic from a security perspective.
Attached please find a tgz containing the input data (from afl) and gdb session output (backtrace, set args ..., run, exploitable).
To reproduce from the command line:
ruby -e 'Marshal.load(STDIN)' < id:000001,sig:11,src:003955,op:havoc,rep:4
Today's ruby-2.2-head is affected, and as far back as ruby-2.1.5 at least (possibly earlier).
Updated by nobu (Nobuyoshi Nakada) over 9 years ago
- Description updated (diff)
- Status changed from Open to Feedback
- Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN to 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: REQUIRED
Are those dumped data generated from real objects, and expected to be loaded successfully?
Updated by mcarpenter (Martin Carpenter) over 9 years ago
Nobuyoshi Nakada wrote:
Are those dumped data generated from real objects, and expected to be loaded successfully?
Data was not generated from real objects and I would not expect them to load successfully.
I expected e.g. TypeError:
$ echo quack | ruby -e 'Marshal.load(STDIN)'
-e:1:in `load': incompatible marshal file format (can't be read) (TypeError)
Updated by nobu (Nobuyoshi Nakada) over 9 years ago
- Status changed from Feedback to Closed
- % Done changed from 0 to 100
Applied in changeset r50057.
marshal.c: register symbol strings first
- marshal.c (r_symreal): register symbol names as strings first so that r_symlink always returns valid names. [ruby-core:68587] [Bug #10991]
- marshal.c (r_ivar, r_object0): now need to intern symbol names.
- marshal.c (r_object0): compare with symbol names.
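A regression-style check for the behaviour this ticket expects, added here as an example and not part of the ticket or of the ruby tree: malformed input (wrong header as in the `quack` run above, a truncated stream, and a symlink to an index that was never registered, the path r50057 touches) must raise an exception instead of segfaulting, while a genuine dump still round-trips. The byte strings are constructed by hand, not taken from the afl corpus, and `load_untrusted`/`check_loader` are hypothetical helper names.

```ruby
# Hand-constructed Marshal 4.8 streams (not the ticket's afl inputs) that
# drive the loader down its error paths. Marshal.load must never be given
# untrusted data in production; this only checks that bad data is rejected
# with an exception rather than crashing the interpreter.
HEADER = "\x04\x08".b

# Wrap Marshal.load so the outcome is a value the test can assert on:
# [:ok, object] on success, [:rejected, ExceptionClass] on any Ruby error.
def load_untrusted(bytes)
  [:ok, Marshal.load(bytes)]
rescue StandardError => e
  [:rejected, e.class]
end

SAMPLES = {
  # "quack": not a marshal stream at all, header check fails (TypeError)
  wrong_header:     "quack".b,
  # array declares 2 elements ('[' 0x07 -> len 2) but only one 'i' follows
  truncated_array:  HEADER + "[\x07i\x06".b,
  # ';' symlink to symbol index 0 when no symbol has been registered yet
  dangling_symlink: HEADER + ";\x00".b,
  # a real dump, including a repeated symbol that uses a symlink internally
  valid_roundtrip:  Marshal.dump({ name: "x", tags: [:a, :a] }),
}.freeze

# Run every sample through the loader and report what happened to each.
def check_loader(samples = SAMPLES)
  samples.transform_values { |bytes| load_untrusted(bytes) }
end

if $PROGRAM_NAME == __FILE__
  check_loader.each { |name, (status, v)| puts "#{name}: #{status} #{v.inspect}" }
end
```

Any sample that neither returns nor raises (i.e. kills the process) is exactly the failure class this ticket reports, so the script doubles as a quick smoke test when backporting the fix.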
Updated by nagachika (Tomoyuki Chikanaga) over 9 years ago
- Backport changed from 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: REQUIRED to 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: DONE
Backported into ruby_2_2 branch at r50632.
Updated by usa (Usaku NAKAMURA) over 9 years ago
- Backport changed from 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: DONE to 2.0.0: WONTFIX, 2.1: DONE, 2.2: DONE
At r50667, fixed ruby_2_1 branch.
The branch is quite different from trunk, so only an essential part of r50057 was picked up.