Project

General

Profile

Actions
Copy link

Bug #10991

closed

SIGSEGV in Marshal.load

Added by mcarpenter (Martin Carpenter) over 9 years ago. Updated over 9 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.2.2p86 (2015-03-03 revision 49825) [x86_64-linux]
Backport:
2.0.0: WONTFIX, 2.1: DONE, 2.2: DONE
[ruby-core:<unknown>]

Description

I've fuzzed some crashes in the marshal loader. The docs are explicit about not handing untrusted data to these methods and all appear to be NULL derefs from RSTRING_PTR() (I checked the first few by hand and ran exploitable over the remainder) so not obviously catastrophic from a security perspective.

Attached please find a tgz containing the input data (from afl) and gdb session output (backtrace, set args ..., run, exploitable).

To reproduce from the command line:

ruby -e 'Marshal.load(STDIN)' < id:000001,sig:11,src:003955,op:havoc,rep:4

Today's ruby-2.2-head is affected, and as far back as ruby-2.1.5 at least (possibly earlier).

Files

Marshal.load_crashes.tgz (2.92 KB) Marshal.load_crashes.tgz mcarpenter (Martin Carpenter), 03/21/2015 10:22 AM
Actions
Copy link
 #1

Updated by nobu (Nobuyoshi Nakada) over 9 years ago

  • Description updated (diff)
  • Status changed from Open to Feedback
  • Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN to 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: REQUIRED

Are those dumped data generated from real objects, and expected to be loaded successfully?

Actions
Copy link
 #2

Updated by mcarpenter (Martin Carpenter) over 9 years ago

Nobuyoshi Nakada wrote:

Are those dumped data generated from real objects, and expected to be loaded successfully?

Data was not generated from real objects and I would not expect them to load successfully.

I expected eg TypeError:

$ echo quack | ruby -e 'Marshal.load(STDIN)' 
-e:1:in `load': incompatible marshal file format (can't be read) (TypeError)
Actions
Copy link
 #3

Updated by nobu (Nobuyoshi Nakada) over 9 years ago

  • Status changed from Feedback to Closed
  • % Done changed from 0 to 100

Applied in changeset r50057.

marshal.c: register symbol strings first

  • marshal.c (r_symreal): register symbol names as strings first so
    that r_symlink always returns valid names.
    [ruby-core:68587] [Bug #10991]
  • marshal.c (r_ivar, r_object0): now need to intern symbol names.
  • marshal.c (r_object0): compare with symbol names.
Actions
Copy link
 #4 [ruby-core:69339]

Updated by nagachika (Tomoyuki Chikanaga) over 9 years ago

  • Backport changed from 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: REQUIRED to 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: DONE

Backported into ruby_2_2 branch at r50632.

Actions
Copy link
 #5 [ruby-core:69411]

Updated by usa (Usaku NAKAMURA) over 9 years ago

  • Backport changed from 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: DONE to 2.0.0: WONTFIX, 2.1: DONE, 2.2: DONE

At r50667, fixed ruby_2_1 branch.
The branch is quite different from trunk, so only an essential part of r50057 was picked up.

Actions
Copy link

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0