Bug #10991
closed
Added by mcarpenter (Martin Carpenter) over 9 years ago.
Updated over 9 years ago.
ruby -v:
ruby 2.2.2p86 (2015-03-03 revision 49825) [x86_64-linux]
[ruby-core:<unknown>]
Description
I've fuzzed some crashes in the marshal loader. The docs are explicit about not handing untrusted data to these methods and all appear to be NULL derefs from RSTRING_PTR() (I checked the first few by hand and ran exploitable over the remainder) so not obviously catastrophic from a security perspective.
Attached please find a tgz containing the input data (from afl) and gdb session output (backtrace, set args ..., run, exploitable).
To reproduce from the command line:
ruby -e 'Marshal.load(STDIN)' < id:000001,sig:11,src:003955,op:havoc,rep:4
Today's ruby-2.2-head is affected, and as far back as ruby-2.1.5 at least (possibly earlier).
Files
- Description updated (diff)
- Status changed from Open to Feedback
- Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN to 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: REQUIRED
Are those dumped data generated from real objects, and expected to be loaded successfully?
Nobuyoshi Nakada wrote:
Are those dumped data generated from real objects, and expected to be loaded successfully?
Data was not generated from real objects and I would not expect them to load successfully.
I expected eg TypeError:
$ echo quack | ruby -e 'Marshal.load(STDIN)'
-e:1:in `load': incompatible marshal file format (can't be read) (TypeError)
- Status changed from Feedback to Closed
- % Done changed from 0 to 100
Applied in changeset r50057.
marshal.c: register symbol strings first
- marshal.c (r_symreal): register symbol names as strings first so
that r_symlink always returns valid names.
[ruby-core:68587] [Bug #10991]
- marshal.c (r_ivar, r_object0): now need to intern symbol names.
- marshal.c (r_object0): compare with symbol names.
- Backport changed from 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: REQUIRED to 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: DONE
Backported into ruby_2_2 branch at r50632.
- Backport changed from 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: DONE to 2.0.0: WONTFIX, 2.1: DONE, 2.2: DONE
At r50667, fixed ruby_2_1 branch.
The branch is quite different from trunk, so only an essential part of r50057 was picked up.
Also available in: Atom
PDF
Like0
Like0Like0Like0Like0Like0
Updated by 
Updated by 
Updated by 
Updated by