Bug #12390

Heap Buffer Overflow in Marshal Load on 32-bit

Added by grajagandev (David Moore) about 4 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
ruby -v: ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]
[ruby-core:75592]

Description

A heap buffer overflow occurs when marshal loading (un-marshaling) crafted data on 32-bit Ubuntu 14.04.

It appears that a string length indicated by the marshaled data of 0x7fffffff triggers the overflow. It causes ruby to expect an embedded string of length RSTRING_EMBED_LEN_MAX, which is 11 on 32-bit. This may be related to issue #12195.

~/ruby-serial# cat load.rb 
File.open(ARGV[0]) do |f|
  @gc = Marshal.load(f)
end
~/ruby-serial# xxd marshal-overflow
0000000: 0408 3afc ffff ff7f 3030 3030 3030 3030  ..:.....00000000
0000010: 3030 3030
~/ruby-serial# ruby -v
ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]
root@x-Acer:~/ruby-serial# uname -a
Linux x-Acer 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux

~/ruby-serial# ruby load.rb marshal-overflow 
load.rb:3: [BUG] probable buffer overflow: 12 for 11
ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]

-- Control frame information -----------------------------------------------
c:0006 p:---- s:0017 e:000016 CFUNC  :read
c:0005 p:---- s:0015 e:000014 CFUNC  :load
c:0004 p:0016 s:0011 e:000010 BLOCK  load.rb:3 [FINISH]
c:0003 p:---- s:0008 e:000007 CFUNC  :open
c:0002 p:0024 s:0004 E:ffffea28 EVAL   load.rb:2 [FINISH]
c:0001 p:0000 s:0002 E:ffffe310 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
load.rb:2:in `<main>'
load.rb:2:in `open'
load.rb:3:in `block in <main>'
load.rb:3:in `load'
load.rb:3:in `read'

-- C level backtrace information -------------------------------------------
/usr/local/bin/ruby(rb_print_backtrace+0x28) [0xb75eb05f] vm_dump.c:688
/usr/local/bin/ruby(rb_vm_bugreport+0xbf) [0xb75eb599] vm_dump.c:997
/usr/local/bin/ruby(rb_bug+0x80) [0xb763edbd] error.c:420
/usr/local/bin/ruby(rb_str_set_len+0x94) [0xb7574609] string.c:2335
/usr/local/bin/ruby(io_set_read_length+0x55) [0xb74decfa] io.c:2382
/usr/local/bin/ruby(io_read+0x16c) [0xb74df8f9] io.c:2826
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0xb75d2160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call0_cfunc_with_frame+0x14d) [0xb75df16b] vm_eval.c:131
/usr/local/bin/ruby(vm_call0_cfunc+0x2d) [0xb75df22b] vm_eval.c:148
/usr/local/bin/ruby(vm_call0_body+0x156) [0xb75df383] vm_eval.c:186
/usr/local/bin/ruby(vm_call0+0x58) [0xb75df01c] vm_eval.c:61
/usr/local/bin/ruby(rb_call0+0xb5) [0xb75df9ae] vm_eval.c:351
/usr/local/bin/ruby(rb_call+0x4f) [0xb75e043f] vm_eval.c:637
/usr/local/bin/ruby(rb_funcallv+0x2e) [0xb75e0ada] vm_eval.c:848
/usr/local/bin/ruby(r_bytes1+0x46) [0xb74f45b7] marshal.c:1223
/usr/local/bin/ruby(r_bytes0+0x129) [0xb74f49d0] marshal.c:1299
/usr/local/bin/ruby(r_symreal+0x2c) [0xb74f4b57] marshal.c:1342
/usr/local/bin/ruby(r_object0+0x1655) [0xb74f6965] marshal.c:1954
/usr/local/bin/ruby(r_object+0x21) [0xb74f6a2f] marshal.c:1979
/usr/local/bin/ruby(rb_marshal_load_with_proc+0x23b) [0xb74f6d77] marshal.c:2078
/usr/local/bin/ruby(marshal_load+0x53) [0xb74f6b3a] marshal.c:2025
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0xb75d2160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call_cfunc_with_frame+0x165) [0xb75d2b20] vm_insnhelper.c:1638
/usr/local/bin/ruby(vm_call_cfunc+0x82) [0xb75d2c2d] vm_insnhelper.c:1733
/usr/local/bin/ruby(vm_call_method_each_type+0xa3) [0xb75d382d] vm_insnhelper.c:2022
/usr/local/bin/ruby(vm_call_method+0x6e) [0xb75d3ebc] vm_insnhelper.c:2146
/usr/local/bin/ruby(vm_call_general+0x2d) [0xb75d40a7] vm_insnhelper.c:2189
/usr/local/bin/ruby(vm_exec_core+0x1f46) [0xb75d7098] insns.def:995
/usr/local/bin/ruby(vm_exec+0xd2) [0xb75e6b8e] vm.c:1650
/usr/local/bin/ruby(invoke_block+0xbb) [0xb75e4b66] vm.c:921
/usr/local/bin/ruby(invoke_block_from_c_0+0x1d8) [0xb75e4ede] vm.c:971
/usr/local/bin/ruby(invoke_block_from_c_splattable+0x43) [0xb75e4f83] vm.c:988
/usr/local/bin/ruby(vm_yield+0x4d) [0xb75e50bd] vm.c:1023
/usr/local/bin/ruby(rb_yield_0+0x2e) [0xb75e0f10] vm_eval.c:1010
/usr/local/bin/ruby(rb_yield_1+0x19) [0xb75e0f2f] vm_eval.c:1016
/usr/local/bin/ruby(rb_yield+0x2d) [0xb75e0f5e] vm_eval.c:1026
/usr/local/bin/ruby(rb_ensure+0x10f) [0xb74b1810] eval.c:901
/usr/local/bin/ruby(rb_io_s_open+0x5d) [0xb74e63c0] io.c:6384
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0xb75d2160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call_cfunc_with_frame+0x165) [0xb75d2b20] vm_insnhelper.c:1638
/usr/local/bin/ruby(vm_call_cfunc+0x82) [0xb75d2c2d] vm_insnhelper.c:1733
/usr/local/bin/ruby(vm_call_method_each_type+0xa3) [0xb75d382d] vm_insnhelper.c:2022
/usr/local/bin/ruby(vm_call_method+0x6e) [0xb75d3ebc] vm_insnhelper.c:2146
/usr/local/bin/ruby(vm_call_general+0x2d) [0xb75d40a7] vm_insnhelper.c:2189
/usr/local/bin/ruby(vm_exec_core+0x1da6) [0xb75d6ef8] insns.def:964
/usr/local/bin/ruby(vm_exec+0xd2) [0xb75e6b8e] vm.c:1650
/usr/local/bin/ruby(rb_iseq_eval_main+0x38) [0xb75e763b] vm.c:1893
/usr/local/bin/ruby(ruby_exec_internal+0x123) [0xb74b0235] eval.c:245
/usr/local/bin/ruby(ruby_exec_node+0x28) [0xb74b0343] eval.c:310
/usr/local/bin/ruby(ruby_run_node+0x38) [0xb74b0311] eval.c:302
/usr/local/bin/ruby(main+0x68) [0xb74ae0b3] main.c:36

-- Other runtime information -----------------------------------------------

* Loaded script: load.rb

* Loaded features:


* Process memory map:

[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html

Aborted (core dumped)

Please let me know if you need any more information.

Files

load.rb (60 Bytes), grajagandev (David Moore), 05/18/2016 03:22 AM
marshal-overflow (20 Bytes), grajagandev (David Moore), 05/18/2016 03:22 AM
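
The 20-byte file from the report, decoded the way marshal.c's r_long reads a length prefix, as an added example that is not part of this report or of Ruby's own source. It emulates the C `long` width, so the same bytes decode to 2147483647 (LONG_MAX on i686) but to a negative value with a 64-bit long, which is why the report only reproduces on 32-bit, and it adds a pre-flight check that rejects a declared length larger than the bytes actually present before the data reaches Marshal.load. The names to_signed, read_marshal_long, first_length, plausible_marshal? and the bits: parameter are mine.

```ruby
require 'stringio'

# Constructed copy of the report's 20-byte marshal-overflow file: version 4.8,
# ':' (symbol), 0xfc ("4 bytes follow, start from -1"), ff ff ff 7f, twelve '0's.
MARSHAL_OVERFLOW = ([4, 8, 0x3a, 0xfc, 0xff, 0xff, 0xff, 0x7f].pack('C*') + '0' * 12).b

# Reinterpret an unbounded Ruby Integer as a signed two's-complement value
# of +bits+ width, emulating C `long` arithmetic (32 on i686, 64 on x86_64).
def to_signed(n, bits)
  n &= (1 << bits) - 1
  n >= (1 << (bits - 1)) ? n - (1 << bits) : n
end

# Marshal "long" encoding as read by r_long in marshal.c:
#   0      -> 0
#   1..4   -> that many little-endian bytes follow, accumulator starts at 0
#   -4..-1 -> that many bytes follow, accumulator starts at -1 (all bits set)
#   else   -> the byte itself is a small integer, offset by 5
def read_marshal_long(io, bits: 32)
  c = to_signed(io.getbyte || raise(EOFError, 'truncated length'), 8)
  return 0 if c == 0
  return c - 5 if c > 4
  return c + 5 if c < -4
  x = c > 0 ? 0 : -1
  c.abs.times do |i|
    byte = io.getbyte || raise(EOFError, 'truncated length')
    x &= ~(0xff << (8 * i))   # clear the slot, then fill it
    x |= byte << (8 * i)
  end
  to_signed(x, bits)
end

# Declared byte length of the leading symbol/string element of +data+,
# plus the number of bytes actually left after the length prefix.
def first_length(data, bits: 32)
  io = StringIO.new(data.b)
  major, minor, type = io.read(3).bytes
  raise ArgumentError, "unsupported version #{major}.#{minor}" unless [major, minor] == [4, 8]
  raise ArgumentError, "unexpected type #{type.chr.inspect}" unless [':', '"'].include?(type.chr)
  len = read_marshal_long(io, bits: bits)
  [len, data.bytesize - io.pos]
end

# Pre-flight gate: reject a payload whose declared length is negative or
# exceeds what is present, before it ever reaches Marshal.load.
def plausible_marshal?(data, bits: 32)
  len, remaining = first_length(data, bits: bits)
  len >= 0 && len <= remaining
end
```

With bits: 32 the sample yields a declared length of 2147483647 against 12 remaining bytes, the same 12 bytes that IO#read returned into the 11-byte embedded buffer in the report's "12 for 11" message.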

Updated by shyouhei (Shyouhei Urabe) about 4 years ago

  • Description updated (diff)

Updated by nobu (Nobuyoshi Nakada) about 4 years ago

  • Status changed from Open to Closed

Applied in changeset r55054.


string.c: integer overflow

  • string.c (rb_str_modify_expand): check integer overflow. [ruby-core:75592] [Bug #12390]

Updated by nobu (Nobuyoshi Nakada) about 4 years ago

  • Backport changed from 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: UNKNOWN to 2.1: REQUIRED, 2.2: REQUIRED, 2.3: REQUIRED

Updated by usa (Usaku NAKAMURA) about 4 years ago

  • Backport changed from 2.1: REQUIRED, 2.2: REQUIRED, 2.3: REQUIRED to 2.1: REQUIRED, 2.2: DONE, 2.3: REQUIRED

ruby_2_2 r55352 merged revision(s) 55054.

Updated by nagachika (Tomoyuki Chikanaga) about 4 years ago

  • Backport changed from 2.1: REQUIRED, 2.2: DONE, 2.3: REQUIRED to 2.1: REQUIRED, 2.2: DONE, 2.3: DONE

ruby_2_3 r55426 merged revision(s) 55054.
