Bug #13234

Infinite recursion (stack overflow) in parse_char_class()

Added by fumfel (Kamil Frankowicz) 3 months ago. Updated 3 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
[ruby-core:79624]

Description

After some fuzz testing I found a crashing test case.

Git HEAD: fbd5cda6aad6db01bbca3d893a9970314a1bd52c

To reproduce: miniruby ruby_so_parse_char_class

Error log: bug-13234.log

ruby_so_parse_char_class - POC to trigger stack overflow (miniruby) (4 KB) fumfel (Kamil Frankowicz), 02/20/2017 07:38 AM

bug-13234.log View (82.3 KB) nobu (Nobuyoshi Nakada), 02/20/2017 10:41 AM

Associated revisions

Revision 57660
Added by nobu (Nobuyoshi Nakada) 3 months ago

regparse.c: initialize return values

  • regparse.c (parse_char_class): initialize return values before depth limit check. Returned values will be freed in callers regardless of the error. [Bug #13234]

Revision 57909
Added by naruse (Yui NARUSE) 3 months ago

merge revision(s) 57660: [Backport #13234]

regparse.c: initialize return values

* regparse.c (parse_char_class): initialize return values before
  depth limit check.  Returned values will be freed in callers
  regardless of the error.  [Bug #13234]
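The two points in the fix above (a parse-depth limit so hostile nesting stops recursing before the stack runs out, and out-parameters set before that check can fail so callers may free them regardless of the error) are easier to see in a small stand-alone parser. The following is an added example, not code from Onigmo or Ruby's regparse.c: a toy parser for nested character classes such as `[ab[c]d]`. The `cc_*` names, the error codes and the `CC_MAX_PARSE_DEPTH` value are assumptions of this example.

```c
/* Added example (not Onigmo/regparse.c): toy nested-character-class parser
 * with a depth limit. Contract mirroring the r57660 fix: *np is always
 * valid to pass to cc_free(), even when the depth check fails, so callers
 * free it unconditionally on error. All cc_* names are assumed here. */
#include <stdlib.h>
#include <string.h>

enum { CC_OK = 0, CC_ERR_DEPTH = -1, CC_ERR_SYNTAX = -2, CC_ERR_MEMORY = -3 };
#define CC_MAX_PARSE_DEPTH 64   /* assumed limit; far below any real stack */

typedef struct cc_node {
    struct cc_node *child;      /* nested class, when this item is "[...]" */
    struct cc_node *next;       /* next item in the same class */
    int literal;                /* the character, for a literal item */
} cc_node;

/* Frees a whole item list; tolerates NULL, which is what errors hand back. */
void cc_free(cc_node *n)
{
    while (n != NULL) {
        cc_node *next = n->next;
        cc_free(n->child);
        free(n);
        n = next;
    }
}

/* Parses one "[...]" at *p and leaves *p just past the closing bracket. */
static int cc_parse_class(const char **p, cc_node **np, int depth)
{
    cc_node *head = NULL, **tail = &head;

    *np = NULL;                        /* must precede every early return */
    if (depth > CC_MAX_PARSE_DEPTH)    /* stop before recursing any deeper */
        return CC_ERR_DEPTH;
    if (**p != '[')
        return CC_ERR_SYNTAX;
    (*p)++;
    while (**p != '\0' && **p != ']') {
        cc_node *n = calloc(1, sizeof *n);
        if (n == NULL) { cc_free(head); return CC_ERR_MEMORY; }
        *tail = n;
        tail = &n->next;
        if (**p == '[') {
            cc_node *child;            /* not initialised: the callee sets it */
            int err = cc_parse_class(p, &child, depth + 1);
            if (err != CC_OK) {
                cc_free(child);        /* safe only because of the contract */
                cc_free(head);
                return err;
            }
            n->child = child;
        } else {
            n->literal = (unsigned char)**p;
            (*p)++;
        }
    }
    if (**p != ']') { cc_free(head); return CC_ERR_SYNTAX; }
    (*p)++;
    *np = head;
    return CC_OK;
}

/* Parses a whole pattern; *out is NULL unless CC_OK is returned. */
int cc_parse(const char *pattern, cc_node **out)
{
    const char *p = pattern;
    int err = cc_parse_class(&p, out, 0);
    if (err == CC_OK && *p != '\0') {  /* trailing text after the class */
        cc_free(*out);
        *out = NULL;
        err = CC_ERR_SYNTAX;
    }
    return err;
}

/* Number of class levels in a parsed pattern: "[a]" -> 1, "[[a]]" -> 2. */
int cc_levels(const cc_node *n)
{
    int deepest = 0;
    for (; n != NULL; n = n->next) {
        if (n->child != NULL) {
            int d = cc_levels(n->child);
            if (d > deepest) deepest = d;
        }
    }
    return 1 + deepest;
}

/* Builds "[[[...a...]]]" nested `levels` deep, the shape a fuzzer reaches
 * when it hammers a recursive parser; the caller frees the string. */
char *cc_nested_pattern(size_t levels)
{
    char *s = malloc(2 * levels + 2);
    if (s == NULL) return NULL;
    memset(s, '[', levels);
    s[levels] = 'a';
    memset(s + levels + 1, ']', levels);
    s[2 * levels + 1] = '\0';
    return s;
}
```

With the assignment `*np = NULL` moved below the depth check, a caller that hits the limit would free whatever stack garbage sat in its uninitialised `child`; with the assignment first, a million-level pattern fails cleanly at depth 65 with `*out == NULL` and no recursion deeper than the limit.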

History

#1 [ruby-core:79626] Updated by shyouhei (Shyouhei Urabe) 3 months ago

Kamil Frankowicz wrote:

After some fuzz testing I found a crashing test case.

Great... I can reproduce this. Not sure if this is an "infinite" recursion or just too deep to run on my machine, though.

Do you run a fuzz test for ruby or for your project? If this is something disclosable please do so, because currently ruby lacks such a thing.

#2 Updated by nobu (Nobuyoshi Nakada) 3 months ago

  • Status changed from Open to Closed

Applied in changeset r57660.

regparse.c: initialize return values

  • regparse.c (parse_char_class): initialize return values before depth limit check. Returned values will be freed in callers regardless of the error. [Bug #13234]

#3 [ruby-core:79627] Updated by nobu (Nobuyoshi Nakada) 3 months ago

  • Backport changed from 2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: UNKNOWN to 2.2: DONTNEED, 2.3: DONTNEED, 2.4: REQUIRED
  • Description updated (diff)
  • File bug-13234.log View added

#4 [ruby-core:79630] Updated by fumfel (Kamil Frankowicz) 3 months ago

Shyouhei Urabe wrote:

Kamil Frankowicz wrote:

After some fuzz testing I found a crashing test case.

Great... I can reproduce this. Not sure if this is an "infinite" recursion or just too deep to run on my machine, though.

Do you run a fuzz test for ruby or for your project? If this is something disclosable please do so, because currently ruby lacks such a thing.

I fuzz ruby (in this case miniruby binary) with American Fuzzy Lop fuzzer (http://lcamtuf.coredump.cx/afl/). My testing corpus contains files from various open source projects written in ruby. It's all :-)

#5 [ruby-core:79678] Updated by fumfel (Kamil Frankowicz) 3 months ago

This is CVE-2017-6181.

#6 [ruby-core:79682] Updated by shyouhei (Shyouhei Urabe) 3 months ago

Thank you again for the useful information. Will consider using the fuzzer and hopefully integrate into our test suite if possible/allowed.

#7 [ruby-core:80056] Updated by naruse (Yui NARUSE) 3 months ago

  • Backport changed from 2.2: DONTNEED, 2.3: DONTNEED, 2.4: REQUIRED to 2.2: DONTNEED, 2.3: DONTNEED, 2.4: DONE

ruby_2_4 r57909 merged revision(s) 57660.
