Bug #14893
Global buffer overflow in signm2signo of signal.c.
Description
Found some memory error with address sanitizer:
==29152==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55fb96d91983 at pc 0x7f80615106c6 bp 0x7fff6ee86480 sp 0x7fff6ee85c28
#1 0x55fb96aee1e7 in signm983 thread T0
#0 0x7f80615106c5 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x776c5)
#1 0x55fb96aee1e7 in signm2signo /home/takeshi/dev/ruby/signal.c:262
#2 0x55fb96af0e81 in trap_signm /home/takeshi/dev/ruby/signal.c:1262
#3 0x55fb96af11c6 in sig_trap /home/takeshi/dev/ruby/signal.c:1378
#4 0x55fb96bd36a9 in call_cfunc_m1 /home/takeshi/dev/ruby/vm_insnhelper.c:1739
#5 0x55fb96bd54d4 in vm_call_cfunc_with_frame /home/takeshi/dev/ruby/vm_insnhelper.c:1934
#6 0x55fb96bd581d in vm_call_cfunc /home/takeshi/dev/ruby/vm_insnhelper.c:1950
#7 0x55fb96bd8a57 in vm_call_method_each_type /home/takeshi/dev/ruby/vm_insnhelper.c:2272
#8 0x55fb96bd9c5e in vm_call_method /home/takeshi/dev/ruby/vm_insnhelper.c:2398
#9 0x55fb96bda0ee in vm_call_general /home/takeshi/dev/ruby/vm_insnhelper.c:2441
#10 0x55fb96bea238 in vm_exec_core /home/takeshi/dev/ruby/insns.def:779
#11 0x55fb96c102cd in vm_exec /home/takeshi/dev/ruby/vm.c:1807
#12 0x55fb96c126c8 in rb_iseq_eval_main /home/takeshi/dev/ruby/vm.c:2066
#13 0x55fb968bca15 in ruby_exec_internal /home/takeshi/dev/ruby/eval.c:261
#14 0x55fb968bcd58 in ruby_exec_node /home/takeshi/dev/ruby/eval.c:325
#15 0x55fb968bccdc in ruby_run_node /home/takeshi/dev/ruby/eval.c:317
#16 0x55fb968b7018 in main main.c:42
#17 0x7f806050d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#18 0x55fb968b6e18 in _start (/home/takeshi/dev/ruby/ruby+0xd1e18)
Seems like strlen(sigs->signm) may be shorter than len - prefix in some cases.
Made PR too for CI: https://github.com/ruby/ruby/pull/1904
Updated by nobu (Nobuyoshi Nakada) over 2 years ago
- Status changed from Open to Closed
Applied in changeset trunk|r63841.
signal.c: packed signals
signal.c (signals): pack signal names instead of references.
signal.c (signm2signo): also reject too long signal name.
[ruby-core:87767] [Bug #14893]
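To make the report and the fix concrete, here is an added example (constructed for this page, not Ruby's signal.c) with a hypothetical signal table: `signm2signo_unsafe` reconstructs the over-reading comparison the report describes, where memcmp is handed the caller's length even when the table entry is shorter, and `signm2signo_safe` applies the changeset's remedy of rejecting names whose length does not match the entry before any bytes are compared. The table contents and the `signo_from_name` wrapper are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed signal table for this example; it mirrors only the shape of a
 * name/number table and is not Ruby's own list. */
static const struct signals {
    const char *signm;
    int signo;
} siglist[] = {
    {"EXIT", 0}, {"HUP", 1}, {"INT", 2}, {"QUIT", 3},
    {"KILL", 9}, {"USR1", 10}, {"TERM", 15}, {NULL, 0}
};

/* Hypothetical reconstruction of the unsafe pattern: memcmp compares `len`
 * bytes, so when len > strlen(sigs->signm) it reads past the entry's string
 * literal, which lives in global storage (the global-buffer-overflow ASan
 * reported). Shown for contrast only; never call it with over-long input. */
int signm2signo_unsafe(const char *nm, size_t len)
{
    const struct signals *sigs;
    for (sigs = siglist; sigs->signm; sigs++) {
        if (memcmp(sigs->signm, nm, len) == 0)
            return sigs->signo;
    }
    return -1;
}

/* Hardened lookup: an input may only match an entry of exactly its own length.
 * Too-long names are rejected before memcmp runs, so neither string is read
 * beyond its terminator, and a short prefix such as "KIL" no longer matches. */
int signm2signo_safe(const char *nm, size_t len)
{
    const struct signals *sigs;
    for (sigs = siglist; sigs->signm; sigs++) {
        if (strlen(sigs->signm) == len && memcmp(sigs->signm, nm, len) == 0)
            return sigs->signo;
    }
    return -1;
}

/* Assumed caller: strips an optional "SIG" prefix (so "KILL" and "SIGKILL"
 * both resolve) and hands the remainder to the hardened lookup. Returns -1
 * for unknown, empty or over-long names. */
int signo_from_name(const char *name)
{
    size_t len = strlen(name);
    size_t prefix = (len > 3 && memcmp(name, "SIG", 3) == 0) ? 3 : 0;
    return signm2signo_safe(name + prefix, len - prefix);
}
```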