Bug #14893
Global buffer overflow in signm2signo of signal.c.
Description
Found some memory error with address sanitizer:
==29152==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55fb96d91983 at pc 0x7f80615106c6 bp 0x7fff6ee86480 sp 0x7fff6ee85c28
#1 0x55fb96aee1e7 in signm983 thread T0
#0 0x7f80615106c5 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x776c5)
#1 0x55fb96aee1e7 in signm2signo /home/takeshi/dev/ruby/signal.c:262
#2 0x55fb96af0e81 in trap_signm /home/takeshi/dev/ruby/signal.c:1262
#3 0x55fb96af11c6 in sig_trap /home/takeshi/dev/ruby/signal.c:1378
#4 0x55fb96bd36a9 in call_cfunc_m1 /home/takeshi/dev/ruby/vm_insnhelper.c:1739
#5 0x55fb96bd54d4 in vm_call_cfunc_with_frame /home/takeshi/dev/ruby/vm_insnhelper.c:1934
#6 0x55fb96bd581d in vm_call_cfunc /home/takeshi/dev/ruby/vm_insnhelper.c:1950
#7 0x55fb96bd8a57 in vm_call_method_each_type /home/takeshi/dev/ruby/vm_insnhelper.c:2272
#8 0x55fb96bd9c5e in vm_call_method /home/takeshi/dev/ruby/vm_insnhelper.c:2398
#9 0x55fb96bda0ee in vm_call_general /home/takeshi/dev/ruby/vm_insnhelper.c:2441
#10 0x55fb96bea238 in vm_exec_core /home/takeshi/dev/ruby/insns.def:779
#11 0x55fb96c102cd in vm_exec /home/takeshi/dev/ruby/vm.c:1807
#12 0x55fb96c126c8 in rb_iseq_eval_main /home/takeshi/dev/ruby/vm.c:2066
#13 0x55fb968bca15 in ruby_exec_internal /home/takeshi/dev/ruby/eval.c:261
#14 0x55fb968bcd58 in ruby_exec_node /home/takeshi/dev/ruby/eval.c:325
#15 0x55fb968bccdc in ruby_run_node /home/takeshi/dev/ruby/eval.c:317
#16 0x55fb968b7018 in main main.c:42
#17 0x7f806050d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#18 0x55fb968b6e18 in _start (/home/takeshi/dev/ruby/ruby+0xd1e18)
Seems like strlen(sigs->signm) may be shorter than len - prefix in some cases.
Made PR too for CI: https://github.com/ruby/ruby/pull/1904
Files
Associated revisions
signal.c: packed signals
signal.c (signals): pack signal names instead of references.
signal.c (signm2signo): also reject too long signal name.
[ruby-core:87767] [Bug #14893]
signal.c: packed signals
signal.c (signals): pack signal names instead of references.
signal.c (signm2signo): also reject too long signal name.
[ruby-core:87767] [Bug #14893]
signal.c: packed signals
signal.c (signals): pack signal names instead of references.
signal.c (signm2signo): also reject too long signal name.
[ruby-core:87767] [Bug #14893]
reapply r63841 and r63842, which are unrelated to r63758 but had been
wrongly reverted by r63852.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63854 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
signal.c: packed signals
signal.c (signals): pack signal names instead of references.
signal.c (signm2signo): also reject too long signal name.
[ruby-core:87767] [Bug #14893]
reapply r63841 and r63842, which are unrelated to r63758 but had been
wrongly reverted by r63852.
signal.c: packed signals
signal.c (signals): pack signal names instead of references.
signal.c (signm2signo): also reject too long signal name.
[ruby-core:87767] [Bug #14893]
reapply r63841 and r63842, which are unrelated to r63758 but had been
wrongly reverted by r63852.
History
Updated by
Updated by nobu (Nobuyoshi Nakada) over 1 year ago
Updated by - Status changed from Open to Closed
Applied in changeset trunk|r63841.
signal.c: packed signals
signal.c (signals): pack signal names instead of references.
signal.c (signm2signo): also reject too long signal name.
[ruby-core:87767] [Bug #14893]
signal.c: packed signals
signal.c (signals): pack signal names instead of references.
signal.c (signm2signo): also reject too long signal name.
[ruby-core:87767] [Bug #14893]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63841 b2dd03c8-39d4-4d8f-98ff-823fe69b080e