Bug #15248

Segfault/memory corruption in vm.c:1946

Added by bannable (Joe Truba) 5 months ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
ruby -v:
ruby 2.6.0dev (2018-10-16 trunk 65097) [x86_64-linux]
[ruby-core:89539]

Description

Reproducer:

$ xxd ../repro3
00000000: 2557 0024 7f54 0020 7c7c 6e54 5a20 7768  %W.$.T. ||nTZ wh
00000010: 696c 6523 4054 456d 6520 7e6f 5b0a 0a0a  ile#@TEme ~o[...
00000020: 0a0a 0a0a 0a69 3d31                      .....i=1
$ 

ASAN report:

$ ./ruby ../repro3
../repro3:9: warning: found `= literal' in conditional, should be ==
AddressSanitizer:DEADLYSIGNAL
=================================================================
==34510==ERROR: AddressSanitizer: SEGV on unknown address 0x62d000d100c8 (pc 0x62d000d100c8 bp 0x7ffe837b9f30 sp 0x7ffe837b9860 T0)
==34510==The signal is caused by a READ memory access.
==34510==Hint: PC is at a non-executable region. Maybe a wild jump?
    #0 0x62d000d100c7  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>)
==34510==ABORTING

Crash dump + valgrind report:

==47623== Memcheck, a memory error detector
==47623== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==47623== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==47623== Command: ./ruby ../repro3
==47623==
../repro3:9: warning: found `= literal' in conditional, should be ==
vex amd64->IR: unhandled instruction bytes: 0xFB 0x9A 0x6 0x0 0x0 0x0 0x0 0x24 0x7F 0x54
vex amd64->IR:   REX=0 REX.W=0 REX.R=0 REX.X=0 REX.B=0
vex amd64->IR:   VEX=0 VEX.L=0 VEX.nVVVV=0x0 ESC=NONE
vex amd64->IR:   PFX.66=0 PFX.F2=0 PFX.F3=0
==47623== Invalid read of size 1
==47623==    at 0x771610D: ???
==47623==    by 0x1586AB2C116464FF: ???
==47623==    by 0x69443B7: ???
==47623==    by 0x690282F: ???
==47623==    by 0x6802237: ???
==47623==    by 0x1586AB2C116464FF: ???
==47623==    by 0x3964EA: rb_obj_freeze_inline (ruby.h:1342)
==47623==    by 0x3964EA: str_new_frozen (string.c:1296)
==47623==    by 0x1FFEFFF5E7: ???
==47623==    by 0x1586AB2C116464FF: ???
==47623==    by 0x3964EA: rb_obj_freeze_inline (ruby.h:1342)
==47623==    by 0x3964EA: str_new_frozen (string.c:1296)
==47623==    by 0x6944227: ???
==47623==    by 0x911A8F: ??? (in /home/jtruba/rubies/ruby-trunk/ruby)
==47623==  Address 0x5fca is not stack'd, malloc'd or (recently) free'd
==47623==
../repro3:1: [BUG] Segmentation fault at 0x0000000000005fca
ruby 2.6.0dev (2018-10-16 trunk 65097) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0002 p:0008 s:428689 E:000f78 EVAL   ../repro3:1 [FINISH]
c:0001 p:0000 s:0003 E:001d80 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
../repro3:1:in `<main>'

-- Machine register context ------------------------------------------------
 RIP: 0x000000000771610d RBP: 0x00000000009235d0 RSP: 0x0000001ffefff430
 RAX: 0x0000000000005fca RBX: 0xfffffffffffffff8 RCX: 0x00000000009235d0
 RDX: 0x0000000006b47d28 RDI: 0x00000000069afb18 RSI: 0x0000000006902830
  R8: 0x0000000000000000  R9: 0x0000000006801f90 R10: 0xfffffffffffffffc
 R11: 0x0000000000911a90 R12: 0xfffffffffffffffc R13: 0x0000000006b47d20
 R14: 0x0000000006802238 R15: 0x0000000006802238 EFL: 0x0000000000000084

-- C level backtrace information -------------------------------------------
./ruby(0x61c7c0) [0x61c7c0]
/home/jtruba/rubies/ruby-trunk/ruby(rb_vm_bugreport) vm_dump.c:985
/home/jtruba/rubies/ruby-trunk/ruby(bug_report_end+0x0) [0x5f77a0] error.c:34384
/home/jtruba/rubies/ruby-trunk/ruby(rb_bug_context) error.c:610
./ruby(0x37525f) [0x37525f]
/lib/x86_64-linux-gnu/libpthread.so.0(__restore_rt+0x0) [0x4e43890] ../nptl/sysdeps/pthread/funlockfile.c:29
[0x771610d]

-- Other runtime information -----------------------------------------------

* Loaded script: ../repro3

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so
    4 /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/encdb.so
    5 /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/trans/transdb.so

* Process memory map:

00108000-0070d000 r-xp 00000000 103:00 78003143                          /home/jtruba/rubies/ruby-trunk/ruby
0090c000-00912000 rw-p 00604000 103:00 78003143                          /home/jtruba/rubies/ruby-trunk/ruby
00912000-00934000 rw-p 00000000 00:00 0
04000000-04021000 r-xp 00000000 103:03 786452                            /lib/x86_64-linux-gnu/ld-2.19.so
04021000-04024000 rw-p 00000000 00:00 0
04024000-04025000 rw-p 00000000 00:00 0
04035000-0403a000 rw-p 00000000 00:00 0
0403a000-041c3000 r--p 00000000 103:03 283083                            /usr/lib/locale/locale-archive
041c3000-041e5000 r--s 00000000 103:03 786451                            /lib/x86_64-linux-gnu/libpthread-2.19.so
04220000-04221000 r--p 00020000 103:03 786452                            /lib/x86_64-linux-gnu/ld-2.19.so
04221000-04222000 rw-p 00021000 103:03 786452                            /lib/x86_64-linux-gnu/ld-2.19.so
04222000-04223000 rw-p 00000000 00:00 0
04223000-04224000 rwxp 00000000 00:00 0
04a23000-04a24000 r-xp 00000000 103:00 119946210                         /home/jtruba/co/valgrind/lib/valgrind/vgpreload_core-amd64-linux.so
04a24000-04c23000 ---p 00001000 103:00 119946210                         /home/jtruba/co/valgrind/lib/valgrind/vgpreload_core-amd64-linux.so
04c23000-04c24000 rw-p 00000000 103:00 119946210                         /home/jtruba/co/valgrind/lib/valgrind/vgpreload_core-amd64-linux.so
04c24000-04c34000 r-xp 00000000 103:00 119946318                         /home/jtruba/co/valgrind/lib/valgrind/vgpreload_memcheck-amd64-linux.so
04c34000-04e33000 ---p 00010000 103:00 119946318                         /home/jtruba/co/valgrind/lib/valgrind/vgpreload_memcheck-amd64-linux.so
04e33000-04e34000 rw-p 0000f000 103:00 119946318                         /home/jtruba/co/valgrind/lib/valgrind/vgpreload_memcheck-amd64-linux.so
04e34000-04e4c000 r-xp 00000000 103:03 786451                            /lib/x86_64-linux-gnu/libpthread-2.19.so
04e4c000-0504b000 ---p 00018000 103:03 786451                            /lib/x86_64-linux-gnu/libpthread-2.19.so
0504b000-0504c000 r--p 00017000 103:03 786451                            /lib/x86_64-linux-gnu/libpthread-2.19.so
0504c000-0504d000 rw-p 00018000 103:03 786451                            /lib/x86_64-linux-gnu/libpthread-2.19.so
0504d000-05051000 rw-p 00000000 00:00 0
05051000-05058000 r-xp 00000000 103:03 786474                            /lib/x86_64-linux-gnu/librt-2.19.so
05058000-05257000 ---p 00007000 103:03 786474                            /lib/x86_64-linux-gnu/librt-2.19.so
05257000-05258000 r--p 00006000 103:03 786474                            /lib/x86_64-linux-gnu/librt-2.19.so
05258000-05259000 rw-p 00007000 103:03 786474                            /lib/x86_64-linux-gnu/librt-2.19.so
05259000-0528d000 r-xp 00000000 103:03 279726                            /usr/lib/x86_64-linux-gnu/libjemalloc.so.1
0528d000-0548d000 ---p 00034000 103:03 279726                            /usr/lib/x86_64-linux-gnu/libjemalloc.so.1
0548d000-0548f000 r--p 00034000 103:03 279726                            /usr/lib/x86_64-linux-gnu/libjemalloc.so.1
0548f000-05490000 rw-p 00036000 103:03 279726                            /usr/lib/x86_64-linux-gnu/libjemalloc.so.1
05490000-05491000 rw-p 00000000 00:00 0
05491000-05512000 r-xp 00000000 103:03 266462                            /usr/lib/x86_64-linux-gnu/libgmp.so.10.2.0
05512000-05712000 ---p 00081000 103:03 266462                            /usr/lib/x86_64-linux-gnu/libgmp.so.10.2.0
05712000-05713000 r--p 00081000 103:03 266462                            /usr/lib/x86_64-linux-gnu/libgmp.so.10.2.0
05713000-05714000 rw-p 00082000 103:03 266462                            /usr/lib/x86_64-linux-gnu/libgmp.so.10.2.0
05714000-05717000 r-xp 00000000 103:03 786462                            /lib/x86_64-linux-gnu/libdl-2.19.so
05717000-05916000 ---p 00003000 103:03 786462                            /lib/x86_64-linux-gnu/libdl-2.19.so
05916000-05917000 r--p 00002000 103:03 786462                            /lib/x86_64-linux-gnu/libdl-2.19.so
05917000-05918000 rw-p 00003000 103:03 786462                            /lib/x86_64-linux-gnu/libdl-2.19.so
05918000-05920000 r-xp 00000000 103:03 786461                            /lib/x86_64-linux-gnu/libcrypt-2.19.so
05920000-05b1f000 ---p 00008000 103:03 786461                            /lib/x86_64-linux-gnu/libcrypt-2.19.so
05b1f000-05b20000 r--p 00007000 103:03 786461                            /lib/x86_64-linux-gnu/libcrypt-2.19.so
05b20000-05b21000 rw-p 00008000 103:03 786461                            /lib/x86_64-linux-gnu/libcrypt-2.19.so
05b21000-05b4f000 rw-p 00000000 00:00 0
05b4f000-05c4f000 r-xp 00000000 103:03 786463                            /lib/x86_64-linux-gnu/libm-2.19.so
05c4f000-05e4e000 ---p 00100000 103:03 786463                            /lib/x86_64-linux-gnu/libm-2.19.so
05e4e000-05e4f000 r--p 000ff000 103:03 786463                            /lib/x86_64-linux-gnu/libm-2.19.so
05e4f000-05e50000 rw-p 00100000 103:03 786463                            /lib/x86_64-linux-gnu/libm-2.19.so
05e50000-05ff1000 r-xp 00000000 103:03 786457                            /lib/x86_64-linux-gnu/libc-2.19.so
05ff1000-061f1000 ---p 001a1000 103:03 786457                            /lib/x86_64-linux-gnu/libc-2.19.so
061f1000-061f5000 r--p 001a1000 103:03 786457                            /lib/x86_64-linux-gnu/libc-2.19.so
061f5000-061f7000 rw-p 001a5000 103:03 786457                            /lib/x86_64-linux-gnu/libc-2.19.so
061f7000-061fb000 rw-p 00000000 00:00 0
061fb000-061fd000 r-xp 00000000 103:00 80759038                          /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/encdb.so
061fd000-063fc000 ---p 00002000 103:00 80759038                          /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/encdb.so
063fc000-063fd000 rw-p 00001000 103:00 80759038                          /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/encdb.so
06400000-06800000 rw-p 00000000 00:00 0
06800000-06c00000 rwxp 00000000 00:00 0
06c00000-06c02000 r-xp 00000000 103:00 80759003                          /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/trans/transdb.so
06c02000-06e02000 ---p 00002000 103:00 80759003                          /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/trans/transdb.so
06e02000-06e03000 rw-p 00002000 103:00 80759003                          /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/trans/transdb.so
06e03000-07a03000 rwxp 00000000 00:00 0
07a03000-07a19000 r-xp 00000000 103:03 786893                            /lib/x86_64-linux-gnu/libgcc_s.so.1
07a19000-07c18000 ---p 00016000 103:03 786893                            /lib/x86_64-linux-gnu/libgcc_s.so.1
07c18000-07c19000 rw-p 00015000 103:03 786893                            /lib/x86_64-linux-gnu/libgcc_s.so.1
07c19000-08bc1000 r--s 00000000 103:00 78003143                          /home/jtruba/rubies/ruby-trunk/ruby
58000000-58285000 r-xp 00000000 103:00 119946317                         /home/jtruba/co/valgrind/lib/valgrind/memcheck-amd64-linux
58484000-58487000 rw-p 00284000 103:00 119946317                         /home/jtruba/co/valgrind/lib/valgrind/memcheck-amd64-linux
58487000-59e8b000 rw-p 00000000 00:00 0
1002001000-1002cb4000 rwxp 00000000 00:00 0
1002cb4000-1002cb5000 rw-s 00000000 103:03 5506287                       /tmp/vgdb-pipe-shared-mem-vgdb-47623-by-jtruba-on-???
1002cb5000-1002cbd000 rwxp 00000000 00:00 0
1002cbd000-1002f11000 rwxp 00000000 00:00 0
1002f11000-1002f21000 rwxp 00000000 00:00 0
1002f21000-1002f41000 rwxp 00000000 00:00 0
1002f41000-1002fb1000 rwxp 00000000 00:00 0
1002fb2000-10033ff000 rwxp 00000000 00:00 0
10033ff000-100345b000 rwxp 00000000 00:00 0
1003497000-10034ff000 rwxp 00000000 00:00 0
10034ff000-1003501000 ---p 00000000 00:00 0
1003501000-1003601000 rwxp 00000000 00:00 0
1003601000-1003603000 ---p 00000000 00:00 0
1003603000-100369b000 rwxp 00000000 00:00 0
100369b000-1003c95000 rwxp 00000000 00:00 0
1003c95000-1003cc5000 rwxp 00000000 00:00 0
1003cc6000-1005ce3000 rwxp 00000000 00:00 0
1005ce3000-1005eae000 rwxp 00000000 00:00 0
1005fe3000-10062e3000 rwxp 00000000 00:00 0
10063e3000-10064e3000 rwxp 00000000 00:00 0
10067d8000-10069cd000 rwxp 00000000 00:00 0
10069cd000-1006dcd000 rwxp 00000000 00:00 0
1ffe802000-1fff001000 rw-p 00000000 00:00 0
7ffd25a57000-7ffd25a79000 rw-p 00000000 00:00 0                          [stack]
7ffd25aaa000-7ffd25aac000 r--p 00000000 00:00 0                          [vvar]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]


[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: https://www.ruby-lang.org/bugreport.html
==47623==
==47623== Process terminating with default action of signal 6 (SIGABRT)
==47623==    at 0x5E85067: raise (raise.c:56)
==47623==    by 0x5E86447: abort (abort.c:89)
==47623==    by 0x5F74AC: die (error.c:582)
==47623==    by 0x5F7846: rb_bug_context (error.c:612)
==47623==    by 0x37525E: sigsegv (signal.c:998)
==47623==    by 0x4E4388F: ??? (in /lib/x86_64-linux-gnu/libpthread-2.19.so)
==47623==    by 0x771610C: ???
==47623==
==47623== HEAP SUMMARY:
==47623==     in use at exit: 8,118,241 bytes in 8,053 blocks
==47623==   total heap usage: 9,014 allocs, 961 frees, 8,480,344 bytes allocated
==47623==
==47623== LEAK SUMMARY:
==47623==    definitely lost: 528 bytes in 2 blocks
==47623==    indirectly lost: 4,956 bytes in 45 blocks
==47623==      possibly lost: 6,691,913 bytes in 6,653 blocks
==47623==    still reachable: 1,420,844 bytes in 1,353 blocks
==47623==         suppressed: 0 bytes in 0 blocks
==47623== Rerun with --leak-check=full to see details of leaked memory
==47623==
==47623== For counts of detected and suppressed errors, rerun with: -v
==47623== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
Aborted

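A triage harness for the report above, added here as an example (it is not part of the original bug report or of the Ruby project): it reverses the xxd dump into the 40-byte reproducer, writes it to a temporary file and runs it under the current interpreter with a wall-clock limit, classifying the outcome as a crash (killed by a signal, which is what the ASAN and valgrind runs show), a hang (the `while i=1` modifier loop never terminates once the compiler bug is fixed, because the condition is always truthy) or a normal exit. The `triage` helper, the 2-second limit and the use of `RbConfig.ruby` are this script's own choices, not something the report describes.

```ruby
# Added example, not from the bug report: rebuild the reproducer from the xxd
# dump quoted in the description and triage it like a fuzzer-crash pipeline.
require "rbconfig"
require "tempfile"

# Constructed copy of the three xxd lines from the report (single-quoted
# heredoc so the "#@" in the ASCII column is not interpolated).
XXD_DUMP = <<~'XXD'
  00000000: 2557 0024 7f54 0020 7c7c 6e54 5a20 7768  %W.$.T. ||nTZ wh
  00000010: 696c 6523 4054 456d 6520 7e6f 5b0a 0a0a  ile#@TEme ~o[...
  00000020: 0a0a 0a0a 0a69 3d31                      .....i=1
XXD

# Reverse a default-format xxd dump (the same job as `xxd -r`): the hex field
# is a fixed 39-column window after the 10-character "offset: " prefix, so the
# ASCII column on the right can simply be ignored.
def xxd_reverse(dump)
  dump.each_line.map { |line| [line[10, 39].delete(" ")].pack("H*") }.join.b
end

# Run argv with a wall-clock limit. Returns :crash when the child was killed
# by a signal (SIGSEGV, or SIGABRT from Ruby's own SEGV handler), :timeout
# when it was still running at the deadline, or [:exit, status] otherwise.
def triage(argv, limit: 2.0)
  pid = Process.spawn(*argv, in: :close, out: File::NULL, err: File::NULL)
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + limit
  loop do
    _, status = Process.waitpid2(pid, Process::WNOHANG)
    if status
      return status.signaled? ? :crash : [:exit, status.exitstatus]
    end
    if Process.clock_gettime(Process::CLOCK_MONOTONIC) > deadline
      Process.kill(:KILL, pid)
      Process.wait(pid)
      return :timeout
    end
    sleep 0.05
  end
end

# Materialise the reproducer and run it under the interpreter executing this
# script (an assumption: the report ran a specific trunk build instead).
def triage_repro(dump = XXD_DUMP, limit: 2.0)
  Tempfile.create("repro") do |f|
    f.binmode
    f.write(xxd_reverse(dump))
    f.flush
    triage([RbConfig.ruby, "--disable-gems", f.path], limit: limit)
  end
end

if $PROGRAM_NAME == __FILE__
  bytes = xxd_reverse(XXD_DUMP)
  puts "reproducer: #{bytes.bytesize} bytes, #{bytes.count("\n")} newlines"
  puts "result: #{triage_repro.inspect}"
end
```

On the crashing trunk build the result is :crash; on an interpreter carrying r65350 it is :timeout (or [:exit, 1] if the `nTZ` reference is evaluated and raises NameError), and either of those is the "fixed" signal a regression check should accept. The eight newlines in the decoded bytes are why the parser warning points at line 9.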
Related issues

Is duplicate of Ruby trunk - Bug #15245: Heap buffer overflow (write of size 8) in vm.inc (Closed)

History

Updated by wanabe (_ wanabe) 5 months ago

I guess this is the same as #15245.

$ echo -n "2557 0024 7f54 0020 7c7c 6e54 5a20 7768 696c 6523 4054 456d 6520 7e6f 5b0a 0a0a 0a0a 0a0a 0a69 3d31"|xxd -r -p|ruby --dump=insns
-:9: warning: found `= literal' in conditional, should be ==
== disasm: #<ISeq:<main>@-:1 (1,0)-(9,3)> (catch: FALSE)
== catch table
| catch type: break  st: 0006 ed: 0015 sp: 0000 cont: 0015
| catch type: next   st: 0006 ed: 0015 sp: 0000 cont: 0003
| catch type: redo   st: 0006 ed: 0015 sp: 0000 cont: 0006
|------------------------------------------------------------------------
local table (size: 1, argc: 0 [opts: 0, rest: -1, post: 0, block: -1, kw: -1@-1, kwrest: -1])
[ 1] i@0
0000 jump                         8                                   (   1)[Li]
0002 putnil
0003 pop
0004 jump                         8
0006 putstring                    "$\u007FT"
0008 putobject_INT2FIX_1_                                             (   9)
0009 dup
0010 setlocal_WC_0                i@0
0012 branchif                     6
0014 putnil                                                           (   1)
0015 leave

Updated by nobu (Nobuyoshi Nakada) 5 months ago

  • Is duplicate of Bug #15245: Heap buffer overflow (write of size 8) in vm.inc added

Updated by nobu (Nobuyoshi Nakada) 5 months ago

  • Status changed from Open to Closed

Applied in changeset trunk|r65350.


compile.c: fix peephole optimization

  • compile.c (iseq_peephole_optimize): should pop before jump instruction which succeeds to newarray of a literal object, not after. [ruby-core:89536] [Bug #15245]