Project

General

Profile

Bug #15934

String#b can lead to memory corruption

Added by alanwu (Alan Wu) about 1 year ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
ruby -v:
trunk(801d0d9), 2.4.6, 2.5.5, 2.6.3
[ruby-core:93207]

Description

The following script triggers use-after-free on trunk(801d0d9), 2.4.6, 2.5.5
and 2.6.3.

a = ('j' * 24).b.b
eval('', binding, a)

p a
4.times { GC.start }
p a

The consequence is usually that a gets corrupted (it depends on what the system allocator does when it frees memory). Here is a sample output for the script:

$> ruby -v bad.rb
ruby 2.6.3p62 (2019-04-16 revision 67580) [x86_64-darwin18]
"jjjjjjjjjjjjjjjjjjjjjjjj"
"D[D'\xFD\a\x00\xF0\x00\x00\x00\x00\x00\x00\x00\x90\x18\x00jjjjjj"

This is caused by the same underlying issue as #15792. Credits to wanabe-san for using eval as a cross-version way of registering a fstring.

I have a fix for this: https://github.com/ruby/ruby/pull/2183

#1

Updated by alanwu (Alan Wu) about 1 year ago

  • Status changed from Open to Closed

Applied in changeset git|9dec4e8fc3a6018261834b5ac9b9877f787b97ca.


String#b: Don't depend on dependent string

Registering a string that depend on a dependent string as fstring
can lead to use-after-free. See c06ddfe and 3f95620 for details.

The following script triggers use-after-free on trunk, 2.4.6, 2.5.5
and 2.6.3. Credits to wanabe (_ wanabe) for using eval as a cross-version way
of registering a fstring.

a = ('j' * 24).b.b
eval('', binding, a)

p a
4.times { GC.start }
p a
  • string.c (str_replace_shared_without_enc): when given a dependent string, depend on the root of the dependent string.

[Bug #15934]

#2

Updated by nagachika (Tomoyuki Chikanaga) 11 months ago

  • Backport changed from 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED

Updated by nagachika (Tomoyuki Chikanaga) 11 months ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE

ruby_2_6 r67733 merged revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca.

Updated by usa (Usaku NAKAMURA) 11 months ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE to 2.4: REQUIRED, 2.5: DONE, 2.6: DONE

ruby_2_5 r67767 merged revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca.

Also available in: Atom PDF