Bug #15934
String#b can lead to memory corruption
Description
The following script triggers use-after-free on trunk(801d0d9), 2.4.6, 2.5.5
and 2.6.3.
a = ('j' * 24).b.b
eval('', binding, a)
p a
4.times { GC.start }
p a
The consequence is usually that a
gets corrupted (it depends on what the system allocator does when it frees memory). Here is a sample output for the script:
$> ruby -v bad.rb ruby 2.6.3p62 (2019-04-16 revision 67580) [x86_64-darwin18] "jjjjjjjjjjjjjjjjjjjjjjjj" "D[D'\xFD\a\x00\xF0\x00\x00\x00\x00\x00\x00\x00\x90\x18\x00jjjjjj"
This is caused by the same underlying issue as #15792. Credits to wanabe-san for using eval as a cross-version way of registering a fstring.
I have a fix for this: https://github.com/ruby/ruby/pull/2183
Associated revisions
merge revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca: [Backport #15934]
String#b: Don't depend on dependent string Registering a string that depend on a dependent string as fstring can lead to use-after-free. See c06ddfe and 3f95620 for details. The following script triggers use-after-free on trunk, 2.4.6, 2.5.5 and 2.6.3. Credits to @wanabe for using eval as a cross-version way of registering a fstring. ```ruby a = ('j' * 24).b.b eval('', binding, a) p a 4.times { GC.start } p a ``` - string.c (str_replace_shared_without_enc): when given a dependent string, depend on the root of the dependent string. [Bug #15934]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67733 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merge revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca: [Backport #15934]
String#b: Don't depend on dependent string Registering a string that depend on a dependent string as fstring can lead to use-after-free. See c06ddfe and 3f95620 for details. The following script triggers use-after-free on trunk, 2.4.6, 2.5.5 and 2.6.3. Credits to @wanabe for using eval as a cross-version way of registering a fstring. ```ruby a = ('j' * 24).b.b eval('', binding, a) p a 4.times { GC.start } p a ``` - string.c (str_replace_shared_without_enc): when given a dependent string, depend on the root of the dependent string. [Bug #15934]
merge revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca: [Backport #15934]
String#b: Don't depend on dependent string
Registering a string that depend on a dependent string as fstring can lead to use-after-free. See c06ddfe and 3f95620 for details. The following script triggers use-after-free on trunk, 2.4.6, 2.5.5 and 2.6.3. Credits to @wanabe for using eval as a cross-version way of registering a fstring. ```ruby a = ('j' * 24).b.b eval('', binding, a) p a 4.times { GC.start } p a ``` - string.c (str_replace_shared_without_enc): when given a dependent string, depend on the root of the dependent string. [Bug #15934]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67767 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merge revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca: [Backport #15934]
String#b: Don't depend on dependent string
Registering a string that depend on a dependent string as fstring can lead to use-after-free. See c06ddfe and 3f95620 for details. The following script triggers use-after-free on trunk, 2.4.6, 2.5.5 and 2.6.3. Credits to @wanabe for using eval as a cross-version way of registering a fstring. ```ruby a = ('j' * 24).b.b eval('', binding, a) p a 4.times { GC.start } p a ``` - string.c (str_replace_shared_without_enc): when given a dependent string, depend on the root of the dependent string. [Bug #15934]
History
Updated by alanwu (Alan Wu) 6 months ago
- Status changed from Open to Closed
Applied in changeset git|9dec4e8fc3a6018261834b5ac9b9877f787b97ca.
String#b: Don't depend on dependent string
Registering a string that depend on a dependent string as fstring
can lead to use-after-free. See c06ddfe and 3f95620 for details.
The following script triggers use-after-free on trunk, 2.4.6, 2.5.5
and 2.6.3. Credits to wanabe (_ wanabe) for using eval as a cross-version way
of registering a fstring.
a = ('j' * 24).b.b
eval('', binding, a)
p a
4.times { GC.start }
p a
- string.c (str_replace_shared_without_enc): when given a dependent string, depend on the root of the dependent string.
[Bug #15934]
Updated by nagachika (Tomoyuki Chikanaga) 4 months ago
- Backport changed from 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED
Updated by nagachika (Tomoyuki Chikanaga) 4 months ago
- Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE
ruby_2_6 r67733 merged revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca.
Updated by usa (Usaku NAKAMURA) 4 months ago
- Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE to 2.4: REQUIRED, 2.5: DONE, 2.6: DONE
ruby_2_5 r67767 merged revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca.
String#b: Don't depend on dependent string
Registering a string that depend on a dependent string as fstring
can lead to use-after-free. See c06ddfe and 3f95620 for details.
The following script triggers use-after-free on trunk, 2.4.6, 2.5.5
and 2.6.3. Credits to wanabe (_ wanabe) for using eval as a cross-version way
of registering a fstring.
[Bug #15934]