Project

General

Profile

Actions
Copy link

Bug #15934

closed

String#b can lead to memory corruption

Added by alanwu (Alan Wu) over 3 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
ruby -v:
trunk(801d0d9), 2.4.6, 2.5.5, 2.6.3
Backport:
2.4: REQUIRED, 2.5: DONE, 2.6: DONE
[ruby-core:93207]

Description

The following script triggers use-after-free on trunk(801d0d9), 2.4.6, 2.5.5
and 2.6.3.

a = ('j' * 24).b.b
eval('', binding, a)

p a
4.times { GC.start }
p a

The consequence is usually that a gets corrupted (it depends on what the system allocator does when it frees memory). Here is a sample output for the script:

$> ruby -v bad.rb
ruby 2.6.3p62 (2019-04-16 revision 67580) [x86_64-darwin18]
"jjjjjjjjjjjjjjjjjjjjjjjj"
"D[D'\xFD\a\x00\xF0\x00\x00\x00\x00\x00\x00\x00\x90\x18\x00jjjjjj"

This is caused by the same underlying issue as #15792. Credits to wanabe-san for using eval as a cross-version way of registering a fstring.

I have a fix for this: https://github.com/ruby/ruby/pull/2183

Actions
Copy link
 #1

Updated by alanwu (Alan Wu) over 3 years ago

  • Status changed from Open to Closed

Applied in changeset git|9dec4e8fc3a6018261834b5ac9b9877f787b97ca.

String#b: Don't depend on dependent string

Registering a string that depend on a dependent string as fstring
can lead to use-after-free. See c06ddfe and 3f95620 for details.

The following script triggers use-after-free on trunk, 2.4.6, 2.5.5
and 2.6.3. Credits to @wanabe (_ wanabe) for using eval as a cross-version way
of registering a fstring.

a = ('j' * 24).b.b
eval('', binding, a)

p a
4.times { GC.start }
p a
  • string.c (str_replace_shared_without_enc): when given a
    dependent string, depend on the root of the dependent
    string.

[Bug #15934]

Actions
Copy link
 #2

Updated by nagachika (Tomoyuki Chikanaga) about 3 years ago

  • Backport changed from 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED
Actions
Copy link
 #3 [ruby-core:94175]

Updated by nagachika (Tomoyuki Chikanaga) about 3 years ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE

ruby_2_6 r67733 merged revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca.

Actions
Copy link
 #4 [ruby-core:94576]

Updated by usa (Usaku NAKAMURA) about 3 years ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE to 2.4: REQUIRED, 2.5: DONE, 2.6: DONE

ruby_2_5 r67767 merged revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca.

Actions
Copy link

Also available in: Atom PDF