Bug #20453

closed

Pointer being freed was not allocated in Regexp timeout

Added by dodecadaniel (Daniel Colson) 7 months ago. Updated 4 months ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:117697]

Description

https://bugs.ruby-lang.org/issues/20228 frees stk_base to avoid a memory leak, but stk_base is sometimes stack allocated (see xalloca). So the free only works if the regex stack grows enough that it needs to double (see xmalloc and xrealloc in stack_double).

Reproduction:

Regexp.timeout = 0.001
/^(a*)x$/ =~ "a" * 1000000 + "x"

I'll open a PR shortly.

https://bugs.ruby-lang.org/issues/20228 was backported to 3.3.1, so this bug affects that version as well.

Updated by dodecadaniel (Daniel Colson) 7 months ago

I opened https://github.com/ruby/ruby/pull/10630. I'm still fairly new to all this, so please correct me if I got something wrong!


Updated by peterzhu2118 (Peter Zhu) 7 months ago

  • Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED

Updated by dodecadaniel (Daniel Colson) 7 months ago

  • Status changed from Open to Closed

Applied in changeset git|d292a9b98ce03c76dbe13138d20b9fbf613cc02d.


[Bug #20453] segfault in Regexp timeout

https://bugs.ruby-lang.org/issues/20228 started freeing stk_base to
avoid a memory leak. But stk_base is sometimes stack allocated (using
xalloca), so the free only works if the regex stack has grown enough
to hit stack_double (which uses xmalloc and xrealloc).

To reproduce the problem on master and 3.3.1:

Regexp.timeout = 0.001
/^(a*)x$/ =~ "a" * 1000000 + "x"

Some details about this potential fix:

stk_base == stk_alloc on init, so if stk_base != stk_alloc we can be sure we called stack_double and it's safe to free. It's also safe to free if we've saved the stack to msa->stack_p, since we do the stk_base != stk_alloc check before saving.

This matches the check we do inside stack_double.
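The free-only-if-grown rule described in the report and in the commit message above, as an added illustration that is not Onigmo's code and not the PR's diff: a hypothetical match_stack whose initial buffer is supplied by the caller (standing in for the xalloca'd one), a doubling routine that moves it to the heap on first growth and realloc's afterwards, and a teardown that frees only when stk_base != stk_alloc. The field and function names follow the ticket's terminology, but the struct, INIT_STACK_SIZE and run_scenario are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed initial capacity; in the real engine the initial buffer comes from xalloca. */
#define INIT_STACK_SIZE 4

/* Hypothetical stand-in for the matcher's stack state (not Onigmo's real struct). */
typedef struct {
    int *stk_alloc;   /* the initial, caller-provided buffer (stack memory) */
    int *stk_base;    /* current base: equals stk_alloc until the first grow */
    size_t size;      /* capacity in elements */
    size_t top;       /* number of elements in use */
} match_stack;

static void stack_init(match_stack *s, int *initial, size_t n) {
    s->stk_alloc = initial;
    s->stk_base = initial;   /* invariant at init: stk_base == stk_alloc */
    s->size = n;
    s->top = 0;
}

/* Doubling: the first grow copies out of the stack buffer into the heap;
 * later grows realloc the heap block. Returns 0 on success, -1 on OOM. */
static int stack_double(match_stack *s) {
    size_t new_size = s->size * 2;
    int *p;
    if (s->stk_base == s->stk_alloc) {
        p = malloc(new_size * sizeof *p);          /* like xmalloc */
        if (p == NULL) return -1;
        memcpy(p, s->stk_base, s->size * sizeof *p);
    } else {
        p = realloc(s->stk_base, new_size * sizeof *p);  /* like xrealloc */
        if (p == NULL) return -1;
    }
    s->stk_base = p;
    s->size = new_size;
    return 0;
}

static int stack_push(match_stack *s, int v) {
    if (s->top == s->size && stack_double(s) != 0) return -1;
    s->stk_base[s->top++] = v;
    return 0;
}

/* The pre-fix behaviour: an unconditional free. Correct only after stack_double
 * has run; otherwise it hands stack memory to free(). Shown for contrast, never called. */
void stack_free_unconditional(match_stack *s) {
    free(s->stk_base);
}

/* The fixed teardown: free only if the base has moved away from the initial buffer.
 * Returns 1 if a heap block was released, 0 if the stack buffer was left alone. */
static int stack_free(match_stack *s) {
    if (s->stk_base != s->stk_alloc) {
        free(s->stk_base);
        s->stk_base = s->stk_alloc;   /* restore the init invariant; no double free later */
        return 1;
    }
    return 0;
}

/* Drives one match-like scenario: push n entries, then tear down.
 * Returns 1 if teardown freed heap memory, 0 if nothing needed freeing, -1 on OOM. */
int run_scenario(size_t n) {
    int initial[INIT_STACK_SIZE];   /* plays the role of the xalloca'd buffer */
    match_stack s;
    stack_init(&s, initial, INIT_STACK_SIZE);
    for (size_t i = 0; i < n; i++) {
        if (stack_push(&s, (int)i) != 0) {
            stack_free(&s);
            return -1;
        }
    }
    return stack_free(&s);
}

int main(void) {
    /* A short match never grows the stack, so there is nothing to free. */
    printf("short match, heap freed: %d\n", run_scenario(3));
    /* A long match doubles at least once, so the heap block is freed exactly once. */
    printf("long match, heap freed: %d\n", run_scenario(100));
    return 0;
}
```

The boundary case worth noting is a stack that fills exactly to INIT_STACK_SIZE without a push beyond it: no doubling happens, stk_base still equals stk_alloc, and the teardown correctly leaves it alone; one more push triggers the move to the heap and the free.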

Updated by k0kubun (Takashi Kokubun) 6 months ago

  • Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE

Updated by nagachika (Tomoyuki Chikanaga) 4 months ago

  • Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: WONTFIX, 3.3: DONE

Since I have marked https://bugs.ruby-lang.org/issues/20228 as Backport: "3.2 WONTFIX", I believe the issue is not present in the ruby_3_2 branch now. Therefore, I will mark this ticket as "3.2: WONTFIX" as well.

I have partially backported d292a9b98ce03c76dbe13138d20b9fbf613cc02d (only the test case) in c22398f96c29c2357bee50b291c358cc34837013.
