Bug #21380
Use-After-Free in String#split with In-Block String Modification
Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
3.5.0
Description
A use-after-free bug can be triggered in Ruby's String#split when the target string is modified within the block passed to split.
Ruby version:
./ruby -v
ruby 3.5.0dev (2025-05-28T04:34:40Z master d064fd067b) +PRISM [x86_64-linux]
Program input:
str = "one two"
def mutate(s)
  s.prepend("junk" * 1000)   # grows the string so its buffer is reallocated while split still holds the old pointer
end
counter = 0
loop do
  str.split { mutate(str) }  # the block mutates the receiver while split is still iterating over it
  counter += 1
  break if counter > 10
end
ASAN output:
=================================================================
==30097==ERROR: AddressSanitizer: heap-use-after-free on address 0x526000002fe4 at pc 0x562c9f1bad20 bp 0x7ffc937b5440 sp 0x7ffc937b5430
READ of size 1 at 0x526000002fe4 thread T0
#0 0x562c9f1bad1f in rb_str_split_m ../string.c:9765
#1 0x562c9f2eb9c5 in vm_call_cfunc_with_frame_ ../vm_insnhelper.c:3774
#2 0x562c9f3056f6 in vm_sendish ../vm_insnhelper.c:5971
#3 0x562c9f3543b7 in vm_exec_core ../insns.def:851
#4 0x562c9f32315e in rb_vm_exec ../vm.c:2625
#5 0x562c9f367157 in rb_iseq_eval_main ../vm.c:2905
#6 0x562c9ee6078a in rb_ec_exec_node ../eval.c:281
#7 0x562c9ee67e4d in ruby_run_node ../eval.c:319
#8 0x562c9ee575c1 in rb_main ../main.c:42
#9 0x562c9ee575c1 in main ../main.c:62
#10 0x7f7ecc8811c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 42c84c92e6f98126b3e2230ebfdead22c235b667)
#11 0x7f7ecc88128a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 42c84c92e6f98126b3e2230ebfdead22c235b667)
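The root cause above is that split keeps iterating the receiver's buffer after the block has reallocated it. The following is an added example, not code from the report or from Ruby's fix: a caller-side pattern for code that has to run on an interpreter without the changeset, which runs the block against a frozen private copy so that whatever the block does to the original string cannot touch the buffer split is reading. The helper name split_isolated and the demo function are assumptions of this example.

```ruby
# Added example (not from the bug report or from Ruby's fix in the changeset).
# Run String#split's block over a frozen private copy of the receiver. A frozen
# string cannot be grown or reallocated, so a block that mutates the original
# (as the report's mutate helper does) never invalidates the buffer split iterates.
def split_isolated(str, pattern = nil, &block)
  snapshot = str.dup.freeze          # split walks this copy; it cannot be modified
  pieces = []
  snapshot.split(pattern) do |piece|
    pieces << piece
    block.call(piece) if block       # the caller's block may still mutate `str` via its closure
  end
  pieces
end

# Demonstration using the report's mutation pattern: the original string is
# prepended to on every piece, yet the pieces come out unchanged and the
# original ends up with the prepended text (constructed sample input).
def demo
  str = "one two".dup                # .dup so the literal is an ordinary mutable string
  pieces = split_isolated(str) { |_piece| str.prepend("junk") }
  { pieces: pieces, original: str }
end

if __FILE__ == $0
  p demo
end
```

The copy costs one allocation per call, which is the trade-off for not depending on the interpreter's own guard; on a patched Ruby the changeset prohibits the modification outright, so this helper is only needed where that fix is absent.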
Updated by nobu (Nobuyoshi Nakada) 1 day ago
- Status changed from Open to Closed
Applied in changeset git|fa85d23ff4a02985ebfe0716b0ff768f5b4fe13d.
[Bug #21380] Prohibit modification in String#split block
Reported at https://hackerone.com/reports/3163876
Updated by nobu (Nobuyoshi Nakada) about 22 hours ago
- Backport changed from 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN to 3.2: REQUIRED, 3.3: REQUIRED, 3.4: REQUIRED