Bug #21461
Heap-buffer-overflow in Prism when encoding magic comment is invalid and assignment is incomplete

Added by bendrissou (Bachir Bendrissou) 4 months ago. Updated 3 months ago.

Status: Closed
Assignee:
Target version: -
[ruby-core:122625]

Description

An AddressSanitizer (ASan) heap-buffer-overflow occurs in Ruby when:

  1. The file contains an invalid magic encoding comment, and

  2. the file contains a line with an incomplete assignment (e.g. a missing right-hand side).

This leads to a crash in pm_parse_errors_format_sort, caused by prism_compile.c accessing a freed or uninitialized memory region.

Input

# -*- coding: abc -*-

$a = 

Expected output

unknown or invalid encoding in the magic comment (ArgumentError)

ASan output

=================================================================
==719525==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300002af88 at pc 0x559137d4f16a bp 0x7ffd85551fe0 sp 0x7ffd85551fd0
WRITE of size 8 at 0x60300002af88 thread T0
    #0 0x559137d4f169 in pm_parse_errors_format_sort ../prism_compile.c:10620
    #1 0x559137d4f169 in pm_parse_errors_format ../prism_compile.c:10687
    #2 0x559137e08753 in pm_parse_process_error ../prism_compile.c:10999
    #3 0x559137e08753 in pm_parse_process ../prism_compile.c:11105
    #4 0x559137e7811d in pm_parse_file ../prism_compile.c:11391
    #5 0x559137960743 in prism_script ../ruby.c:2236
    #6 0x559137960743 in process_options ../ruby.c:2563
    #7 0x55913796228f in ruby_process_options ../ruby.c:3199
    #8 0x5591376a2406 in ruby_options ../eval.c:117
    #9 0x5591376937fe in rb_main ../main.c:42
    #10 0x5591376937fe in main ../main.c:62
    #11 0x7f69beed2082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #12 0x559137694dcd in _start (/home/program/build/ruby+0x15cdcd)

0x60300002af88 is located 0 bytes to the right of 24-byte region [0x60300002af70,0x60300002af88)
allocated by thread T0 here:
    #0 0x7f69bf427a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x5591377119bd in calloc1 ../gc/default/default.c:1490
    #2 0x5591377119bd in rb_gc_impl_calloc ../gc/default/default.c:8162
    #3 0x5591377119bd in ruby_xcalloc_body ../gc.c:5327

SUMMARY: AddressSanitizer: heap-buffer-overflow ../prism_compile.c:10620 in pm_parse_errors_format_sort
Shadow bytes around the buggy address:
  0x0c067fffd5a0: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x0c067fffd5b0: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fffd5c0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
  0x0c067fffd5d0: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c067fffd5e0: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00
=>0x0c067fffd5f0: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==719525==ABORTING
input.rb: [BUG] ASAN error
ruby 3.5.0dev (2025-06-11T18:07:43Z master 970813d982) +PRISM [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0001 p:0000 s:0003 E:000720 DUMMY  [FINISH]


-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 1

-- C level backtrace information -------------------------------------------
/lib/x86_64-linux-gnu/libasan.so.5(__interceptor_backtrace+0x40) [0x7f69bf386d40] ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:4022
/home/program/build/ruby(rb_print_backtrace+0x11) [0x559137fceda9] ../vm_dump.c:843
/home/program/build/ruby(rb_vm_bugreport) ../vm_dump.c:1175
/home/program/build/ruby(rb_bug_without_die_internal+0xc3) [0x559137efa4b6] ../error.c:1097
/home/program/build/ruby(rb_bug_without_die) ../error.c:1106
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf44fe58) [0x7f69bf44fe58]
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf43152c) [0x7f69bf43152c]
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf430fa3) [0x7f69bf430fa3]
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf43238e) [0x7f69bf43238e]
/home/program/build/ruby(pm_parse_errors_format_sort+0x12) [0x559137d4f16a] ../prism_compile.c:10620
/home/program/build/ruby(pm_parse_errors_format) ../prism_compile.c:10687
/home/program/build/ruby(pm_parse_process_error+0x84) [0x559137e08754] ../prism_compile.c:10999
/home/program/build/ruby(pm_parse_process) ../prism_compile.c:11105
/home/program/build/ruby(rbimpl_intern_const+0x0) [0x559137e7811e] ../prism_compile.c:11391
/home/program/build/ruby(pm_parse_file) ../prism_compile.c:11396
/home/program/build/ruby(prism_script+0xa4) [0x559137960744] ../ruby.c:2236
/home/program/build/ruby(process_options) ../ruby.c:2563
/home/program/build/ruby(ruby_process_options+0x3f0) [0x559137962290] ../ruby.c:3199
/home/program/build/ruby(ruby_options+0x2a7) [0x5591376a2407] ../eval.c:117
/home/program/build/ruby(rb_main+0x19) [0x5591376937ff] ../main.c:42
/home/program/build/ruby(main) ../main.c:62
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0x7f69beed2083]
/home/program/build/ruby(_start) [0x559137694dce]

-- Other runtime information -----------------------------------------------

* Loaded script: input.rb

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 fiber.so
    3 rational.so
    4 complex.so
    5 ruby2_keywords.rb
    6 set.rb

Environment

Ruby version: ruby 3.5.0dev (2025-06-11 commit 970813d982) +PRISM

Platform: x86_64-linux

Built from source

Parser backend: Prism (default)

Updated by byroot (Jean Boussier) 4 months ago #1 [ruby-core:122635]

  • Assignee set to prism

Updated by tenderlovemaking (Aaron Patterson) 3 months ago #2

  • Status changed from Open to Closed

Applied in changeset git|dabdd81d178ed91ca0feb0875ce0df927df0f3fb.


Fix linked list iteration when displaying errors

When a script has a problem with the magic comment encoding, we only
display that error. However, if there are other syntax errors in the
file, the error linked list could contain multiple items. This led to
an inconsistency between the "size" field of the linked list and the actual
items in the linked list. In other words, the linked list had more than
one item, but the size field was one.

The error display routine would only allocate size items, but
iterating the linked list would overrun the array. This commit changes
the iterator to compare the current node to the "finish" node in the
linked list, no longer assuming the linked list ends with NULL.

[Bug #21461]
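The size/chain inconsistency described in the commit message, and the overrun it caused in the report above, as an added C example. This is illustration code written for this page, not Prism's or Ruby's own; the type and function names (diag_node_t, diag_list_t, single_error_view, collect_until_null, collect_until_finish, format_sorted) and the two diagnostics with their offsets are assumptions constructed to mirror the reporter's input (an encoding error from the magic comment followed by a syntax error from the dangling `$a = `). Both iteration strategies are shown side by side so the difference in visited-node counts is visible without actually corrupting memory.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical error-list types, modeled on the commit message's description.
 * Names are assumptions for illustration, not Prism's real API. */
typedef struct diag_node {
    struct diag_node *next;
    size_t start;          /* byte offset of the error; used as the sort key */
    const char *message;
} diag_node_t;

typedef struct {
    size_t size;           /* what the formatter trusts when it allocates */
    diag_node_t *head;
    diag_node_t *tail;     /* the "finish" node: last node that should be displayed */
} diag_list_t;

static void diag_list_append(diag_list_t *list, diag_node_t *node) {
    node->next = NULL;
    if (list->tail) list->tail->next = node; else list->head = node;
    list->tail = node;
    list->size++;
}

/* The encoding-error path: a one-item view of the argument error is created,
 * but error->next still chains on to the syntax errors that follow it. */
static diag_list_t single_error_view(diag_node_t *error) {
    diag_list_t view = { .size = 1, .head = error, .tail = error };
    return view;
}

/* Pre-fix iteration: walk until NULL. Returns how many nodes the walk would
 * write into a buffer of list->size entries; a count above list->size is the
 * heap-buffer-overflow ASan reported. Writes are bounded here so that the
 * demonstration itself stays memory-safe. */
static size_t collect_until_null(const diag_list_t *list, const diag_node_t **out) {
    size_t n = 0;
    for (const diag_node_t *e = list->head; e != NULL; e = e->next) {
        if (n < list->size) out[n] = e;
        n++;
    }
    return n;
}

/* Post-fix iteration: stop at the node after the finish node (list->tail),
 * regardless of whether the chain continues past it. */
static size_t collect_until_finish(const diag_list_t *list, const diag_node_t **out) {
    size_t n = 0;
    const diag_node_t *finish = list->tail ? list->tail->next : NULL;
    for (const diag_node_t *e = list->head; e != finish; e = e->next) {
        if (n == list->size) break;   /* defensive: size and chain still disagree */
        out[n++] = e;
    }
    return n;
}

static int cmp_by_start(const void *a, const void *b) {
    const diag_node_t *x = *(const diag_node_t *const *) a;
    const diag_node_t *y = *(const diag_node_t *const *) b;
    return (x->start > y->start) - (x->start < y->start);
}

/* Sorted snapshot of the errors to display, allocated from list->size the way
 * a formatter would. Caller frees the result. */
static const diag_node_t **format_sorted(const diag_list_t *list, size_t *count) {
    const diag_node_t **errors = calloc(list->size ? list->size : 1, sizeof(*errors));
    if (!errors) { *count = 0; return NULL; }
    *count = collect_until_finish(list, errors);
    qsort(errors, *count, sizeof(*errors), cmp_by_start);
    return errors;
}

/* Constructed scenario mirroring the report: the magic-comment encoding error,
 * then a syntax error for the incomplete "$a = ". Offsets and the second
 * message text are made up for the example. */
static diag_list_t build_report_scenario(diag_node_t nodes[2]) {
    nodes[0] = (diag_node_t){ .next = NULL, .start = 0,
                              .message = "unknown or invalid encoding in the magic comment" };
    nodes[1] = (diag_node_t){ .next = NULL, .start = 27,
                              .message = "expected an expression after `='" };
    diag_list_t all = { 0, NULL, NULL };
    diag_list_append(&all, &nodes[0]);
    diag_list_append(&all, &nodes[1]);
    return single_error_view(&nodes[0]);   /* size == 1, but head->next != NULL */
}

int main(void) {
    diag_node_t nodes[2];
    diag_list_t view = build_report_scenario(nodes);
    const diag_node_t *scratch[2];
    printf("size field: %zu, nodes visited until NULL: %zu, until finish: %zu\n",
           view.size, collect_until_null(&view, scratch), collect_until_finish(&view, scratch));
    size_t count;
    const diag_node_t **sorted = format_sorted(&view, &count);
    for (size_t i = 0; i < count; i++) printf("%zu: %s\n", sorted[i]->start, sorted[i]->message);
    free(sorted);
    return 0;
}
```

The NULL-terminated walk visits two nodes for a list whose size field says one, which is exactly the one-entry-past-the-end write ASan flagged; bounding the walk by the finish node keeps the iteration consistent with the allocation even when later nodes remain chained.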
