Bug #21461
Heap-buffer-overflow in Prism when encoding magic comment is invalid and assignment is incomplete
Status: open
Description
An AddressSanitizer (ASan) heap-buffer-overflow occurs in Ruby when:
- the file contains an invalid magic encoding comment, and
- a line contains an incomplete assignment (e.g. the right-hand side is missing).
This leads to a crash in pm_parse_errors_format_sort, caused by prism_compile.c accessing a freed or uninitialized memory region.
Input
# -*- coding: abc -*-
$a =
Expected output
unknown or invalid encoding in the magic comment (ArgumentError)
ASan output
=================================================================
==719525==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300002af88 at pc 0x559137d4f16a bp 0x7ffd85551fe0 sp 0x7ffd85551fd0
WRITE of size 8 at 0x60300002af88 thread T0
#0 0x559137d4f169 in pm_parse_errors_format_sort ../prism_compile.c:10620
#1 0x559137d4f169 in pm_parse_errors_format ../prism_compile.c:10687
#2 0x559137e08753 in pm_parse_process_error ../prism_compile.c:10999
#3 0x559137e08753 in pm_parse_process ../prism_compile.c:11105
#4 0x559137e7811d in pm_parse_file ../prism_compile.c:11391
#5 0x559137960743 in prism_script ../ruby.c:2236
#6 0x559137960743 in process_options ../ruby.c:2563
#7 0x55913796228f in ruby_process_options ../ruby.c:3199
#8 0x5591376a2406 in ruby_options ../eval.c:117
#9 0x5591376937fe in rb_main ../main.c:42
#10 0x5591376937fe in main ../main.c:62
#11 0x7f69beed2082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#12 0x559137694dcd in _start (/home/program/build/ruby+0x15cdcd)
0x60300002af88 is located 0 bytes to the right of 24-byte region [0x60300002af70,0x60300002af88)
allocated by thread T0 here:
#0 0x7f69bf427a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
#1 0x5591377119bd in calloc1 ../gc/default/default.c:1490
#2 0x5591377119bd in rb_gc_impl_calloc ../gc/default/default.c:8162
#3 0x5591377119bd in ruby_xcalloc_body ../gc.c:5327
SUMMARY: AddressSanitizer: heap-buffer-overflow ../prism_compile.c:10620 in pm_parse_errors_format_sort
Shadow bytes around the buggy address:
0x0c067fffd5a0: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa
0x0c067fffd5b0: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
0x0c067fffd5c0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
0x0c067fffd5d0: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
0x0c067fffd5e0: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00
=>0x0c067fffd5f0: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==719525==ABORTING
input.rb: [BUG] ASAN error
ruby 3.5.0dev (2025-06-11T18:07:43Z master 970813d982) +PRISM [x86_64-linux]
-- Control frame information -----------------------------------------------
c:0001 p:0000 s:0003 E:000720 DUMMY [FINISH]
-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 1
-- C level backtrace information -------------------------------------------
/lib/x86_64-linux-gnu/libasan.so.5(__interceptor_backtrace+0x40) [0x7f69bf386d40] ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:4022
/home/program/build/ruby(rb_print_backtrace+0x11) [0x559137fceda9] ../vm_dump.c:843
/home/program/build/ruby(rb_vm_bugreport) ../vm_dump.c:1175
/home/program/build/ruby(rb_bug_without_die_internal+0xc3) [0x559137efa4b6] ../error.c:1097
/home/program/build/ruby(rb_bug_without_die) ../error.c:1106
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf44fe58) [0x7f69bf44fe58]
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf43152c) [0x7f69bf43152c]
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf430fa3) [0x7f69bf430fa3]
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf43238e) [0x7f69bf43238e]
/home/program/build/ruby(pm_parse_errors_format_sort+0x12) [0x559137d4f16a] ../prism_compile.c:10620
/home/program/build/ruby(pm_parse_errors_format) ../prism_compile.c:10687
/home/program/build/ruby(pm_parse_process_error+0x84) [0x559137e08754] ../prism_compile.c:10999
/home/program/build/ruby(pm_parse_process) ../prism_compile.c:11105
/home/program/build/ruby(rbimpl_intern_const+0x0) [0x559137e7811e] ../prism_compile.c:11391
/home/program/build/ruby(pm_parse_file) ../prism_compile.c:11396
/home/program/build/ruby(prism_script+0xa4) [0x559137960744] ../ruby.c:2236
/home/program/build/ruby(process_options) ../ruby.c:2563
/home/program/build/ruby(ruby_process_options+0x3f0) [0x559137962290] ../ruby.c:3199
/home/program/build/ruby(ruby_options+0x2a7) [0x5591376a2407] ../eval.c:117
/home/program/build/ruby(rb_main+0x19) [0x5591376937ff] ../main.c:42
/home/program/build/ruby(main) ../main.c:62
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0x7f69beed2083]
/home/program/build/ruby(_start) [0x559137694dce]
-- Other runtime information -----------------------------------------------
* Loaded script: input.rb
* Loaded features:
0 enumerator.so
1 thread.rb
2 fiber.so
3 rational.so
4 complex.so
5 ruby2_keywords.rb
6 set.rb
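Added triage example (not part of this ticket and not Ruby project code): a small Ruby helper that parses an ASan heap-buffer-overflow report into structured fields and works out where the faulting access landed relative to the allocation. The embedded report text is a constructed, abbreviated copy of the output above; the function names parse_asan_report and overflow_summary are my own.

```ruby
# Parses an AddressSanitizer heap-buffer-overflow report into a hash
# (error kind, access, faulting frame, allocation region, allocator) and
# computes how far outside the allocation the access landed.

# Constructed input: abbreviated copy of the ASan report from this ticket.
ASAN_REPORT = <<~'ASAN'
  ==719525==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300002af88 at pc 0x559137d4f16a bp 0x7ffd85551fe0 sp 0x7ffd85551fd0
  WRITE of size 8 at 0x60300002af88 thread T0
      #0 0x559137d4f169 in pm_parse_errors_format_sort ../prism_compile.c:10620
      #1 0x559137d4f169 in pm_parse_errors_format ../prism_compile.c:10687
      #2 0x559137e08753 in pm_parse_process_error ../prism_compile.c:10999
  0x60300002af88 is located 0 bytes to the right of 24-byte region [0x60300002af70,0x60300002af88)
  allocated by thread T0 here:
      #0 0x7f69bf427a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
      #1 0x5591377119bd in calloc1 ../gc/default/default.c:1490
  SUMMARY: AddressSanitizer: heap-buffer-overflow ../prism_compile.c:10620 in pm_parse_errors_format_sort
ASAN

def parse_asan_report(text)
  report = {}

  # Header line: error kind and faulting address.
  if (m = text.match(/ERROR: AddressSanitizer: (\S+) on address (0x\h+)/))
    report[:kind] = m[1]
    report[:address] = m[2].hex
  end

  # Access line: READ/WRITE and access width in bytes.
  if (m = text.match(/^\s*(READ|WRITE) of size (\d+) at (0x\h+)/))
    report[:access] = m[1].downcase.to_sym
    report[:access_size] = m[2].to_i
  end

  # The first "#0" frame in the report is the faulting frame (the allocation
  # stack with its own "#0" comes later in the text).
  if (m = text.match(/#0 0x\h+ in (\w+) (\S+):(\d+)/))
    report[:frame] = { function: m[1], file: m[2], line: m[3].to_i }
  end

  # Allocation region: distance, side, size and [start,end) bounds.
  if (m = text.match(/located (\d+) bytes to the (left|right) of (\d+)-byte region \[(0x\h+),(0x\h+)\)/))
    report[:distance] = m[1].to_i
    report[:side] = m[2].to_sym
    report[:region_size] = m[3].to_i
    report[:region_start] = m[4].hex
    report[:region_end] = m[5].hex
  end

  # Allocator used for the region, with the ASan interceptor prefix dropped.
  if (m = text.match(/allocated by thread \S+ here:\s*#0 0x\h+ in (?:__interceptor_)?(\w+)/))
    report[:allocator] = m[1]
  end

  report
end

# Interprets the access as an element of an array whose element width equals
# the access width, which is the usual shape of an off-by-N indexing bug.
def overflow_summary(report)
  return nil unless report[:region_start] && report[:access_size]

  offset = report[:address] - report[:region_start] # byte offset from region start
  element = report[:access_size]
  {
    offset: offset,
    capacity_elements: report[:region_size] / element,
    faulting_index: offset / element,
    overrun_bytes: [offset + element - report[:region_size], 0].max,
  }
end

if __FILE__ == $PROGRAM_NAME
  r = parse_asan_report(ASAN_REPORT)
  puts "#{r[:kind]}: #{r[:access]} of #{r[:access_size]} bytes in #{r[:frame][:function]} (#{r[:frame][:file]}:#{r[:frame][:line]})"
  puts "region: #{r[:region_size]} bytes from #{r[:allocator]}, summary: #{overflow_summary(r)}"
end
```

For the report above this yields an offset of 24 into a 24-byte region: an 8-byte write at element index 3 of a 3-element array, i.e. one element past the end of the calloc'd buffer. Having that number in hand makes it easy to confirm, when the fix is reviewed, that the array sizing and the loop bound in pm_parse_errors_format_sort now agree.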
Environment
Ruby version: ruby 3.5.0dev (2025-06-11 commit 970813d982) +PRISM
Platform: x86_64-linux
Built from source
Parser backend: Prism (default)