Bug #6099

[BUG] probable buffer overflow

Added by Usaku NAKAMURA about 3 years ago. Updated about 3 years ago.

[ruby-dev:45296]
Status: Closed
Priority: Normal
Assignee: Nobuyoshi Nakada
ruby -v: ruby 2.0.0dev (2012-02-27 trunk 34828) [i386-netbsdelf]
Backport:

Description

On a whim I ran the code below and got the [BUG] in the title.
I don't think it is very serious, but I am reporting it anyway.
I think there are other methods where something similar can be done.
There should be no platform dependence.

% ruby -e '
r, w = IO.pipe
buf = " " * 100
Thread.new{p r.sysread(100, buf)}
Thread.pass
buf.replace("")
p buf.bytesize; w.write("a" * 100)
Thread.pass
'

Associated revisions

Revision 34846
Added by Nobuyoshi Nakada about 3 years ago

  • io.c (io_fread, io_getpartial, rb_io_sysread): set buffer size after check if readable, which can cause thread switch. [Bug #6099]

History

#1 Updated by Masaki Matsushita about 3 years ago

IO#readpartial seems to have the same problem.

require "fcntl"

r, w = IO.pipe
r.fcntl(Fcntl::F_SETFL, Fcntl::O_NONBLOCK)
buf = " " * 100
t = Thread.new{p r.readpartial(100, buf)}
sleep 0.1
Thread.pass
buf.replace("")
p buf.bytesize; w.write("a" * 100)
Thread.pass
t.join
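The race in the description and in comment #1 is the same one: a caller-supplied buffer is resized before the blocking readability wait, and another thread shrinks it while the reader sleeps. The following is an added regression check, not code from the ticket or from io.c; it drives both IO#sysread and IO#readpartial through that exact interleaving and reports what the read returned. On a fixed interpreter the read either resizes the buffer only after the wait (r34846) or, on newer versions, keeps the buffer temporarily locked so the concurrent replace is refused with a RuntimeError; either way the data must land in a correctly sized string.

```ruby
# Added regression check for Bug #6099 (constructed example, not from the ticket).
# A reader thread blocks in IO#sysread or IO#readpartial with a caller-supplied
# buffer while the main thread tries to shrink that buffer before data arrives.
def buffer_shrink_race(len: 100, meth: :sysread)
  r, w = IO.pipe
  buf = " " * len
  result = nil
  reader = Thread.new { result = r.public_send(meth, len, buf) }
  # Park until the reader is actually blocked inside the read (stop? is true
  # for a sleeping or dead thread; a dead one re-raises on join below).
  sleep 0.01 until reader.stop?
  replace_refused = false
  begin
    buf.replace("")        # shrink the buffer underneath the blocked reader
  rescue RuntimeError      # "can't modify string; temporarily locked" on newer Rubies
    replace_refused = true
  end
  size_before_write = buf.bytesize
  w.write("a" * len)       # 100 bytes is below PIPE_BUF, so one write suffices
  reader.join
  {
    data: result,                         # what the read returned
    same_object: result.equal?(buf),      # the read filled the caller's buffer
    size_before_write: size_before_write, # 0 if the shrink went through
    size_after: buf.bytesize,             # must be back to len, never a stale 0
    replace_refused: replace_refused      # true on interpreters that lock buf
  }
ensure
  r&.close
  w&.close
end
```

On a pre-r34846 interpreter the same interleaving is what produced the [BUG] abort, so a crash here rather than a return value is the failing outcome.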

#2 Updated by Nobuyoshi Nakada about 3 years ago

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r34846.
Usaku, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • io.c (io_fread, io_getpartial, rb_io_sysread): set buffer size after check if readable, which can cause thread switch. [Bug #6099]

#3 Updated by Yui NARUSE about 3 years ago

  • Status changed from Closed to Assigned
  • Assignee set to Nobuyoshi Nakada
  • Priority changed from Low to Normal

Masaki Matsushita wrote:

IO#readpartial seems to have the same problem.

require "fcntl"

r, w = IO.pipe
r.fcntl(Fcntl::F_SETFL, Fcntl::O_NONBLOCK)
buf = " " * 100
t = Thread.new{p r.readpartial(100, buf)}
sleep 0.1
Thread.pass
buf.replace("")
p buf.bytesize; w.write("a" * 100)
Thread.pass
t.join

As the documentation of IO#readpartial says:
* It blocks only if ios has no data immediately available.
* The latter means that readpartial is nonblocking-flag insensitive.
* It blocks on the situation IO#sysread causes Errno::EWOULDBLOCK as if the fd is blocking mode.
it can still block even after r.fcntl(Fcntl::F_SETFL, Fcntl::O_NONBLOCK). So a [BUG] is clearly wrong, but expecting that code to get through is also wrong.

#4 Updated by Masaki Matsushita about 3 years ago

Yui NARUSE wrote:

As the documentation of IO#readpartial says:
* It blocks only if ios has no data immediately available.
* The latter means that readpartial is nonblocking-flag insensitive.
* It blocks on the situation IO#sysread causes Errno::EWOULDBLOCK as if the fd is blocking mode.
it can still block even after r.fcntl(Fcntl::F_SETFL, Fcntl::O_NONBLOCK).
So a [BUG] is clearly wrong, but expecting that code to get through is also wrong.

So IO#readpartial can also block in some cases.
I learned something.

#5 Updated by Yui NARUSE about 3 years ago

  • Status changed from Assigned to Closed
