
Bug #21787

Updated by nobu (Nobuyoshi Nakada) about 9 hours ago

From: https://hackerone.com/reports/3437743 

The `IO::Buffer` implementation in Ruby contains a critical integer overflow vulnerability in its range validation logic. The `io_buffer_validate_range` function assumes that `offset+length` never wraps around, allowing an attacker to bypass bounds checking with a carefully chosen large offset value. When the sum overflows, it appears to be within bounds while the actual destination pointer underflows.
Subsequent operations (write/read copies) use this wrapped offset without further validation, enabling out-of-bounds memory access directly from Ruby code.

https://hackerone.com/reports/3437743#activity-38521790
> We decided to fix this as a regular bug since `IO::Buffer` is experimental.

https://github.com/ruby/ruby/pull/15599
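As an added illustration of the flaw class described above (constructed for this page, not Ruby's `io_buffer_validate_range` and not code from the report or the PR), a range check that forms `offset + length` next to one that subtracts instead; the function names, the 4096-byte buffer size and the sample ranges are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of a buffer of `size` bytes and a requested
 * [offset, offset + length) range. Not Ruby's own implementation.
 */

/* Naive check: forms offset + length, which wraps around on size_t. */
static bool validate_range_naive(size_t size, size_t offset, size_t length)
{
    return offset + length <= size;
}

/* Hardened check: never forms the sum, so there is nothing to wrap. */
static bool validate_range_safe(size_t size, size_t offset, size_t length)
{
    if (offset > size)
        return false;               /* start is already past the end */
    return length <= size - offset; /* compare against the remaining room */
}

/* True when the naive check accepts a range the hardened check rejects. */
static bool naive_accepts_wrapped(size_t size, size_t offset, size_t length)
{
    return validate_range_naive(size, offset, length)
        && !validate_range_safe(size, offset, length);
}

int main(void)
{
    size_t size = 4096;
    /* Constructed inputs: one ordinary in-bounds range, one whose sum wraps. */
    size_t ok_off = 1024, ok_len = 512;
    size_t wrap_off = SIZE_MAX - 15, wrap_len = 32; /* sum wraps to 16 */

    printf("in-bounds : naive=%d safe=%d\n",
           validate_range_naive(size, ok_off, ok_len),
           validate_range_safe(size, ok_off, ok_len));
    printf("wrapping  : naive=%d safe=%d\n",
           validate_range_naive(size, wrap_off, wrap_len),
           validate_range_safe(size, wrap_off, wrap_len));
    printf("naive accepts wrapped range: %s\n",
           naive_accepts_wrapped(size, wrap_off, wrap_len) ? "yes" : "no");
    return 0;
}
```

The subtraction form is the usual fix for this pattern: once `offset <= size` is known, `size - offset` cannot underflow, so the comparison is exact for every input.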
