
Bug #13160

Socket c code breaks ruby interpreter

Added by fabianfrz (Fabian Franz) over 2 years ago. Updated 24 days ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
ruby -v:
ruby 2.4.0p0 (2016-12-24 revision 57164) [x86_64-linux]
[ruby-core:79271]

Description

When a client connects to a socket, the ruby interpreter crashes with the backtrace at the bottom (used the current version of my gem ICAPrb::Server (this gem has no native extensions))

The ruby VM should not crash when it receives a connection from a client.
This is the last data I get via strace:

{sa_family=AF_INET6, sin6_port=htons(39366), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, [2048->28], SOCK_CLOEXEC) = 8
fstat(8, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x38fd207d000
mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x38fd1ea7000
mprotect(0x38fd1ea7000, 4096, PROT_NONE) = 0
clone(child_stack=0x38fd1fa6ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x38fd1fa79d0, tls=0x38fd1fa7700, child_tidptr=0x38fd1fa79d0) = 4513
accept4(7,  <unfinished ...>)           = ?
+++ killed by SIGSEGV (core dumped) +++

Stacktrace:

systemd-coredump[4152]: Process 4143 (ruby) of user 1000 dumped core.

Stack trace of thread 4150:
#0  0x0000037105ae64b3 n/a (libruby.so.2.4)
#1  0x0000037105ae84cb n/a (libruby.so.2.4)
#2  0x0000037105ae8cad n/a (libruby.so.2.4)
#3  0x0000037105ae9ef2 n/a (libruby.so.2.4)
#4  0x0000037105ae3208 n/a (libruby.so.2.4)
#5  0x0000037105ae84cb n/a (libruby.so.2.4)
#6  0x0000037105ae8cad n/a (libruby.so.2.4)
#7  0x0000037105ae9ef2 n/a (libruby.so.2.4)
#8  0x0000037105ae3208 n/a (libruby.so.2.4)
#9  0x0000037105ae84cb n/a (libruby.so.2.4)
#10 0x0000037105ae8cad n/a (libruby.so.2.4)
#11 0x0000037105ae9ef2 n/a (libruby.so.2.4)
#12 0x0000037105ae3208 n/a (libruby.so.2.4)
#13 0x0000037105ae84cb n/a (libruby.so.2.4)
#14 0x0000037105ae8cad n/a (libruby.so.2.4)
#15 0x0000037105ae9ef2 n/a (libruby.so.2.4)
#16 0x0000037105ae3208 n/a (libruby.so.2.4)
#17 0x0000037105ae84cb n/a (libruby.so.2.4)
#18 0x0000037105ae8cad n/a (libruby.so.2.4)
#19 0x0000037105ae9ef2 n/a (libruby.so.2.4)
#20 0x0000037105ae3208 n/a (libruby.so.2.4)
#21 0x0000037105ae84cb n/a (libruby.so.2.4)
#22 0x0000037105ae8cad n/a (libruby.so.2.4)
#23 0x0000037105ae9ef2 n/a (libruby.so.2.4)
#24 0x0000037105ae3208 n/a (libruby.so.2.4)
#25 0x0000037105ae84cb n/a (libruby.so.2.4)
#26 0x0000037105ae8cad n/a (libruby.so.2.4)
#27 0x0000037105ae9ef2 n/a (libruby.so.2.4)
#28 0x0000037105ae3208 n/a (libruby.so.2.4)
#29 0x0000037105ae84cb n/a (libruby.so.2.4)
#30 0x0000037105ae8cad n/a (libruby.so.2.4)
#31 0x0000037105ae9ef2 n/a (libruby.so.2.4)
#32 0x0000037105ae3208 n/a (libruby.so.2.4)
#33 0x0000037105ae84cb n/a (libruby.so.2.4)
#34 0x0000037105ae8cad n/a (libruby.so.2.4)
#35 0x0000037105ae9ef2 n/a (libruby.so.2.4)
#36 0x0000037105ae3208 n/a (libruby.so.2.4)
#37 0x0000037105ae84cb n/a (libruby.so.2.4)
#38 0x0000037105ae8cad n/a (libruby.so.2.4)
#39 0x0000037105ae9ef2 n/a (libruby.so.2.4)
#40 0x0000037105ae3208 n/a (libruby.so.2.4)
#41 0x0000037105ae84cb n/a (libruby.so.2.4)
#42 0x0000037105ae8cad n/a (libruby.so.2.4)
#43 0x0000037105ae9ef2 n/a (libruby.so.2.4)
#44 0x0000037105ae3208 n/a (libruby.so.2.4)
#45 0x0000037105ae84cb n/a (libruby.so.2.4)
#46 0x0000037105ae8cad n/a (libruby.so.2.4)
#47 0x0000037105ae9ef2 n/a (libruby.so.2.4)
#48 0x0000037105ae3208 n/a (libruby.so.2.4)
#49 0x0000037105ae84cb n/a (libruby.so.2.4)
#50 0x0000037105ae8cad n/a (libruby.so.2.4)
#51 0x0000037105ae9ef2 n/a (libruby.so.2.4)
#52 0x0000037105ae3208 n/a (libruby.so.2.4)
#53 0x0000037105ae84cb n/a (libruby.so.2.4)
#54 0x0000037105ae8cad n/a (libruby.so.2.4)
#55 0x0000037105ae9ef2 n/a (libruby.so.2.4)
#56 0x0000037105ae3208 n/a (libruby.so.2.4)
#57 0x0000037105ae84cb n/a (libruby.so.2.4)
#58 0x0000037105ae8cad n/a (libruby.so.2.4)
#59 0x0000037105ae9ef2 n/a (libruby.so.2.4)
#60 0x0000037105ae3208 n/a (libruby.so.2.4)
#61 0x0000037105ae84cb n/a (libruby.so.2.4)
#62 0x0000037105ae8cad n/a (libruby.so.2.4)
#63 0x0000037105ae9ef2 n/a (libruby.so.2.4)

Stack trace of thread 4144:
#0  0x000003710568548d poll (libc.so.6)
#1  0x0000037105abc6f2 n/a (libruby.so.2.4)
#2  0x0000037105390454 start_thread (libpthread.so.0)
#3  0x000003710568e7df __clone (libc.so.6)

Stack trace of thread 4143:
#0  0x000003710568fcd8 accept4 (libc.so.6)
#1  0x0000037102669da0 n/a (socket.so)
#2  0x0000037102669ea5 n/a (socket.so)
#3  0x0000037105abb02c rb_thread_io_blocking_region (libruby.so.2.4)
#4  0x000003710266aa15 rsock_s_accept (socket.so)
#5  0x0000037102679a00 n/a (socket.so)
#6  0x0000037105adabea n/a (libruby.so.2.4)
#7  0x0000037105ae3208 n/a (libruby.so.2.4)
#8  0x0000037105ae84cb n/a (libruby.so.2.4)
#9  0x0000037105ae9ce8 n/a (libruby.so.2.4)
#10 0x00000371059d4f97 rb_rescue2 (libruby.so.2.4)
#11 0x0000037105adabea n/a (libruby.so.2.4)
#12 0x0000037105aece43 n/a (libruby.so.2.4)
#13 0x0000037105ae2ef7 n/a (libruby.so.2.4)
#14 0x0000037105ae84cb n/a (libruby.so.2.4)
#15 0x00000371059d2b10 n/a (libruby.so.2.4)
#16 0x00000371059d474d ruby_exec_node (libruby.so.2.4)
#17 0x00000371059d663e ruby_run_node (libruby.so.2.4)
#18 0x00000000004007cb n/a (ruby)
#19 0x00000371055c6291 __libc_start_main (libc.so.6)
#20 0x00000000004007fa _start (ruby)

History

Updated by shyouhei (Shyouhei Urabe) over 2 years ago

  • Status changed from Open to Feedback

Can you show us the reproducing code that generates SEGV? Additionally if possible, can you give us a gdb-printed backtrace? The strace output says your process dumped core; feeding it to gdb might tell you a detailed inspection.

Updated by nobu (Nobuyoshi Nakada) over 2 years ago

  • Description updated (diff)

Maybe related to [Bug #13076]?

Updated by fabianfrz (Fabian Franz) over 2 years ago

Hi, I tried to run it in gdb, but that is going to crash it even earlier; however, there are other findings:

When I remove and disable all the metasploit related stuff it is working again (running without issues).
So maybe one of its dependent libraries must mess around with the socket class or file descriptors.

So the ticket may be closed.
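A triage check for the suspicion above (that a dependent library redefines socket methods), added here as an example and not part of the ticket: it reports where each socket method currently comes from via Method#source_location, so a Ruby-level override from a gem shows up with its file and line. The LoggingAccept module is a constructed stand-in for such a patch, not code from any real gem.

```ruby
require 'socket'
require 'rbconfig'

# Socket methods to check. All of these are implemented in socket.so (the C
# extension), so a Ruby-level definition means something redefined them later.
SOCKET_METHODS = {
  TCPServer   => [:accept, :sysaccept],
  Socket      => [:accept],
  BasicSocket => [:recv, :send],
}.freeze
STDLIB_DIR = RbConfig::CONFIG['rubylibdir']

# Classify one method as :native (no Ruby source), :stdlib (Ruby source shipped
# with the interpreter, e.g. accept_nonblock in socket.rb) or :external
# (Ruby source from a gem or application file, i.e. a monkey patch).
def classify_method(klass, name)
  m = klass.instance_method(name)
  file, line = m.source_location
  tier = if file.nil? then :native
         elsif file.start_with?(STDLIB_DIR) then :stdlib
         else :external
         end
  { owner: m.owner.to_s, tier: tier, defined_at: file && "#{file}:#{line}" }
end

def socket_method_origins(table = SOCKET_METHODS)
  table.each_with_object({}) do |(klass, names), out|
    names.each { |n| out["#{klass}##{n}"] = classify_method(klass, n) }
  end
end

# Only the entries that come from outside the interpreter.
def external_socket_methods(table = SOCKET_METHODS)
  socket_method_origins(table).select { |_, info| info[:tier] == :external }
end

# Constructed stand-in for the kind of patch a gem might apply (not taken
# from the ticket): wraps TCPServer#accept in Ruby code via prepend.
module LoggingAccept
  def accept
    sock = super
    warn "accepted fd #{sock.fileno}"
    sock
  end
end

def apply_sample_patch
  TCPServer.prepend(LoggingAccept)
  external_socket_methods
end
```

Running socket_method_origins before and after loading the suspect gems shows which method moved from :native to :external, and the defined_at path names the file that did it.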


Updated by jeremyevans0 (Jeremy Evans) 24 days ago

  • Status changed from Feedback to Closed
