Bug #13234 (closed)
Infinite recursion (stack overflow) in parse_char_class()
Description
After some fuzz testing I found a crashing test case.
Git HEAD: fbd5cda6aad6db01bbca3d893a9970314a1bd52c
To reproduce: miniruby ruby_so_parse_char_class
Error log: bug-13234.log
Updated by shyouhei (Shyouhei Urabe) over 7 years ago
Kamil Frankowicz wrote:
After some fuzz testing I found a crashing test case.
Great... I can reproduce this. Not sure if this is an "infinite" recursion or just too deep to run on my machine, though.
Do you run a fuzz test for ruby or for your project? If this is something disclosable please do so, because currently ruby lacks such a thing.
Updated by nobu (Nobuyoshi Nakada) over 7 years ago
- Status changed from Open to Closed
Applied in changeset r57660.
regparse.c: initialize return values
- regparse.c (parse_char_class): initialize return values before
depth limit check. Returned values will be freed in callers
regardless of the error. [ruby-core:79624] [Bug #13234]
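The bug class the changeset describes, as an added C illustration that is not the regparse.c code: a toy recursive parser (a stand-in for parse_char_class(); its names, constants and depth limit are hypothetical) whose out-parameter is assigned only on success, beside the fixed shape that sets it to NULL before the depth-limit check, so a caller that frees the result regardless of the error frees NULL rather than a stale pointer.

```c
#include <stdlib.h>
#define MAX_DEPTH 4
enum { PARSE_OK = 0, ERR_TOO_DEEP = -1, ERR_SYNTAX = -2, ERR_NOMEM = -3 };

typedef struct Node { struct Node *child; } Node;
static void free_tree(Node *n) {
    while (n) { Node *next = n->child; free(n); n = next; }
}

/* Toy recursive parser for nested "[...]" groups, a stand-in for
 * parse_char_class(): result returned through out-param *np, recursion
 * bounded by MAX_DEPTH. init_first selects the code shape:
 *   0 = buggy: *np assigned only on success, so an early exit leaves the
 *       caller's variable holding whatever stale value it had before;
 *   1 = fixed (what r57660 does): *np NULLed before the depth check. */
static int parse_group(const char **p, int depth, Node **np, int init_first) {
    if (init_first) *np = NULL;                 /* the one-line fix */
    if (depth > MAX_DEPTH) return ERR_TOO_DEEP; /* early exit */
    if (**p != '[') return ERR_SYNTAX;
    (*p)++;
    Node *n = calloc(1, sizeof *n);
    if (!n) return ERR_NOMEM;
    if (**p == '[') {                           /* nested group: recurse */
        int r = parse_group(p, depth + 1, &n->child, init_first);
        if (r != PARSE_OK) { free_tree(n); return r; }
    }
    if (**p != ']') { free_tree(n); return ERR_SYNTAX; }
    (*p)++;
    *np = n;
    return PARSE_OK;
}

/* Caller with the contract the changeset describes: free *np regardless
 * of the error. *stale (may be NULL) reports whether a failure left *np
 * non-NULL, the garbage a real caller would pass to free; the sentinel is never freed. */
static int parse_and_cleanup(const char *src, int init_first, int *stale) {
    static Node sentinel;
    Node *n = &sentinel;                        /* deliberate stale non-NULL value */
    int r = parse_group(&src, 0, &n, init_first);
    int s = (r != PARSE_OK && n != NULL);
    if (stale) *stale = s;
    if (!s) free_tree(n);                       /* NULL or a real tree: safe */
    return r;
}

/* 1 if the caller above would have seen a stale pointer after a failure. */
static int leaves_stale_ptr(const char *src, int init_first) {
    int stale;
    parse_and_cleanup(src, init_first, &stale);
    return stale;
}
```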
Updated by nobu (Nobuyoshi Nakada) over 7 years ago
- File bug-13234.log bug-13234.log added
- Description updated (diff)
- Backport changed from 2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: UNKNOWN to 2.2: DONTNEED, 2.3: DONTNEED, 2.4: REQUIRED
Updated by fumfel (Kamil Frankowicz) over 7 years ago
Shyouhei Urabe wrote:
Kamil Frankowicz wrote:
After some fuzz testing I found a crashing test case.
Great... I can reproduce this. Not sure if this is an "infinite" recursion or just too deep to run on my machine, though.
Do you run a fuzz test for ruby or for your project? If this is something disclosable please do so, because currently ruby lacks such a thing.
I fuzz ruby (in this case miniruby binary) with American Fuzzy Lop fuzzer (http://lcamtuf.coredump.cx/afl/). My testing corpus contains files from various open source projects written in ruby. It's all :-)
Updated by fumfel (Kamil Frankowicz) over 7 years ago
This is CVE-2017-6181.
Updated by shyouhei (Shyouhei Urabe) over 7 years ago
Thank you again for the useful information. Will consider using the fuzzer and hopefully integrate it into our test suite if possible/allowed.
Updated by naruse (Yui NARUSE) over 7 years ago
- Backport changed from 2.2: DONTNEED, 2.3: DONTNEED, 2.4: REQUIRED to 2.2: DONTNEED, 2.3: DONTNEED, 2.4: DONE
ruby_2_4 r57909 merged revision(s) 57660.