Project

General

Profile

Actions
Copy link

Bug #13234

closed

Infinite recursion (stack overflow) in parse_char_class()

Added by fumfel (Kamil Frankowicz) over 7 years ago. Updated over 7 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
Backport:
2.2: DONTNEED, 2.3: DONTNEED, 2.4: DONE
[ruby-core:79624]

Description

After some fuzz testing I found a crashing test case.

Git HEAD: fbd5cda6aad6db01bbca3d893a9970314a1bd52c

To reproduce: miniruby ruby_so_parse_char_class

Error log: bug-13234.log

Files

Download all files
ruby_so_parse_char_class (4 KB) ruby_so_parse_char_class POC to trigger stack overflow (miniruby) fumfel (Kamil Frankowicz), 02/20/2017 07:38 AM
bug-13234.log (82.3 KB) bug-13234.log nobu (Nobuyoshi Nakada), 02/20/2017 10:41 AM
Actions
Copy link
 #1 [ruby-core:79626]

Updated by shyouhei (Shyouhei Urabe) over 7 years ago

Kamil Frankowicz wrote:

After some fuzz testing I found a crashing test case.

Great... I can reproduce this. Not sure if this is an "infinite" recursion or just too deep to run on my machine, though.

Do you run a fuzz test for ruby or for your project? If this is something disclosable please do so, because currently ruby lacks such thing.

Actions
Copy link
 #2

Updated by nobu (Nobuyoshi Nakada) over 7 years ago

  • Status changed from Open to Closed

Applied in changeset r57660.

regparse.c: initialize return values

  • regparse.c (parse_char_class): initialize return values before
    depth limit check. returned values will be freed in callers
    regardless the error. [ruby-core:79624] [Bug #13234]
Actions
Copy link
 #3 [ruby-core:79627]

Updated by nobu (Nobuyoshi Nakada) over 7 years ago

  • File bug-13234.log bug-13234.log added
  • Description updated (diff)
  • Backport changed from 2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: UNKNOWN to 2.2: DONTNEED, 2.3: DONTNEED, 2.4: REQUIRED
Actions
Copy link
 #4 [ruby-core:79630]

Updated by fumfel (Kamil Frankowicz) over 7 years ago

Shyouhei Urabe wrote:

Kamil Frankowicz wrote:

After some fuzz testing I found a crashing test case.

Great... I can reproduce this. Not sure if this is an "infinite" recursion or just too deep to run on my machine, though.

Do you run a fuzz test for ruby or for your project? If this is something disclosable please do so, because currently ruby lacks such thing.

I fuzz ruby (in this case miniruby binary) with American Fuzzy Lop fuzzer (http://lcamtuf.coredump.cx/afl/). My testing corpus contains files from various open source projects written in ruby. It's all :-)

Actions
Copy link
 #5 [ruby-core:79678]

Updated by fumfel (Kamil Frankowicz) over 7 years ago

This is CVE-2017-6181.

Actions
Copy link
 #6 [ruby-core:79682]

Updated by shyouhei (Shyouhei Urabe) over 7 years ago

Thank you again for the useful information. Will consider using the fuzzer and hopefully integrate into our test suite if possible/allowed.

Actions
Copy link
 #7 [ruby-core:80056]

Updated by naruse (Yui NARUSE) over 7 years ago

  • Backport changed from 2.2: DONTNEED, 2.3: DONTNEED, 2.4: REQUIRED to 2.2: DONTNEED, 2.3: DONTNEED, 2.4: DONE

ruby_2_4 r57909 merged revision(s) 57660.

Actions
Copy link

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0Like0