Bug #13742
SIGSEGV in parser_yyerror()
Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.5.0dev (2017-07-13 trunk 59320) [x86_64-linux]
Description
After some fuzz testing I found a crashing test case.
To reproduce: miniruby ruby_sigsegv_parser_yyerror
Valgrind Context:
==20061== Memcheck, a memory error detector
==20061== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==20061== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==20061== Command: ruby/miniruby id5_min
==20061==
==20061== Warning: client switching stacks? SP change: 0x1ffefffd60 --> 0x1ffe8020e0
==20061== to suppress, use: --max-stackframe=8379520 or greater
==20061== Invalid write of size 1
==20061== at 0x2E2BF5: reserve_stack (thread_pthread.c:722)
==20061== by 0x2EA057: ruby_init_stack (thread_pthread.c:757)
==20061== by 0x12CAD4: main (main.c:40)
==20061== Address 0x1ffe8020e0 is on thread 1's stack
==20061== in frame #0, created by reserve_stack (thread_pthread.c:677)
==20061==
==20061== Warning: client switching stacks? SP change: 0x1ffe8020e0 --> 0x1ffefffe80
==20061== to suppress, use: --max-stackframe=8379808 or greater
ruby/miniruby: warning: failed to load encoding (Windows-31J); use ASCII-8BIT instead
ruby/miniruby: warning: failed to load encoding (Windows-31J); use ASCII-8BIT instead
ruby_sigsegv_parser_yyerror: invalid Unicode escape
000000000000000000000000
^~~~~~~~~~~~~~~~~~~~~~~~
==20061== Invalid read of size 1
==20061== at 0x22DC98: parser_yyerror (parse.y:5076)
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== Address 0x5f27fd8 is 0 bytes after a block of size 16,344 alloc'd
==20061== at 0x4C2E256: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20061== by 0x4C2E371: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20061== by 0x1CC803: aligned_malloc (gc.c:7714)
==20061== by 0x1CC803: heap_page_allocate (gc.c:1527)
==20061== by 0x1CC803: heap_page_create (gc.c:1631)
==20061== by 0x1CC803: heap_assign_page (gc.c:1653)
==20061== by 0x1CC803: heap_add_pages (gc.c:1666)
==20061== by 0x1CC803: Init_heap (gc.c:2387)
==20061== by 0x1B1ED4: ruby_setup (eval.c:55)
==20061== by 0x1B1FA8: ruby_init (eval.c:76)
==20061== by 0x12CAD9: main (main.c:41)
==20061==
==20061== Invalid write of size 1
==20061== at 0x22DCA3: parser_yyerror (parse.y:5076)
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== by 0x202020202020201F: ???
==20061== Address 0x1fff001000 is not stack'd, malloc'd or (recently) free'd
==20061==
id5_min: [BUG] Segmentation fault at 0x0000001fff001000
ruby 2.5.0dev (2017-07-13 trunk 59320) [x86_64-linux]
-- Control frame information -----------------------------------------------
c:0001 p:0000 s:0003 E:0021c0 (none) [FINISH]
-- Machine register context ------------------------------------------------
RIP: 0x000000000022dca3 RBP: 0x0000001ffeffdd70 RSP: 0x0000001ffeffdce0
RAX: 0x0000001fff001001 RBX: 0x0000000005f26445 RCX: 0x0000000005f5bcf0
RDX: 0x00000000060cae10 RDI: 0x0000000005f26445 RSI: 0x0000000005f26445
R8: 0x000000000034bccc R9: 0x0000000000355435 R10: 0x0000000005f26445
R11: 0x0000001ffeffdd80 R12: 0x0000000005f29766 R13: 0x0000000000000004
R14: 0x00000000060c38a0 R15: 0x0000001ffeffdce0 EFL: 0x0000000000000085
-- C level backtrace information -------------------------------------------
==20061== Invalid read of size 1
==20061== at 0x6217E07: x86_64_fallback_frame_state (md-unwind-support.h:58)
==20061== by 0x6217E07: uw_frame_state_for (unwind-dw2.c:1257)
==20061== by 0x62199B7: _Unwind_Backtrace (unwind.inc:290)
==20061== by 0x5B31A27: backtrace (in /usr/lib/libc-2.25.so)
==20061== by 0x33C8E2: rb_print_backtrace (vm_dump.c:671)
==20061== by 0x33C8E2: rb_vm_bugreport (vm_dump.c:941)
==20061== by 0x1A8CC0: rb_bug_context (error.c:534)
==20061== by 0x2AA7E1: sigsegv (signal.c:930)
==20061== by 0x4E4993F: ??? (in /usr/lib/libpthread-2.25.so)
==20061== by 0x22DCA2: parser_yyerror (parse.y:5075)
==20061== Address 0x2020202020202020 is not stack'd, malloc'd or (recently) free'd
==20061==
==20061==
==20061== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==20061== General Protection Fault
==20061== at 0x6217E07: x86_64_fallback_frame_state (md-unwind-support.h:58)
==20061== by 0x6217E07: uw_frame_state_for (unwind-dw2.c:1257)
==20061== by 0x62199B7: _Unwind_Backtrace (unwind.inc:290)
==20061== by 0x5B31A27: backtrace (in /usr/lib/libc-2.25.so)
==20061== by 0x33C8E2: rb_print_backtrace (vm_dump.c:671)
==20061== by 0x33C8E2: rb_vm_bugreport (vm_dump.c:941)
==20061== by 0x1A8CC0: rb_bug_context (error.c:534)
==20061== by 0x2AA7E1: sigsegv (signal.c:930)
==20061== by 0x4E4993F: ??? (in /usr/lib/libpthread-2.25.so)
==20061== by 0x22DCA2: parser_yyerror (parse.y:5075)
==20061==
==20061== HEAP SUMMARY:
==20061== in use at exit: 2,135,207 bytes in 6,100 blocks
==20061== total heap usage: 6,531 allocs, 431 frees, 2,330,433 bytes allocated
==20061==
==20061== LEAK SUMMARY:
==20061== definitely lost: 8,199 bytes in 2 blocks
==20061== indirectly lost: 0 bytes in 0 blocks
==20061== possibly lost: 788,920 bytes in 5,888 blocks
==20061== still reachable: 1,338,088 bytes in 210 blocks
==20061== suppressed: 0 bytes in 0 blocks
==20061== Rerun with --leak-check=full to see details of leaked memory
==20061==
==20061== For counts of detected and suppressed errors, rerun with: -v
==20061== ERROR SUMMARY: 6033 errors from 4 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
Updated by nobu (Nobuyoshi Nakada) over 7 years ago
- Description updated (diff)
- Backport changed from 2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: UNKNOWN to 2.2: DONTNEED, 2.3: DONTNEED, 2.4: REQUIRED
Updated by nobu (Nobuyoshi Nakada) over 7 years ago
- Status changed from Open to Closed
Applied in changeset trunk|r59344.
parse.y: utf-8 codepoints
- parse.y (parser_tokadd_utf8): skip spaces in the current line,
without advancing the line, to get rid of dangling pointer.
[ruby-core:82029] [Bug #13742]
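The changeset note above describes the fix as skipping spaces within the current line so that no pointer saved for error reporting goes stale when the lexer moves on to the next line. The C model below is an added example, not code from parse.y or from r59344: it uses hypothetical names (lexer_t, nextline, skip_spaces_buggy, skip_spaces_fixed, lex_unicode_escape), feeds the lexer constructed two-line input, and stands a single reused buffer in for the heap line buffer that Ruby's lexer replaces, so the stale location shows up as a line mismatch rather than as the invalid read and write Valgrind reported.

```c
#include <ctype.h>
#include <string.h>
/* Hypothetical lexer modelled on parse.y's lex_p/lex_pend naming; one reused
 * line buffer stands in for the heap buffer that nextline() replaces. */
enum { LINE_MAX = 64, MAX_HEX = 6 };
typedef struct {
    const char *const *src; int nlines, lineno;   /* constructed input lines */
    char line[LINE_MAX];
    const char *lex_p, *lex_pend;
} lexer_t;
typedef struct { int tok_lineno, err_lineno, col; } escape_err_t;
static int nextline(lexer_t *lx) {
    if (lx->lineno >= lx->nlines) return 0;
    strcpy(lx->line, lx->src[lx->lineno++]);
    lx->lex_p = lx->line; lx->lex_pend = lx->line + strlen(lx->line);
    return 1;
}
static int nextc(lexer_t *lx) {      /* refills the line buffer at end of line */
    if (lx->lex_p >= lx->lex_pend && !nextline(lx)) return -1;
    return *lx->lex_p++;
}
/* Buggy: nextc() may advance the line, so a pointer saved earlier goes stale. */
static int skip_spaces_buggy(lexer_t *lx) {
    int c; do c = nextc(lx); while (c == ' ');
    return c;
}
/* Fixed: skip spaces in the current line only; end of line ends the escape. */
static int skip_spaces_fixed(lexer_t *lx) {
    while (lx->lex_p < lx->lex_pend && *lx->lex_p == ' ') lx->lex_p++;
    return lx->lex_p < lx->lex_pend ? *lx->lex_p++ : -1;
}
/* Lex a "\u{ hex }" escape at the start of line 1. Returns 1 if it is valid;
 * otherwise fills *err with a parser_yyerror-style location and returns 0. */
static int lex_unicode_escape(const char *const *src, int nlines, int fixed,
                              escape_err_t *err) {
    lexer_t lx = { src, nlines, 0 };
    const char *tok_start; int c, ndigits = 0;
    nextline(&lx);
    tok_start = lx.lex_p;                /* error location saved on line 1 */
    err->tok_lineno = lx.lineno;
    lx.lex_p += 3;                       /* consume "\u{" */
    c = fixed ? skip_spaces_fixed(&lx) : skip_spaces_buggy(&lx);
    while (c >= 0 && isxdigit(c)) { ndigits++; c = nextc(&lx); }
    if (c == '}' && ndigits > 0 && ndigits <= MAX_HEX) return 1;
    err->err_lineno = lx.lineno;         /* the line the buffer now holds */
    err->col = (int)(tok_start - lx.line);
    return 0;
}
```

With the buggy skipper the error is reported against line 2 even though the token was saved on line 1; with the fixed skipper the escape ends with the line and the report stays on line 1.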
Updated by nobu (Nobuyoshi Nakada) over 7 years ago
Note that this is not a vulnerability.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11465 is invalid.