Bug #17732

closed

rb_enc_interned_str crashes if called with a not yet loaded encoding

Added by byroot (Jean Boussier) about 3 years ago. Updated almost 3 years ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:102929]

Description

Reported by @yahonda (Yasuo Honda) in https://github.com/ruby/ruby/pull/4119#issuecomment-800189841

The bug

rb_enc_interned_str doesn't properly handle autoloaded encodings that are not yet loaded:

[BUG] Segmentation fault at 0x0000000000000000
-- C level backtrace information -------------------------------------------
ruby(rb_print_backtrace+0xf) [0x101b06c92] vm_dump.c:758
ruby(rb_vm_bugreport) vm_dump.c:1042
ruby(rb_vm_bugreport) (null):0
ruby(bug_report_end+0x0) [0x101929f02] error.c:801
ruby(rb_bug_for_fatal_signal) error.c:801
ruby(sigsegv+0x5b) [0x101a6289b] signal.c:960
/usr/lib/system/libsystem_platform.dylib(_sigtramp+0x1a) [0x7fff71b64f5a]
(null)((null)) (null):0
ruby(rb_enc_precise_mbclen+0x15) [0x101914dd5] encoding.c:1239
ruby(coderange_scan+0x63) [0x101a79773] string.c:602
ruby(rb_enc_str_coderange+0xd1) [0x101a79581] string.c:713
ruby(rb_str_hash+0x32) [0x101a78592] string.c:3290
ruby(do_hash+0x6) [0x101a6cd75] st.c:320
ruby(rb_st_update) st.c:1390
ruby(register_fstring+0x4c) [0x101a87cd5] string.c:398
ruby(rb_enc_interned_str) string.c:11502
ruby(ibf_load_object+0xa6) [0x1018fb176] compile.c:11816
ruby(ibf_load_object_regexp+0x129) [0x1018fba09] compile.c:11428
ruby(ibf_load_object+0xa6) [0x1018fb176] compile.c:11816
ruby(ibf_load_code+0x1000361bd) [0x1018dae7c] compile.c:10482
ruby(ibf_load_iseq_each) compile.c:11122
ruby(ISEQ_COMPILE_DATA_CLEAR+0x0) [0x1018dba8b] compile.c:11997
ruby(rb_ibf_load_iseq_complete) compile.c:11998
ruby(ibf_load_iseq) compile.c:12052
ruby(rb_iseq_ibf_load+0x4f) [0x1018db87f] compile.c:12158
ruby(iseqw_s_load_from_binary+0x12) [0x1019892d2] iseq.c:3430
ruby(vm_call_cfunc_with_frame+0x160) [0x101afc580] ./vm_insnhelper.c:2924
ruby(vm_sendish+0x572) [0x101af4e82]
ruby(vm_exec_core+0x3606) [0x101ada706] insns.def:789
ruby(rb_vm_exec+0xafb) [0x101aef13b] vm.c:2162
ruby(rb_ec_exec_node+0x132) [0x1019354b2] eval.c:317
ruby(ruby_run_node+0x57) [0x101935327] eval.c:375
ruby(main+0x71) [0x10189a061] ./main.c:47

Other rb_enc_* functions go through enc_check_encoding(), but because rb_enc_interned_str relies on rb_setup_fake_str, it bypasses this check.

Occurrence

While unlikely, this crash can be caused by C extensions starting in ruby 3.0.0-p0.

However https://github.com/ruby/ruby/pull/4119 made RubyVM::InstructionSequence.load_from_binary rely on rb_enc_interned_str and makes this error very likely, mostly because net/http has a Windows-31J regexp (which is likely a bug too, see https://github.com/ruby/net-http/pull/18).

So I believe this fix should be backported to the 3.0 branch.

Patch

I created a Pull Request with a patch: https://github.com/ruby/ruby/pull/4290
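The load_from_binary path described above can be turned into a regression check. The following script is an added example, not code from the ticket or from the Ruby project: it compiles a regexp literal from Windows-31J source (so the literal gets a fixed Windows-31J encoding), serialises the instruction sequence with RubyVM::InstructionSequence#to_binary, and loads it in a fresh ruby child process where Windows-31J has not been autoloaded yet. The helper names (build_binary_iseq, load_in_fresh_process, check_bug_17732) are assumptions made for the example. On a Ruby that still has the bug the child dies with the crash shown in the backtrace; on a Ruby carrying the fix from https://github.com/ruby/ruby/pull/4290 it exits cleanly and prints the regexp's encoding name.

```ruby
# Regression check for ruby/ruby bug #17732 (added example, not from the ticket).
# Requires MRI (RubyVM::InstructionSequence) and a normal install with the
# encoding extensions, so that Windows-31J is an autoloaded encoding.
require "rbconfig"
require "tempfile"
require "open3"

# Constructed source: a non-ASCII character is needed so that the regexp
# literal carries a fixed Windows-31J encoding instead of US-ASCII.
WIN31J_SOURCE = "/\u3042/".encode("Windows-31J").freeze

# Compile the Windows-31J source in this process and dump the iseq to binary.
def build_binary_iseq
  RubyVM::InstructionSequence.compile(WIN31J_SOURCE).to_binary
end

# Sanity check in the parent: the literal really is a Windows-31J regexp.
def regexp_encoding_in_process
  RubyVM::InstructionSequence.compile(WIN31J_SOURCE).eval.encoding.name
end

# Child script: load the binary iseq before anything has touched Windows-31J,
# evaluate it to obtain the Regexp, and print its encoding name.
CHILD_SCRIPT = <<~'RUBY'
  iseq = RubyVM::InstructionSequence.load_from_binary(File.binread(ARGV[0]))
  print iseq.eval.encoding.name
RUBY

# Run the child with the same ruby binary and report how it ended.
def load_in_fresh_process(binary)
  Tempfile.create(["bug17732", ".bin"]) do |f|
    f.binmode
    f.write(binary)
    f.flush
    out, err, status = Open3.capture3(RbConfig.ruby, "--disable-gems", "-e", CHILD_SCRIPT, f.path)
    {
      child_ok: status.exited? && status.exitstatus == 0,
      signaled: status.signaled?,   # true when the child died from SIGSEGV/SIGABRT
      child_stdout: out,
      child_stderr: err,
    }
  end
end

# Combined result: a fixed Ruby yields child_ok == true and "Windows-31J".
def check_bug_17732
  load_in_fresh_process(build_binary_iseq)
end

if __FILE__ == $0
  r = check_bug_17732
  if r[:child_ok]
    puts "ok: child loaded a #{r[:child_stdout]} regexp from binary iseq"
  else
    puts "FAIL: child did not exit cleanly (signaled=#{r[:signaled]})"
    puts r[:child_stderr]
  end
end
```

The child is started with --disable-gems only to keep startup minimal; the relevant property is that no code in the child references Windows-31J before load_from_binary runs, which is exactly the state in which rb_enc_interned_str receives a not-yet-loaded encoding.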

Updated by byroot (Jean Boussier) about 3 years ago

@nobu (Nobuyoshi Nakada) thanks for merging https://github.com/ruby/ruby/pull/4290

Do you think it should be backported to 3.0?

Either way this ticket can now be closed.

Updated by nobu (Nobuyoshi Nakada) about 3 years ago

  • Description updated (diff)
  • Status changed from Open to Closed
  • Backport changed from 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN to 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: REQUIRED

I missed that the link was only in the pull-request description but not in the commit log.

I'm afraid that this can happen in versions earlier than 3.0 too.

Updated by byroot (Jean Boussier) about 3 years ago

> I'm afraid that this can happen in versions earlier than 3.0 too.

Hum. rb_enc_interned_str was introduced in 3.0.

Unless you think other string functions are vulnerable to the same issue?

Updated by naruse (Yui NARUSE) almost 3 years ago

  • Backport changed from 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: REQUIRED to 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: DONE

ruby_3_0 4e2738f477b5343a0d48a400c975220fed123c9b merged revision(s) 7e8a9af9db42a21f6a1125a29e98c45ff9d5833b.
