Bug #20292

closed

Abort ruby by `String#initialize`

Added by ksss (Yuki Kurihara) 9 months ago. Updated 4 months ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 3.4.0dev (2024-02-22T06:43:46Z master e1c684e471) [arm64-darwin22]
[ruby-core:116908]

Description

I found code that causes an anomaly.

$ uname -a
Darwin 20208671n 22.6.0 Darwin Kernel Version 22.6.0: Wed Oct  4 21:26:55 PDT 2023; root:xnu-8796.141.3.701.17~4/RELEASE_ARM64_T6020 arm64

$ ruby -v
ruby 3.4.0dev (2024-02-22T06:43:46Z master e1c684e471) [arm64-darwin22]

$ ruby -e '100.times { "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".__send__(:initialize, capacity: -1) }'
ruby(13817,0x1f22b2080) malloc: Heap corruption detected, free list is damaged at 0x600000e27bc0
*** Incorrect guard value: 29830901955328
ruby(13817,0x1f22b2080) malloc: *** set a breakpoint in malloc_error_break to debug
[1]    13817 abort      ruby -e

$ ruby -e '100.times { "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".__send__(:initialize, capacity: 0) }'
# never return ....

My research indicates the following conditions.

  • String must be at least 64 characters long
  • Call #initialize with capacity: 0 or less
  • Repeat this several times.

Updated by nobu (Nobuyoshi Nakada) 9 months ago

ksss (Yuki Kurihara) wrote:

  • String must be at least 64 characters long

Embedded string.

  • Call #initialize with capacity: 0 or less

Small but positive capacity also crashes.

Overwriting heap when initializing with smaller capacity.
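An added regression probe for the behaviour described in the report and in the comment above (this is constructed here, not code from the report, the fix commit, or Ruby's own test suite): it runs the reported repro in a child interpreter, so a heap-corruption abort or a hang cannot take down the caller, and classifies the outcome. The template script, the `probe` function and the timeout value are all assumptions made for this example.

```ruby
require "rbconfig"

# Constructed reproduction script, following the report: a 64-byte literal
# (an embedded string) re-initialized with a capacity smaller than its length.
REPRO_TEMPLATE = <<~'RUBY'
  100.times { "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".__send__(:initialize, capacity: CAPACITY) }
  puts "ok"
RUBY

# Run the repro with the given capacity in a child interpreter and classify
# the outcome: :fixed (ran to completion), :crash (killed by a signal, e.g.
# SIGABRT from the malloc guard check in the report), :hang (timed out, the
# "never returns" case), or :error (non-zero exit for some other reason).
def probe(capacity, timeout: 3.0)
  script = REPRO_TEMPLATE.sub("CAPACITY", capacity.to_s)
  reader, writer = IO.pipe
  pid = Process.spawn(RbConfig.ruby, "-e", script, out: writer, err: writer)
  writer.close  # keep only the read end so EOF arrives when the child exits
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
  status = nil
  loop do
    _, status = Process.wait2(pid, Process::WNOHANG)  # nil while still running
    break if status
    if Process.clock_gettime(Process::CLOCK_MONOTONIC) > deadline
      Process.kill("KILL", pid)
      Process.wait(pid)
      reader.close
      return :hang
    end
    sleep 0.05
  end
  output = reader.read
  reader.close
  return :crash if status.signaled?
  status.success? && output.include?("ok") ? :fixed : :error
end

if __FILE__ == $PROGRAM_NAME
  # -1 and 0 are the values from the report; 1024 is larger than the string
  # and serves as a control that should complete on any interpreter.
  [-1, 0, 1024].each { |c| puts "capacity: #{c.to_s.rjust(4)} -> #{probe(c)}" }
end
```

On an interpreter without the fix the negative and zero capacities should report :crash or :hang, while the control reports :fixed.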

Updated by nobu (Nobuyoshi Nakada) 9 months ago

  • Status changed from Open to Closed

Applied in changeset git|e04146129ec6898dd6a9739dad2983c6e9b68056.

[Bug #20292] Truncate embedded string to new capacity

Updated by nobu (Nobuyoshi Nakada) 9 months ago

  • Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED

Updated by k0kubun (Takashi Kokubun) 5 months ago

  • Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE

Updated by nagachika (Tomoyuki Chikanaga) 4 months ago

  • Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: DONE, 3.3: DONE

Updated by nagachika (Tomoyuki Chikanaga) 4 months ago

  • Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: DONE, 3.3: DONE to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: WONTFIX, 3.3: DONE

Reverted backport commits to ruby_3_2. They introduce failures in the build configuration with USE_RVARGC=0.
