Bug #20292: Abort ruby by `String#initialize` - Ruby master - Ruby Issue Tracking System

Actions

Bug #20292

closed

Abort ruby by `String#initialize`

Added by ksss (Yuki Kurihara) 9 months ago. Updated 4 months ago.

Status:

Closed

Assignee:

-

Target version:

-

ruby -v:

ruby 3.4.0dev (2024-02-22T06:43:46Z master e1c684e471) [arm64-darwin22]

Backport:

3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: WONTFIX, 3.3: DONE

[ruby-core:116908]

Description

I found a code that causes an anomaly.

$ uname -a
Darwin 20208671n 22.6.0 Darwin Kernel Version 22.6.0: Wed Oct  4 21:26:55 PDT 2023; root:xnu-8796.141.3.701.17~4/RELEASE_ARM64_T6020 arm64

$ ruby -v
ruby 3.4.0dev (2024-02-22T06:43:46Z master e1c684e471) [arm64-darwin22]

$ ruby -e '100.times { "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".__send__(:initialize, capacity: -1) }'
ruby(13817,0x1f22b2080) malloc: Heap corruption detected, free list is damaged at 0x600000e27bc0
*** Incorrect guard value: 29830901955328
ruby(13817,0x1f22b2080) malloc: *** set a breakpoint in malloc_error_break to debug
[1]    13817 abort      ruby -e

$ ruby -e '100.times { "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".__send__(:initialize, capacity: 0) }'
# never return ....

My research indicates the following conditions.

String must be at least 64 characters long
Call #initialize with capacity: 0 or less
Repeat this several times.

Actions

#1 [ruby-core:116910]

Updated by nobu (Nobuyoshi Nakada) 9 months ago

ksss (Yuki Kurihara) wrote:

String must be at least 64 characters long

Embedded string.

Call #initialize with capacity: 0 or less

Small but positive capacity also crashes.

Overwriting heap when initializing with smaller capacity.

Actions

#2

Updated by nobu (Nobuyoshi Nakada) 9 months ago

Status changed from Open to Closed

Applied in changeset git|e04146129ec6898dd6a9739dad2983c6e9b68056.

[Bug #20292] Truncate embedded string to new capacity

Actions

#3

Updated by nobu (Nobuyoshi Nakada) 9 months ago

Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED

Actions

#4 [ruby-core:118065]

Updated by k0kubun (Takashi Kokubun) 6 months ago

Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE

ruby_3_3 f12c947192aa47b355015384e5c82cbf674023f1 merged revision(s) e04146129ec6898dd6a9739dad2983c6e9b68056.

Actions

#5 [ruby-core:118593]

Updated by nagachika (Tomoyuki Chikanaga) 4 months ago

Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: DONE, 3.3: DONE

ruby_3_2 a54c717c7a74b91a3cdf20742c355e3ea42052d1 merged revision(s) e04146129ec6898dd6a9739dad2983c6e9b68056, d5080f6e8b77364483ff6727b1065e45e180f05d.

Actions

#6 [ruby-core:118595]

Updated by nagachika (Tomoyuki Chikanaga) 4 months ago

Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: DONE, 3.3: DONE to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: WONTFIX, 3.3: DONE

Reverted backport commits to ruby_3_2. They introduce failures on build condition with USE_RVARGC=0.

Actions

Also available in: Atom PDF

Like0

Like0Like0Like0Like0Like0Like0