Actions
Bug #20292
closedAbort ruby by `String#initialize`
Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 3.4.0dev (2024-02-22T06:43:46Z master e1c684e471) [arm64-darwin22]
Description
I found a code that causes an anomaly.
$ uname -a
Darwin 20208671n 22.6.0 Darwin Kernel Version 22.6.0: Wed Oct 4 21:26:55 PDT 2023; root:xnu-8796.141.3.701.17~4/RELEASE_ARM64_T6020 arm64
$ ruby -v
ruby 3.4.0dev (2024-02-22T06:43:46Z master e1c684e471) [arm64-darwin22]
$ ruby -e '100.times { "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".__send__(:initialize, capacity: -1) }'
ruby(13817,0x1f22b2080) malloc: Heap corruption detected, free list is damaged at 0x600000e27bc0
*** Incorrect guard value: 29830901955328
ruby(13817,0x1f22b2080) malloc: *** set a breakpoint in malloc_error_break to debug
[1] 13817 abort ruby -e
$ ruby -e '100.times { "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".__send__(:initialize, capacity: 0) }'
# never return ....
My research indicates the following conditions.
- String must be at least 64 characters long
- Call
#initialize
with capacity: 0 or less - Repeat this several times.
Updated by nobu (Nobuyoshi Nakada) 9 months ago
ksss (Yuki Kurihara) wrote:
- String must be at least 64 characters long
Embedded string.
- Call
#initialize
with capacity: 0 or less
Small but positive capacity also crashes.
Overwriting heap when initializing with smaller capacity.
Updated by nobu (Nobuyoshi Nakada) 9 months ago
- Status changed from Open to Closed
Applied in changeset git|e04146129ec6898dd6a9739dad2983c6e9b68056.
[Bug #20292] Truncate embedded string to new capacity
Updated by nobu (Nobuyoshi Nakada) 9 months ago
- Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED
Updated by k0kubun (Takashi Kokubun) 5 months ago
- Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE
ruby_3_3 f12c947192aa47b355015384e5c82cbf674023f1 merged revision(s) e04146129ec6898dd6a9739dad2983c6e9b68056.
Updated by nagachika (Tomoyuki Chikanaga) 4 months ago
- Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: DONE, 3.3: DONE
ruby_3_2 a54c717c7a74b91a3cdf20742c355e3ea42052d1 merged revision(s) e04146129ec6898dd6a9739dad2983c6e9b68056, d5080f6e8b77364483ff6727b1065e45e180f05d.
Updated by nagachika (Tomoyuki Chikanaga) 4 months ago
- Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: DONE, 3.3: DONE to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: WONTFIX, 3.3: DONE
Reverted backport commits to ruby_3_2. They introduce failures on build condition with USE_RVARGC=0.
Actions
Like0
Like0Like0Like0Like0Like0Like0