Project

General

Profile

Actions

Bug #20886

closed

Crash due to double free on regex timeout after stack allocations

Added by jhawthorn (John Hawthorn) 10 days ago. Updated 10 days ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 3.3.6 (2024-11-05 revision 75015d4c1f) [x86_64-linux]
[ruby-core:119884]

Description

As of the change from #20650 (1057485) it's possible to crash on a double free due to stk_alloc AKA msa->stack_p being freed twice, once at the end of match_at and a second time in FREE_MATCH_ARG in the parent caller.

It's fairly, but not quite 100% reliable to reproduce, adjusting the timeout or number of spaces can help. I reduced this test case from a larger real-world regex, I believe the first part is important just to disable the match cache.

$ ruby -e 'Regexp.new("d()*+|a*a*bc", timeout: 0.2) === "b" + "a"*800'
double free or corruption (!prev)

https://github.com/ruby/ruby/pull/12030

Actions #1

Updated by jhawthorn (John Hawthorn) 10 days ago

  • Status changed from Open to Closed

Applied in changeset git|8409edc4971f34cf0d77c375909c5b8f7b1e058a.


Fix regex timeout double-free after stack_double

As of 10574857ce167869524b97ee862b610928f6272f, it's possible to crash
on a double free due to stk_alloc AKA msa->stack_p being freed
twice, once at the end of match_at and a second time in FREE_MATCH_ARG
in the parent caller.

Fixes [Bug #20886]

Updated by jhawthorn (John Hawthorn) 10 days ago

I've opened a backport PR for Ruby 3.3. I don't believe other versions need a backport as the previous memory leak patches were not backported to the 3.2 branch and a quick test doesn't show the bug reproducing.

https://github.com/ruby/ruby/pull/12063

Actions

Also available in: Atom PDF

Like0
Like0Like0