|
Message-ID: <1830079455.49483433.1401206581231.JavaMail.root@vmware.com> Date: Tue, 27 May 2014 09:03:01 -0700 (PDT) From: Ramon de C Valle <rdecvalle@...are.com> To: oss-security@...ts.openwall.com Subject: Fwd: [ruby-core:62800] [ruby-trunk - Bug #9709] Large string causes SEGV with x64-mingw32 I believe this should have a CVE assigned. ----- Forwarded Message ----- > From: nagachika00@...il.com > To: ruby-core@...y-lang.org > Sent: Tuesday, May 27, 2014 12:37:27 PM > Subject: [ruby-core:62800] [ruby-trunk - Bug #9709] Large string causes SEGV with x64-mingw32 > > Issue #9709 has been updated by Tomoyuki Chikanaga. > > Backport changed from 1.9.3: REQUIRED, 2.0.0: DONE, 2.1: REQUIRED to 1.9.3: > REQUIRED, 2.0.0: DONE, 2.1: DONE > > r45534 was backported into `ruby_2_1` branch at r46187. > > ---------------------------------------- > Bug #9709: Large string causes SEGV with x64-mingw32 > https://urldefense.proofpoint.com/v1/url?u=https://bugs.ruby-lang.org/issues/9709%23change-46919&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=bZpuVimtRQUx3xHFIlu%2BaciWn3GMzM%2FBnwDoBm5jP8U%3D%0A&m=fC%2FzhFNJyEarV%2BMdJG2PYaootJ9yi7QnmdVlPDyq4R8%3D%0A&s=129fea02afb2e061f7527c15971c055ab1b9299982fd9d25fc9ac84c6eb3df8d > > * Author: Hiroshi Shirosaki > * Status: Closed > * Priority: Normal > * Assignee: > * Category: > * Target version: > * ruby -v: ruby 2.2.0dev (2014-04-07 trunk 45529) [x64-mingw32] > * Backport: 1.9.3: REQUIRED, 2.0.0: DONE, 2.1: DONE > ---------------------------------------- > Creating large string causes SEGV with x64-mingw32 on Windows. > > test.rb > > ~~~ > A = "" > 1000000.times do |i| > A << "a" * 100000 > end > ~~~ > > gdb backtrace of `./miniruby test.rb` > > ~~~ > Program received signal SIGSEGV, Segmentation fault. > 0x000007fefe88120b in msvcrt!memmove () from C:\Windows\system32\msvcrt.dll > (gdb) bt > #0 0x000007fefe88120b in msvcrt!memmove () from > C:\Windows\system32\msvcrt.dll > #1 0x000000000054e404 in str_buf_cat (str=str@...ry=115691040, > ptr=ptr@...ry=0x7b510e0 'a' <repeats 200 times>..., > len=len@...ry=100000) at ../../../ruby/string.c:2042 > #2 0x000000000054e90a in rb_enc_cr_str_buf_cat (str=str@...ry=115691040, > ptr=0x7b510e0 'a' <repeats 200 times>..., > len=100000, ptr_encindex=<optimized out>, ptr_cr=ptr_cr@...ry=1048576, > ptr_cr_ret=0x22eb10, > ptr_cr_ret@...ry=0x22eaf0) at ../../../ruby/string.c:2164 > #3 0x0000000000553c6c in rb_str_buf_append (str=115691040, str2=115660360) > at ../../../ruby/string.c:2207 > #4 0x0000000000553d9f in rb_str_append (str2=115660360, str=115691040) at > ../../../ruby/string.c:2220 > #5 rb_str_concat (str1=115691040, str2=115660360) at > ../../../ruby/string.c:2256 > #6 0x00000000005ac743 in vm_exec_core (th=0x768ce00, th@...ry=0x0, > initial=initial@...ry=0) > at ../../../ruby/insns.def:1824 > #7 0x00000000005ad661 in vm_exec (th=0x0) at ../../../ruby/vm.c:1328 > #8 0x0000000000000000 in ?? () > ~~~ > > `capa` setting looks wrong in the following code. Here is a patch. > > ~~~ > diff --git a/string.c b/string.c > index 511374c..8abfc25 100644 > --- a/string.c > +++ b/string.c > @@ -2029,7 +2029,7 @@ str_buf_cat(VALUE str, const char *ptr, long len) > if (capa <= total) { > while (total > capa) { > if (capa + termlen >= LONG_MAX / 2) { > - capa = (total + 4095) / 4096; > + capa = LONG_MAX - termlen; > break; > } > capa = (capa + termlen) * 2; > ~~~ > > > > -- > https://urldefense.proofpoint.com/v1/url?u=https://bugs.ruby-lang.org/&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=bZpuVimtRQUx3xHFIlu%2BaciWn3GMzM%2FBnwDoBm5jP8U%3D%0A&m=fC%2FzhFNJyEarV%2BMdJG2PYaootJ9yi7QnmdVlPDyq4R8%3D%0A&s=b6f086bbe3874719b7d8fb1428403898f66136119f73522f325030657ca74f44 >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.