Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 27 May 2014 09:03:01 -0700 (PDT)
From: Ramon de C Valle <rdecvalle@...are.com>
To: oss-security@...ts.openwall.com
Subject: Fwd: [ruby-core:62800] [ruby-trunk - Bug #9709] Large string causes
 SEGV	with x64-mingw32

I believe this should have a CVE assigned.

----- Forwarded Message -----
> From: nagachika00@...il.com
> To: ruby-core@...y-lang.org
> Sent: Tuesday, May 27, 2014 12:37:27 PM
> Subject: [ruby-core:62800] [ruby-trunk - Bug #9709] Large string causes SEGV	with x64-mingw32
> 
> Issue #9709 has been updated by Tomoyuki Chikanaga.
> 
> Backport changed from 1.9.3: REQUIRED, 2.0.0: DONE, 2.1: REQUIRED to 1.9.3:
> REQUIRED, 2.0.0: DONE, 2.1: DONE
> 
> r45534 was backported into `ruby_2_1` branch at r46187.
> 
> ----------------------------------------
> Bug #9709: Large string causes SEGV with x64-mingw32
> https://urldefense.proofpoint.com/v1/url?u=https://bugs.ruby-lang.org/issues/9709%23change-46919&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=bZpuVimtRQUx3xHFIlu%2BaciWn3GMzM%2FBnwDoBm5jP8U%3D%0A&m=fC%2FzhFNJyEarV%2BMdJG2PYaootJ9yi7QnmdVlPDyq4R8%3D%0A&s=129fea02afb2e061f7527c15971c055ab1b9299982fd9d25fc9ac84c6eb3df8d
> 
> * Author: Hiroshi Shirosaki
> * Status: Closed
> * Priority: Normal
> * Assignee:
> * Category:
> * Target version:
> * ruby -v: ruby 2.2.0dev (2014-04-07 trunk 45529) [x64-mingw32]
> * Backport: 1.9.3: REQUIRED, 2.0.0: DONE, 2.1: DONE
> ----------------------------------------
> Creating large string causes SEGV with x64-mingw32 on Windows.
> 
> test.rb
> 
> ~~~
> A = ""
> 1000000.times do |i|
>   A << "a" * 100000
> end
> ~~~
> 
> gdb backtrace of `./miniruby test.rb`
> 
> ~~~
> Program received signal SIGSEGV, Segmentation fault.
> 0x000007fefe88120b in msvcrt!memmove () from C:\Windows\system32\msvcrt.dll
> (gdb) bt
> #0  0x000007fefe88120b in msvcrt!memmove () from
> C:\Windows\system32\msvcrt.dll
> #1  0x000000000054e404 in str_buf_cat (str=str@...ry=115691040,
> ptr=ptr@...ry=0x7b510e0 'a' <repeats 200 times>...,
>     len=len@...ry=100000) at ../../../ruby/string.c:2042
> #2  0x000000000054e90a in rb_enc_cr_str_buf_cat (str=str@...ry=115691040,
> ptr=0x7b510e0 'a' <repeats 200 times>...,
>     len=100000, ptr_encindex=<optimized out>, ptr_cr=ptr_cr@...ry=1048576,
>     ptr_cr_ret=0x22eb10,
>     ptr_cr_ret@...ry=0x22eaf0) at ../../../ruby/string.c:2164
> #3  0x0000000000553c6c in rb_str_buf_append (str=115691040, str2=115660360)
> at ../../../ruby/string.c:2207
> #4  0x0000000000553d9f in rb_str_append (str2=115660360, str=115691040) at
> ../../../ruby/string.c:2220
> #5  rb_str_concat (str1=115691040, str2=115660360) at
> ../../../ruby/string.c:2256
> #6  0x00000000005ac743 in vm_exec_core (th=0x768ce00, th@...ry=0x0,
> initial=initial@...ry=0)
>     at ../../../ruby/insns.def:1824
> #7  0x00000000005ad661 in vm_exec (th=0x0) at ../../../ruby/vm.c:1328
> #8  0x0000000000000000 in ?? ()
> ~~~
> 
> `capa` setting looks wrong in the following code. Here is a patch.
> 
> ~~~
> diff --git a/string.c b/string.c
> index 511374c..8abfc25 100644
> --- a/string.c
> +++ b/string.c
> @@ -2029,7 +2029,7 @@ str_buf_cat(VALUE str, const char *ptr, long len)
>      if (capa <= total) {
>         while (total > capa) {
>             if (capa + termlen >= LONG_MAX / 2) {
> -               capa = (total + 4095) / 4096;
> +               capa = LONG_MAX - termlen;
>                 break;
>             }
>             capa = (capa + termlen) * 2;
> ~~~
> 
> 
> 
> --
> https://urldefense.proofpoint.com/v1/url?u=https://bugs.ruby-lang.org/&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=bZpuVimtRQUx3xHFIlu%2BaciWn3GMzM%2FBnwDoBm5jP8U%3D%0A&m=fC%2FzhFNJyEarV%2BMdJG2PYaootJ9yi7QnmdVlPDyq4R8%3D%0A&s=b6f086bbe3874719b7d8fb1428403898f66136119f73522f325030657ca74f44
> 

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ