Date: Thu, 10 Jul 2014 15:38:07 +1000
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
CC: rdecvalle@...are.com
Subject: Re: Fwd: [ruby-core:63604] [ruby-trunk - Bug #10019]
 [Open] segmentation fault/buffer overrun in pack.c (encodes)

On 07/10/2014 01:45 AM, Ramon de C Valle wrote:
> I believe this should have a CVE assigned.
>
> Begin forwarded message:
>
>> From: <wkwood@...il.com>
>> Subject: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes)
>> Date: July 9, 2014 at 11:40:24 AM GMT-3
>> To: <ruby-core@...y-lang.org>
>> Reply-To: Ruby developers <ruby-core@...y-lang.org>
>>
>> Issue #10019 has been reported by Will Wood.
>>
>> ----------------------------------------
>> Bug #10019: segmentation fault/buffer overrun in pack.c (encodes)
>> https://bugs.ruby-lang.org/issues/10019
>>
>> * Author: Will Wood
>> * Status: Open
>> * Priority: Normal
>> * Assignee:
>> * Category: core
>> * Target version:
>> * ruby -v: ruby 2.1.2p168 (2014-07-06 revision 46721) [i386-mingw32]
>> * Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
>> ----------------------------------------
>> While working with an AWS sample I hit a segmentation fault.  The same sample works under 1.9.3.  It appeared to be coming from pack.c function encodes.  After looking at the source there's a 4K buffer allocated on the stack.  I made a minor change to base the buffer length off of the incoming buffer length with a pad and allocate it off the heap.  Anyway, after fixing this my code sample runs fine.  I'm including a patch file and the sample code.
>>
>> ---Files--------------------------------
>> pack.patch (2.74 KB)
>> BucketTest.rb (326 Bytes)
>>
>>
>> --
>> https://bugs.ruby-lang.org/
>

Hello Ramon,

Thanks for the notification! Have you reviewed the patch in 
<https://bugs.ruby-lang.org/issues/10019>?

I am not sure about this part:

  static void
  encodes(VALUE str, const char *s, long len, int type, int tail_lf)
  {
-    char buff[4096];
+	long bufLen = len + 128;  // enough room
+	char* buff = (char*)malloc(bufLen);
      long i = 0;
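Review bot: the `malloc(bufLen)` result on the `+ char* buff = (char*)malloc(bufLen);` line is used without a NULL check, and the hunk shows no matching `free(buff)`, so the function needs an allocation-failure path and a release on every return (Ruby's own `xmalloc`/`xfree`, which raise NoMemoryError rather than returning NULL, would be the more idiomatic choice in this code base). The `len + 128` pad is also an undocumented magic number: `len` is a signed `long`, so `len + 128` can overflow when `len` approaches `LONG_MAX`, and the comment `// enough room` does not say how 128 was derived from the encoder's output size; either state the derivation or compute the size from the encoding's expansion ratio. Minor: the added lines are indented with a tab where the removed line used four spaces, so the indentation is mixed.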

Is len specified as part of the incoming data, or is it just the string 
length? Is it not possible to send a string of around 4294967295 in length?

Anyways, from the bug comment it sounded like this is not the final patch.

Cheers,

--
Murray McAllister / Red Hat Product Security
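The question about `len + 128` comes down to how the encoder's output size relates to its input. The C below is an added illustration written for this thread, not Ruby's pack.c and not the patch under discussion: it sizes a line-wrapped base64 output from the expansion ratio with overflow-checked arithmetic, allocates exactly that much, and includes a self-check that the formula matches what the encoder really writes. `LINE_BYTES`, the function names and the zero-filled sample input are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not Ruby's pack.c: size a line-wrapped base64
 * encoder's output from its expansion ratio instead of a fixed pad.
 * LINE_BYTES and the function names are hypothetical. */
#define LINE_BYTES 45   /* 45 input bytes -> 60 base64 chars + '\n' */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Exact output length (no NUL) for len bytes; SIZE_MAX on size_t overflow. */
size_t encoded_size(size_t len)
{
    size_t groups = len / 3 + (len % 3 != 0);                  /* 3 in -> 4 out */
    size_t lines = len / LINE_BYTES + (len % LINE_BYTES != 0); /* one '\n' each */
    if (groups > SIZE_MAX / 4 || groups * 4 > SIZE_MAX - lines) return SIZE_MAX;
    return groups * 4 + lines;
}

/* Encode into a heap buffer sized by encoded_size(); NULL on overflow or
 * allocation failure. Caller frees the result. */
char *encode_wrapped(const unsigned char *s, size_t len)
{
    size_t need = encoded_size(len);
    char *buff = need == SIZE_MAX ? NULL : malloc(need + 1), *p = buff;
    if (!buff) return NULL;
    for (size_t i = 0; i < len; i += 3) {
        size_t n = len - i < 3 ? len - i : 3;           /* bytes in this group */
        uint32_t v = (uint32_t)s[i] << 16 | (n > 1 ? (uint32_t)s[i + 1] << 8 : 0)
                   | (n > 2 ? s[i + 2] : 0);
        *p++ = B64[(v >> 18) & 63];
        *p++ = B64[(v >> 12) & 63];
        *p++ = n > 1 ? B64[(v >> 6) & 63] : '=';
        *p++ = n > 2 ? B64[v & 63] : '=';
        if ((i + 3) % LINE_BYTES == 0 || i + 3 >= len) *p++ = '\n';
    }
    *p = '\0';
    return buff;
}

/* Encode len constructed (zero-filled) bytes and report the real output length. */
size_t encoded_strlen(size_t len)
{
    unsigned char *in = calloc(len + 1, 1);     /* +1 keeps len == 0 valid */
    char *out = in ? encode_wrapped(in, len) : NULL;
    size_t got = out ? strlen(out) : SIZE_MAX;
    free(in); free(out);
    return got;
}
```

For this encoder, encoded_size(4096) is 5556 while 4096 + 128 is 4224, which is why a pad that is not derived from the expansion ratio deserves the question raised above.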
