From: "k0kubun (Takashi Kokubun) via ruby-core"
Date: 2025-07-14T21:24:45+00:00
Subject: [ruby-core:122762] [Ruby Bug#21380] Use-After-Free in String#split with In-Block String Modification

Issue #21380 has been updated by k0kubun (Takashi Kokubun).

Backport changed from 3.2: REQUIRED, 3.3: DONE, 3.4: REQUIRED to 3.2: REQUIRED, 3.3: DONE, 3.4: DONE

ruby_3_4 commit:fee92000fe96ac2dba0e87c5ed60c7440c8e2117 merged revision(s) commit:fa85d23ff4a02985ebfe0716b0ff768f5b4fe13d.

----------------------------------------
Bug #21380: Use-After-Free in String#split with In-Block String Modification
https://bugs.ruby-lang.org/issues/21380#change-114041

* Author: bytesmith (Bachir Bendrissou)
* Status: Closed
* ruby -v: 3.5.0
* Backport: 3.2: REQUIRED, 3.3: DONE, 3.4: DONE
----------------------------------------
A use-after-free bug can be triggered in Ruby's String#split when the target string is modified within the block passed to split.

Ruby version:

```
./ruby -v
ruby 3.5.0dev (2025-05-28T04:34:40Z master d064fd067b) +PRISM [x86_64-linux]
```

Program input:

```ruby
str = "one two"

def mutate(s)
  s.prepend("junk" * 1000)
end

counter = 0
loop do
  str.split { mutate(str) }
  counter += 1
  break if counter > 10
end
```

ASAN output:

```
=================================================================
==30097==ERROR: AddressSanitizer: heap-use-after-free on address 0x526000002fe4 at pc 0x562c9f1bad20 bp 0x7ffc937b5440 sp 0x7ffc937b5430
READ of size 1 at 0x526000002fe4 thread T0
    #0 0x562c9f1bad1f in rb_str_split_m ../string.c:9765
    #1 0x562c9f2eb9c5 in vm_call_cfunc_with_frame_ ../vm_insnhelper.c:3774
    #2 0x562c9f3056f6 in vm_sendish ../vm_insnhelper.c:5971
    #3 0x562c9f3543b7 in vm_exec_core ../insns.def:851
    #4 0x562c9f32315e in rb_vm_exec ../vm.c:2625
    #5 0x562c9f367157 in rb_iseq_eval_main ../vm.c:2905
    #6 0x562c9ee6078a in rb_ec_exec_node ../eval.c:281
    #7 0x562c9ee67e4d in ruby_run_node ../eval.c:319
    #8 0x562c9ee575c1 in rb_main ../main.c:42
    #9 0x562c9ee575c1 in main ../main.c:62
    #10 0x7f7ecc8811c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 42c84c92e6f98126b3e2230ebfdead22c235b667)
    #11 0x7f7ecc88128a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 42c84c92e6f98126b3e2230ebfdead22c235b667)
```

-- 
https://bugs.ruby-lang.org/

______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/lists/ruby-core.ml.ruby-lang.org/
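The bug class behind the report, as an added C model that is not Ruby's string.c: a split-with-callback that snapshots the receiver's buffer pointer, lets the callback reach the receiver (as the block in the reproducer does), and then re-validates the buffer after every callback instead of scanning on through a pointer that `prepend` may have freed. The `strbuf` type, `split_each`, the two callbacks and `run_split` are all constructed for this example, as is the "one two" input.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal growable string, constructed for this example (not Ruby's RString). */
struct strbuf { char *ptr; size_t len; };
/* Like String#prepend in the report: growing the buffer usually moves it,
 * so any pointer taken before this call is dangling afterwards. */
static int strbuf_prepend(struct strbuf *s, const char *junk) {
    size_t jl = strlen(junk);
    char *np = realloc(s->ptr, s->len + jl + 1);
    if (!np) return -1;
    memmove(np + jl, np, s->len + 1);
    memcpy(np, junk, jl);
    s->ptr = np; s->len += jl;
    return 0;
}
typedef void (*split_cb)(const char *tok, size_t n, struct strbuf *s, void *arg);

/* Split s on sep, calling cb once per token.  After every callback the buffer
 * is re-validated: if cb reallocated or resized it, return -1 instead of
 * reading on through the stale snapshot.  Otherwise returns the token count. */
static long split_each(struct strbuf *s, char sep, split_cb cb, void *arg) {
    char *ptr = s->ptr;                 /* the snapshot that goes stale */
    size_t len = s->len, beg = 0, i;
    long count = 0;
    for (i = 0; i <= len; i++) {
        if (i < len && ptr[i] != sep) continue;
        cb(ptr + beg, i - beg, s, arg);
        count++;
        if (s->ptr != ptr || s->len != len) return -1;   /* modified in block */
        beg = i + 1;
    }
    return count;
}
/* Two blocks: one only counts tokens, one mutates the receiver like mutate() above. */
static void count_cb(const char *t, size_t n, struct strbuf *s, void *arg)
{ (void)t; (void)n; (void)s; ++*(long *)arg; }
static void mutate_cb(const char *t, size_t n, struct strbuf *s, void *arg)
{ (void)t; (void)n; (void)arg; strbuf_prepend(s, "junk"); }

/* The report's "one two": 2 tokens normally, -1 once the block modifies it. */
static long run_split(int mutate) {
    struct strbuf s = { malloc(8), 7 };
    long seen = 0, r;
    if (!s.ptr) return -2;
    memcpy(s.ptr, "one two", 8);
    r = split_each(&s, ' ', mutate ? mutate_cb : count_cb, &seen);
    free(s.ptr);
    return r;
}
```

The check only catches a moved or resized buffer, which is exactly the case that frees the snapshot; an in-place edit of equal length is not a memory-safety problem for this loop.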