From: "nobu (Nobuyoshi Nakada) via ruby-core"
Date: 2025-12-17T03:02:01+00:00
Subject: [ruby-core:124271] [Ruby Bug#21787] `IO::Buffer` Integer Overflow in Range Validation Leads to Out-of-Bounds Memory Access

Issue #21787 has been updated by nobu (Nobuyoshi Nakada).

Subject changed from `IO::Buffer` buffer overf to `IO::Buffer` Integer Overflow in Range Validation Leads to Out-of-Bounds Memory Access
Backport changed from 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN to 3.2: REQUIRED, 3.3: REQUIRED, 3.4: REQUIRED

From: https://hackerone.com/reports/3437743

The `IO::Buffer` implementation in Ruby contains a critical integer overflow vulnerability in its range validation logic. The `io_buffer_validate_range` function assumes that `offset+length` never wraps around, allowing an attacker to bypass bounds checking with a carefully chosen large offset value. When the sum overflows, it appears to be within bounds while the actual destination pointer underflows. Subsequent operations (write/read copies) use this wrapped offset without further validation, enabling out-of-bounds memory access directly from Ruby code.

https://hackerone.com/reports/3437743#activity-38521790
> We decided to fix this as a regular bug since `IO::Buffer` is experimental.

----------------------------------------
Bug #21787: `IO::Buffer` Integer Overflow in Range Validation Leads to Out-of-Bounds Memory Access
https://bugs.ruby-lang.org/issues/21787#change-115764

* Author: nobu (Nobuyoshi Nakada)
* Status: Open
* Backport: 3.2: REQUIRED, 3.3: REQUIRED, 3.4: REQUIRED
----------------------------------------

-- 
https://bugs.ruby-lang.org/
______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/lists/ruby-core.ml.ruby-lang.org/
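The bug class the report describes, a range check of the form `offset + length <= size` whose sum can wrap, is easy to see in isolation. The following is an added illustration written for this page; it is not Ruby's `io_buffer_validate_range` and the function names, the buffer size and the sample operands are all constructed. It places the wrap-prone check beside an overflow-safe form that compares each operand against `size` before doing any arithmetic, which is the shape a reviewer should look for in any buffer-slicing code:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a bounds check that assumes offset + length never
 * wraps around. size_t addition is modular, so a huge offset plus a small
 * length can land on a small value that passes the comparison. */
int range_ok_naive(size_t size, size_t offset, size_t length)
{
    return offset + length <= size;   /* sum may wrap to a small value */
}

/* The value the naive check actually compares against size. */
size_t wrapped_end(size_t offset, size_t length)
{
    return offset + length;           /* modular arithmetic, never traps */
}

/* Overflow-safe form: reject offset before touching it, then compare
 * length against the remaining room. No sum is ever formed, and the
 * subtraction cannot underflow because offset <= size has been established. */
int range_ok_safe(size_t size, size_t offset, size_t length)
{
    if (offset > size) return 0;
    if (length > size - offset) return 0;
    return 1;
}

/* Stand-alone demonstration comparing both checks on constructed operands. */
int main(void)
{
    const size_t size = 64;                       /* constructed buffer size */
    struct { size_t offset, length; } cases[] = {
        { 60, 4 },          /* exactly fills the tail: in bounds */
        { 60, 5 },          /* one past the end: out of bounds */
        { SIZE_MAX, 8 },    /* sum wraps to 7: naive check is fooled */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t off = cases[i].offset, len = cases[i].length;
        printf("offset=%zu length=%zu end=%zu naive=%d safe=%d\n",
               off, len, wrapped_end(off, len),
               range_ok_naive(size, off, len), range_ok_safe(size, off, len));
    }
    return 0;
}
```

The third case is the shape of the flaw: `wrapped_end` returns 7, so the naive check accepts an offset that no later copy could safely use, while the safe form rejects it at the first comparison. When auditing similar code, any comparison whose left-hand side is an addition of two caller-controlled sizes deserves the same treatment.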