From: thoger@...
Date: 2014-07-21T08:36:51+00:00
Subject: [ruby-core:63913] [ruby-trunk - Bug #10019] segmentation fault/buffer overrun in pack.c (encodes)

Issue #10019 has been updated by Tomas Hoger.

Will Wood wrote:

> d:/ruby-2.1.2-i386-mingw32/lib/ruby/gems/2.1.0/gems/aws-sdk-1.48.1/lib/aws/core/signers/s3.rb:59:in `signature'

https://github.com/aws/aws-sdk-ruby/blob/e243394/lib/aws/core/signers/s3.rb#l59

~~~
signature = Base.sign(credentials.secret_access_key, signature, 'sha1')
~~~

> d:/ruby-2.1.2-i386-mingw32/lib/ruby/gems/2.1.0/gems/aws-sdk-1.48.1/lib/aws/core/signers/base.rb:29:in `sign'

https://github.com/aws/aws-sdk-ruby/blob/2feef15/lib/aws/core/signers/base.rb#L29

~~~
Base64.encode64(hmac(secret, string_to_sign, digest_method)).strip
~~~

where `hmac()` is:

https://github.com/aws/aws-sdk-ruby/blob/2feef15/lib/aws/core/signers/base.rb#L38

~~~
def hmac key, value, digest = 'sha256'
  OpenSSL::HMAC.digest(OpenSSL::Digest.new(digest), key, value)
end
~~~

> d:/ruby-2.1.2-i386-mingw32/lib/ruby/2.1.0/base64.rb:38:in `encode64'

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_2_1/lib/base64.rb?revision=44340&view=markup#l38

~~~
[bin].pack("m")
~~~

Value passed to `encode64()` should be short, and of fixed size for a given digest method. For SHA-1, that's 20 bytes, hence output size is 28+1 bytes. That should be far from overflowing buff[4096]. Hence the minimal reproducer should be:

~~~
require 'openssl'
digest = OpenSSL::Digest.new('sha1')
hmac_val = OpenSSL::HMAC.digest(digest, 'secret', 'value')
print [hmac_val].pack('m')
~~~

As `encodes()` output size only depends on input size, and not input content, it should not matter what 'secret' and 'value' are.
----------------------------------------
Bug #10019: segmentation fault/buffer overrun in pack.c (encodes)
https://bugs.ruby-lang.org/issues/10019#change-47945

* Author: Will Wood
* Status: Feedback
* Priority: Normal
* Assignee:
* Category: core
* Target version:
* ruby -v: ruby 2.1.2p168 (2014-07-06 revision 46721) [i386-mingw32]
* Backport: 2.0.0: REQUIRED, 2.1: DONE
----------------------------------------
While working with an AWS sample I hit a segmentation fault. The same sample works under 1.9.3. It appeared to be coming from pack.c function encodes. After looking at the source, there's a 4K buffer allocated on the stack. I made a minor change to base the buffer length off of the incoming buffer length with a pad and allocate it off the heap. Anyway, after fixing this my code sample runs fine. I'm including a patch file and the sample code.

---Files--------------------------------
pack.patch (2.74 KB)
BucketTest.rb (326 Bytes)

--
https://bugs.ruby-lang.org/
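Tomas Hoger's point above, that the size of `[bin].pack('m')` output is a function of input length alone (20 HMAC-SHA1 bytes giving 28 characters plus a newline), can be checked directly. This is an added example, not code from the thread, from ruby or from aws-sdk-ruby; the helper names `packed_m_length`, `hmac_packed` and `length_depends_only_on_size?` are mine, and the key/value inputs are constructed.

```ruby
require 'openssl'

# Expected byte length of [bin].pack('m') for an input of n bytes.
# pack('m') emits RFC 2045 style base64: 4 output chars per 3 input bytes
# (padded), wrapped every 45 input bytes (60 output chars), with a "\n"
# after every line including the last one. Equivalent to
# ceil(n/3)*4 + ceil(n/45), and 0 for empty input.
def packed_m_length(n)
  return 0 if n.zero?
  (n + 2) / 3 * 4 + (n + 44) / 45
end

# Mirrors the aws-sdk path: HMAC via OpenSSL, then pack('m') as
# Base64.encode64 does. Returns the packed string (constructed inputs).
def hmac_packed(digest_name, key, value)
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new(digest_name), key, value)
  [mac].pack('m')
end

# True when every one of `trials` random inputs of length n packs to the
# predicted size, i.e. content has no influence on the output length.
def length_depends_only_on_size?(n, trials = 20)
  rng = Random.new
  trials.times.all? do
    bin = rng.bytes(n) # constructed random content of fixed length
    [bin].pack('m').bytesize == packed_m_length(n)
  end
end

if __FILE__ == $0
  sha1 = hmac_packed('sha1', 'secret', 'value')
  puts "HMAC-SHA1 -> #{sha1.bytesize} bytes (20 raw bytes = 28 chars + newline)"
  (0..200).each do |n|
    abort "length mismatch at n=#{n}" unless length_depends_only_on_size?(n)
  end
  puts "pack('m') output length matches ceil(n/3)*4 + ceil(n/45) for 0..200 bytes"
end
```

Any digest name accepted by `OpenSSL::Digest.new` can be substituted for `'sha1'`; the output stays far below 4096 bytes for every standard HMAC size.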