From: mcarpenter@...
Date: 2015-03-21T10:22:53+00:00
Subject: [ruby-core:68587] [Ruby trunk - Bug #10991] [Open] SIGSEGV in	Marshal.load

Issue #10991 has been reported by Martin Carpenter.

----------------------------------------
Bug #10991: SIGSEGV in Marshal.load
https://bugs.ruby-lang.org/issues/10991

* Author: Martin Carpenter
* Status: Open
* Priority: Normal
* Assignee: 
* ruby -v: ruby 2.2.2p86 (2015-03-03 revision 49825) [x86_64-linux]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
I've fuzzed some crashes in the marshal loader. The docs are explicit about not handing untrusted data to these methods and all appear to be NULL derefs from RSTRING_PTR() (I checked the first few by hand and ran exploitable over the remainder) so not obviously catastrophic from a security perspective.

Attached please find a tgz containing the input data (from afl) and gdb session output (backtrace, set args ..., run, exploitable).

To reproduce from the command line:

    ruby -e 'Marshal.load(STDIN)' < id:000001,sig:11,src:003955,op:havoc,rep:4

Today's ruby-2.2-head is affected, and as far back as ruby-2.1.5 at least (possibly earlier).


---Files--------------------------------
Marshal.load_crashes.tgz (2.92 KB)


-- 
https://bugs.ruby-lang.org/