From: usa@...
Date: 2015-05-29T04:47:47+00:00
Subject: [ruby-core:69411] [Ruby trunk - Bug #10991] SIGSEGV in Marshal.load

Issue #10991 has been updated by Usaku NAKAMURA.

Backport changed from 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: DONE to 2.0.0: WONTFIX, 2.1: DONE, 2.2: DONE

At r50667, fixed `ruby_2_1` branch.
The branch is quite different from trunk, so only an essential part of r50057 was picked up.

----------------------------------------
Bug #10991: SIGSEGV in Marshal.load
https://bugs.ruby-lang.org/issues/10991#change-52683

* Author: Martin Carpenter
* Status: Closed
* Priority: Normal
* Assignee: 
* ruby -v: ruby 2.2.2p86 (2015-03-03 revision 49825) [x86_64-linux]
* Backport: 2.0.0: WONTFIX, 2.1: DONE, 2.2: DONE
----------------------------------------
I've fuzzed some crashes in the marshal loader. The docs are explicit about not handing untrusted data to these methods and all appear to be `NULL` derefs from `RSTRING_PTR()` (I checked the first few by hand and ran exploitable over the remainder) so not obviously catastrophic from a security perspective.

Attached please find a tgz containing the input data (from afl) and gdb session output (backtrace, set args ..., run, exploitable).

To reproduce from the command line:

    ruby -e 'Marshal.load(STDIN)' < id:000001,sig:11,src:003955,op:havoc,rep:4

Today's ruby-2.2-head is affected, and as far back as ruby-2.1.5 at least (possibly earlier).


---Files--------------------------------
Marshal.load_crashes.tgz (2.92 KB)


-- 
https://bugs.ruby-lang.org/