From: usa@...
Date: 2016-06-08T05:38:10+00:00
Subject: [ruby-core:75896] [Ruby trunk Bug#12420] Regexp: Segfault due to Invalid Read in regparse.c : bbuf_free()

Issue #12420 has been updated by Usaku NAKAMURA.

Backport changed from 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: UNKNOWN to 2.1: WONTFIX, 2.2: REQUIRED, 2.3: REQUIRED

----------------------------------------
Bug #12420: Regexp: Segfault due to Invalid Read in regparse.c : bbuf_free()
https://bugs.ruby-lang.org/issues/12420#change-59077

* Author: David Moore
* Status: Closed
* Priority: Normal
* Assignee:
* ruby -v: ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]
* Backport: 2.1: WONTFIX, 2.2: REQUIRED, 2.3: REQUIRED
----------------------------------------
A crafted regular expression will cause an invalid 4 byte read on 32-bit Ubuntu 14.04. The regular expression fails to close a character class and has an octal space as the first character in the character class.

~~~
grajagandev# cat load-re.rb
File.open(ARGV[0]) do |f|
  @re = Regexp.new("/" + File.read(f) + "/")
end
grajagandev# xxd badread-bbuf_free
0000000: 5b5c 3430 3030 3030 3030 3030 30            [\40000000000
grajagandev# ruby -v
ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]
grajagandev# uname -a
Linux x-Acer 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux
grajagandev# valgrind --max-stackframe=90000000 ruby load-re.rb badread-bbuf_free
==7692== Memcheck, a memory error detector
==7692== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==7692== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==7692== Command: ruby load-re.rb badread-bbuf_free
==7692==
==7692== Invalid read of size 4
==7692==    at 0x1C02EF: bbuf_free (regparse.c:112)
==7692==    by 0x1C13AB: onig_node_free (regparse.c:1079)
==7692==    by 0x1CD909: parse_branch (regparse.c:6367)
==7692==    by 0x1CD9BD: parse_subexp (regparse.c:6395)
==7692==    by 0x1CDB5D: parse_regexp (regparse.c:6443)
==7692==    by 0x1CDC80: onig_parse_make_tree (regparse.c:6485)
==7692==    by 0x1B27C6: onig_compile (regcomp.c:5739)
==7692==    by 0x1A0C20: onig_new_with_source (re.c:849)
==7692==    by 0x1A0CA8: make_regexp (re.c:873)
==7692==    by 0x1A479D: rb_reg_initialize (re.c:2546)
==7692==    by 0x1A4905: rb_reg_initialize_str (re.c:2571)
==7692==    by 0x1A5BE3: rb_reg_initialize_m (re.c:3071)
==7692==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
==7692==
load-re.rb:2: [BUG] Segmentation fault at 0x000001
ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]

-- Control frame information -----------------------------------------------
c:0006 p:---- s:0017 e:000016 CFUNC  :initialize
c:0005 p:---- s:0015 e:000014 CFUNC  :new
c:0004 p:0036 s:0011 e:000010 BLOCK  load-re.rb:2 [FINISH]
c:0003 p:---- s:0008 e:000007 CFUNC  :open
c:0002 p:0024 s:0004 E:001848 EVAL   load-re.rb:1 [FINISH]
c:0001 p:0000 s:0002 E:002708 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
load-re.rb:1:in `<main>'
load-re.rb:1:in `open'
load-re.rb:2:in `block in <main>'
load-re.rb:2:in `new'
load-re.rb:2:in `initialize'

-- Machine register context ------------------------------------------------
 GS: 0x0000000b  FS: 0x00000000  ES: 0x0000007b  DS: 0x0000007b
EDI: 0xbe85d260 ESI: 0xbe85d1e8 EBP: 0xbe85d058 ESP: 0xbe85d040
EBX: 0x003ad000 EDX: 0x00000000 ECX: 0x00010000 EAX: 0x00000001
TRA: 0x0000000e ERR: 0x00000004 EIP: 0x001c02ef  CS: 0x00000073
EFL: 0x00000000 UES: 0x00000000  SS: 0x0000007b

-- C level backtrace information -------------------------------------------
/usr/local/bin/ruby(rb_print_backtrace+0x28) [0x25c05f] vm_dump.c:688
/usr/local/bin/ruby(rb_vm_bugreport+0xbf) [0x25c599] vm_dump.c:997
/usr/local/bin/ruby(rb_bug_context+0x7f) [0x2afe4c] error.c:435
/usr/local/bin/ruby(sigsegv+0x5c) [0x1d3bdc] signal.c:890
/lib/i386-linux-gnu/libpthread.so.0 [0x485f1e0]
/usr/local/bin/ruby(bbuf_free+0x1b) [0x1c02ef] regparse.c:112
/usr/local/bin/ruby(onig_node_free+0xe1) [0x1c13ac] regparse.c:1079
/usr/local/bin/ruby(parse_branch+0xe4) [0x1cd90a] regparse.c:6367
/usr/local/bin/ruby(parse_subexp+0x3d) [0x1cd9be] regparse.c:6395
/usr/local/bin/ruby(parse_regexp+0x66) [0x1cdb5e] regparse.c:6443
/usr/local/bin/ruby(onig_parse_make_tree+0x95) [0x1cdc81] regparse.c:6485
/usr/local/bin/ruby(onig_compile+0x114) [0x1b27c7] regcomp.c:5739
/usr/local/bin/ruby(onig_new_with_source+0xa1) [0x1a0c21] re.c:849
/usr/local/bin/ruby(make_regexp+0x60) [0x1a0ca9] re.c:873
/usr/local/bin/ruby(rb_reg_initialize+0x290) [0x1a479e] re.c:2546
/usr/local/bin/ruby(rb_reg_initialize_str+0xee) [0x1a4906] re.c:2571
/usr/local/bin/ruby(rb_reg_initialize_m+0x3c5) [0x1a5be4] re.c:3071
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0x243160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call0_cfunc_with_frame+0x14d) [0x25016b] vm_eval.c:131
/usr/local/bin/ruby(vm_call0_cfunc+0x2d) [0x25022b] vm_eval.c:148
/usr/local/bin/ruby(vm_call0_body+0x156) [0x250383] vm_eval.c:186
/usr/local/bin/ruby(vm_call0+0x58) [0x25001c] vm_eval.c:61
/usr/local/bin/ruby(rb_call0+0xb5) [0x2509ae] vm_eval.c:351
/usr/local/bin/ruby(rb_call+0x4f) [0x25143f] vm_eval.c:637
/usr/local/bin/ruby(rb_funcallv+0x2e) [0x251ada] vm_eval.c:848
/usr/local/bin/ruby(rb_obj_call_init+0x43) [0x1236f0] eval.c:1307
/usr/local/bin/ruby(rb_class_new_instance+0x39) [0x17db0b] object.c:1856
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0x243160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call_cfunc_with_frame+0x165) [0x243b20] vm_insnhelper.c:1638
/usr/local/bin/ruby(vm_call_cfunc+0x82) [0x243c2d] vm_insnhelper.c:1733
/usr/local/bin/ruby(vm_call_method_each_type+0xa3) [0x24482d] vm_insnhelper.c:2022
/usr/local/bin/ruby(vm_call_method+0x6e) [0x244ebc] vm_insnhelper.c:2146
/usr/local/bin/ruby(vm_call_general+0x2d) [0x2450a7] vm_insnhelper.c:2189
/usr/local/bin/ruby(vm_exec_core+0x1f46) [0x248098] insns.def:995
/usr/local/bin/ruby(vm_exec+0xd2) [0x257b8e] vm.c:1650
/usr/local/bin/ruby(invoke_block+0xbb) [0x255b66] vm.c:921
/usr/local/bin/ruby(invoke_block_from_c_0+0x1d8) [0x255ede] vm.c:971
/usr/local/bin/ruby(invoke_block_from_c_splattable+0x43) [0x255f83] vm.c:988
/usr/local/bin/ruby(vm_yield+0x4d) [0x2560bd] vm.c:1023
/usr/local/bin/ruby(rb_yield_0+0x2e) [0x251f10] vm_eval.c:1010
/usr/local/bin/ruby(rb_yield_1+0x19) [0x251f2f] vm_eval.c:1016
/usr/local/bin/ruby(rb_yield+0x2d) [0x251f5e] vm_eval.c:1026
/usr/local/bin/ruby(rb_ensure+0x10f) [0x122810] eval.c:901
/usr/local/bin/ruby(rb_io_s_open+0x5d) [0x1573c0] io.c:6384
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0x243160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call_cfunc_with_frame+0x165) [0x243b20] vm_insnhelper.c:1638
/usr/local/bin/ruby(vm_call_cfunc+0x82) [0x243c2d] vm_insnhelper.c:1733
/usr/local/bin/ruby(vm_call_method_each_type+0xa3) [0x24482d] vm_insnhelper.c:2022
/usr/local/bin/ruby(vm_call_method+0x6e) [0x244ebc] vm_insnhelper.c:2146
/usr/local/bin/ruby(vm_call_general+0x2d) [0x2450a7] vm_insnhelper.c:2189
/usr/local/bin/ruby(vm_exec_core+0x1da6) [0x247ef8] insns.def:964
/usr/local/bin/ruby(vm_exec+0xd2) [0x257b8e] vm.c:1650
/usr/local/bin/ruby(rb_iseq_eval_main+0x38) [0x25863b] vm.c:1893
/usr/local/bin/ruby(ruby_exec_internal+0x123) [0x121235] eval.c:245
/usr/local/bin/ruby(ruby_exec_node+0x28) [0x121343] eval.c:310
/usr/local/bin/ruby(ruby_run_node+0x38) [0x121311] eval.c:302
/usr/local/bin/ruby(main+0x68) [0x11f0b3] main.c:36

-- Other runtime information -----------------------------------------------

* Loaded script: load-re.rb

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so
    4 /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
    5 /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
    6 /usr/local/lib/ruby/2.3.0/unicode_normalize.rb
    7 /usr/local/lib/ruby/2.3.0/i686-linux/rbconfig.rb
    8 /usr/local/lib/ruby/2.3.0/rubygems/compatibility.rb
    9 /usr/local/lib/ruby/2.3.0/rubygems/defaults.rb
   10 /usr/local/lib/ruby/2.3.0/rubygems/deprecate.rb
   11 /usr/local/lib/ruby/2.3.0/rubygems/errors.rb
   12 /usr/local/lib/ruby/2.3.0/rubygems/version.rb
   13 /usr/local/lib/ruby/2.3.0/rubygems/requirement.rb
   14 /usr/local/lib/ruby/2.3.0/rubygems/platform.rb
   15 /usr/local/lib/ruby/2.3.0/rubygems/basic_specification.rb
   16 /usr/local/lib/ruby/2.3.0/rubygems/stub_specification.rb
   17 /usr/local/lib/ruby/2.3.0/rubygems/util/list.rb
   18 /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
   19 /usr/local/lib/ruby/2.3.0/rubygems/specification.rb
   20 /usr/local/lib/ruby/2.3.0/rubygems/exceptions.rb
   21 /usr/local/lib/ruby/2.3.0/rubygems/core_ext/kernel_gem.rb
   22 /usr/local/lib/ruby/2.3.0/monitor.rb
   23 /usr/local/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb
   24 /usr/local/lib/ruby/2.3.0/rubygems.rb
   25 /usr/local/lib/ruby/2.3.0/rubygems/path_support.rb
   26 /usr/local/lib/ruby/2.3.0/rubygems/dependency.rb
   27 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/version.rb
   28 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/core_ext/name_error.rb
   29 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/levenshtein.rb
   30 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/jaro_winkler.rb
   31 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkable.rb
   32 /usr/local/lib/ruby/2.3.0/delegate.rb
   33 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/name_error_checkers/class_name_checker.rb
   34 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/name_error_checkers/variable_name_checker.rb
   35 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/name_error_checkers.rb
   36 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/method_name_checker.rb
   37 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/null_checker.rb
   38 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/formatter.rb
   39 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean.rb

* Process memory map:

00108000-003aa000 r-xp 00000000 08:07 2498475    /usr/local/bin/ruby
003aa000-003ad000 r--p 002a1000 08:07 2498475    /usr/local/bin/ruby
003ad000-003ae000 rw-p 002a4000 08:07 2498475    /usr/local/bin/ruby
003ae000-003b7000 rw-p 00000000 00:00 0
04000000-04020000 r-xp 00000000 08:07 917607     /lib/i386-linux-gnu/ld-2.19.so
04020000-04021000 r--p 0001f000 08:07 917607     /lib/i386-linux-gnu/ld-2.19.so
04021000-04022000 rw-p 00020000 08:07 917607     /lib/i386-linux-gnu/ld-2.19.so
04022000-04023000 rwxp 00000000 00:00 0
04822000-04824000 rw-p 00000000 00:00 0
04824000-04825000 r-xp 00000000 08:07 2110738    /usr/lib/valgrind/vgpreload_core-x86-linux.so
04825000-04826000 r--p 00000000 08:07 2110738    /usr/lib/valgrind/vgpreload_core-x86-linux.so
04826000-04827000 rw-p 00001000 08:07 2110738    /usr/lib/valgrind/vgpreload_core-x86-linux.so
04827000-04835000 r-xp 00000000 08:07 2110703    /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so
04835000-04836000 r--p 0000d000 08:07 2110703    /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so
04836000-04837000 rw-p 0000e000 08:07 2110703    /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so
04837000-04838000 r--p 00855000 08:07 2105916    /usr/lib/locale/locale-archive
04838000-04839000 ---p 00000000 00:00 0
04839000-0483c000 rw-p 00000000 00:00 0
0483c000-0483e000 r-xp 00000000 08:07 2627104    /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
0483e000-0483f000 r--p 00001000 08:07 2627104    /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
0483f000-04840000 rw-p 00002000 08:07 2627104    /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
04840000-04843000 r-xp 00000000 08:07 2754595    /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
04843000-04844000 r--p 00002000 08:07 2754595    /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
04844000-04845000 rw-p 00003000 08:07 2754595    /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
04845000-0484c000 r-xp 00000000 08:07 2499538    /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
0484c000-0484d000 r--p 00006000 08:07 2499538    /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
0484d000-0484e000 rw-p 00007000 08:07 2499538    /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
0484e000-04850000 rw-p 00000000 00:00 0
04850000-04868000 r-xp 00000000 08:07 917596     /lib/i386-linux-gnu/libpthread-2.19.so
04868000-04869000 r--p 00018000 08:07 917596     /lib/i386-linux-gnu/libpthread-2.19.so
04869000-0486a000 rw-p 00019000 08:07 917596     /lib/i386-linux-gnu/libpthread-2.19.so
0486a000-0486c000 rw-p 00000000 00:00 0
0486c000-0486f000 r-xp 00000000 08:07 917601     /lib/i386-linux-gnu/libdl-2.19.so
0486f000-04870000 r--p 00002000 08:07 917601     /lib/i386-linux-gnu/libdl-2.19.so
04870000-04871000 rw-p 00003000 08:07 917601     /lib/i386-linux-gnu/libdl-2.19.so
04871000-04879000 r-xp 00000000 08:07 917608     /lib/i386-linux-gnu/libcrypt-2.19.so
04879000-0487a000 r--p 00008000 08:07 917608     /lib/i386-linux-gnu/libcrypt-2.19.so
0487a000-0487b000 rw-p 00009000 08:07 917608     /lib/i386-linux-gnu/libcrypt-2.19.so
0487b000-048a2000 rw-p 00000000 00:00 0
048a2000-048e6000 r-xp 00000000 08:07 917509     /lib/i386-linux-gnu/libm-2.19.so
048e6000-048e7000 r--p 00043000 08:07 917509     /lib/i386-linux-gnu/libm-2.19.so
048e7000-048e8000 rw-p 00044000 08:07 917509     /lib/i386-linux-gnu/libm-2.19.so
048e8000-04a90000 r-xp 00000000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
04a90000-04a92000 r--p 001a8000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
04a92000-04a93000 rw-p 001aa000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
04a93000-04a98000 rw-p 00000000 00:00 0
04a98000-04e98000 rwxp 00000000 00:00 0
04e98000-05098000 r--p 00000000 08:07 2105916    /usr/lib/locale/locale-archive
05098000-05898000 rwxp 00000000 00:00 0
058b0000-058cc000 r-xp 00000000 08:07 917533     /lib/i386-linux-gnu/libgcc_s.so.1
058cc000-058cd000 rw-p 0001b000 08:07 917533     /lib/i386-linux-gnu/libgcc_s.so.1
058cd000-05d72000 r--s 00000000 08:07 2498475    /usr/local/bin/ruby
05d72000-05d93000 r--s 00000000 08:07 917596     /lib/i386-linux-gnu/libpthread-2.19.so
05d93000-05e28000 r--s 00000000 08:07 2098869    /usr/lib/debug/lib/i386-linux-gnu/libpthread-2.19.so
05e28000-05fd5000 r--s 00000000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
38000000-3837a000 r-xp 00000000 08:07 2110679    /usr/lib/valgrind/memcheck-x86-linux
3837b000-3837d000 rw-p 0037a000 08:07 2110679    /usr/lib/valgrind/memcheck-x86-linux
3837d000-3946d000 rw-p 00000000 00:00 0
61c31000-628c4000 rwxp 00000000 00:00 0
628c4000-628c6000 ---p 00000000 00:00 0
628c6000-629c6000 rwxp 00000000 00:00 0          [stack:7692]
629c6000-629c8000 ---p 00000000 00:00 0
629c8000-629c9000 rw-s 00000000 08:07 1708958    /tmp/vgdb-pipe-shared-mem-vgdb-7692-by-root-on-???
629c9000-6521f000 rwxp 00000000 00:00 0
65222000-6529a000 rwxp 00000000 00:00 0
6529b000-65397000 rwxp 00000000 00:00 0
65397000-65399000 ---p 00000000 00:00 0
65399000-65499000 rwxp 00000000 00:00 0          [stack:7693]
65499000-6549b000 ---p 00000000 00:00 0
6549b000-655b8000 rwxp 00000000 00:00 0
b77b8000-b77ba000 r--p 00000000 00:00 0          [vvar]
be061000-be860000 rw-p 00000000 00:00 0
bf840000-bf861000 rw-p 00000000 00:00 0

[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html

==7692==
==7692== HEAP SUMMARY:
==7692==     in use at exit: 2,766,355 bytes in 32,032 blocks
==7692==   total heap usage: 52,398 allocs, 20,366 frees, 6,177,813 bytes allocated
==7692==
==7692== LEAK SUMMARY:
==7692==    definitely lost: 312 bytes in 3 blocks
==7692==    indirectly lost: 3,540 bytes in 70 blocks
==7692==      possibly lost: 136 bytes in 1 blocks
==7692==    still reachable: 2,762,367 bytes in 31,958 blocks
==7692==         suppressed: 0 bytes in 0 blocks
==7692== Rerun with --leak-check=full to see details of leaked memory
==7692==
==7692== For counts of detected and suppressed errors, rerun with: -v
==7692== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Killed
~~~

---Files--------------------------------
load-re.rb (79 Bytes)
badread-bbuf_free (13 Bytes)


-- 
https://bugs.ruby-lang.org/
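Added example, not part of David Moore's report or of Ruby's own code: a small harness for probing the regexp compiler with untrusted patterns. Compiling a pattern in-process, as load-re.rb does, lets a parser bug like the one above take the whole interpreter down, so this version compiles each candidate in a forked child, silences the child's [BUG] dump, and classifies the outcome from the child's exit status. Ruby's segfault handler ends in abort(), so a crash surfaces as a signalled child; an ordinary malformed pattern surfaces as RegexpError, which the child reports as a distinct exit code. The 13-byte pattern is reconstructed from the xxd dump in the report and wrapped in slashes exactly as load-re.rb does; the function names, exit codes and the two extra sample patterns are this example's own choices. On a build that carries the fix the report's pattern is classified :rejected; on the 2.3.1 build in the report the same call would return :crashed.

```ruby
# Added example (not from the bug report). Compile candidate regexp sources in
# an isolated child process and report :compiled, :rejected (RegexpError),
# :crashed (child died by signal) or :unknown.

# The 13 bytes from the report's xxd dump: 5b 5c 34 and ten 0x30 bytes,
# i.e. "[\4" followed by ten "0"s (an unclosed class with an octal escape).
CRASH_PATTERN = "[\\4" + ("0" * 10)

EXIT_COMPILED = 0
EXIT_REJECTED = 3   # arbitrary code chosen for this example

# Same wrapping as the report's load-re.rb: Regexp.new("/" + src + "/").
def compile_in_process(source)
  Regexp.new("/" + source + "/")
  :compiled
rescue RegexpError
  :rejected
end

# Fork, compile in the child, and let the parent read the exit status.
# Process::Status#signaled? is the crash signal: SIGSEGV/SIGABRT from the
# interpreter's [BUG] handler, not a Ruby exception.
def probe_pattern(source)
  return compile_in_process(source) unless Process.respond_to?(:fork)

  pid = fork do
    $stderr.reopen(File::NULL)   # drop the [BUG] dump if the child crashes
    code = compile_in_process(source) == :compiled ? EXIT_COMPILED : EXIT_REJECTED
    exit!(code)                  # skip at_exit handlers in the child
  end

  _, status = Process.wait2(pid)
  if status.signaled?
    :crashed
  elsif status.exitstatus == EXIT_COMPILED
    :compiled
  elsif status.exitstatus == EXIT_REJECTED
    :rejected
  else
    :unknown
  end
end

# Probe a batch and return {name => outcome}; a :crashed entry is the one
# that deserves a bug report (and valgrind), a :rejected entry is the parser
# doing its job.
def probe_all(patterns)
  patterns.each_with_object({}) { |(name, src), out| out[name] = probe_pattern(src) }
end

if __FILE__ == $0
  samples = {
    "report (bug #12420)" => CRASH_PATTERN,
    "unclosed class"      => "[abc",       # constructed: plain premature end
    "control"             => "[a-z]+",     # constructed: well-formed
  }
  probe_all(samples).each { |name, outcome| printf("%-22s %s\n", name, outcome) }
end
```

Run it under the interpreter you want to vet; a :crashed line means the pattern reached a memory-safety bug in the regexp engine rather than a clean RegexpError, and that is the case to escalate. Forking per pattern is what keeps a fuzzing loop alive across crashes; if a pattern hangs instead of crashing, add a Timeout around Process.wait2 and kill the child.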