From: nagachika00@...
Date: 2016-06-11T17:47:49+00:00
Subject: [ruby-core:75954] [Ruby trunk Bug#12418] Regexp: Segfault due to Invalid Read in regerror.c : to_ascii()

Issue #12418 has been updated by Tomoyuki Chikanaga.

Backport changed from 2.1: REQUIRED, 2.2: DONE, 2.3: REQUIRED to 2.1: REQUIRED, 2.2: DONE, 2.3: DONE

ruby_2_3 r55384 merged revision(s) 55154.

----------------------------------------
Bug #12418: Regexp: Segfault due to Invalid Read in regerror.c : to_ascii()
https://bugs.ruby-lang.org/issues/12418#change-59149

* Author: David Moore
* Status: Closed
* Priority: Normal
* Assignee:
* ruby -v: ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]
* Backport: 2.1: REQUIRED, 2.2: DONE, 2.3: DONE
----------------------------------------
A crafted regular expression will cause an invalid 4 byte read on 32-bit Ubuntu 14.04. The regular expression has several errors - this bug occurs during the process of creating the OnigErrorInfo structure and appears to be an encoding issue.

~~~
grajagandev# cat load-re.rb
File.open(ARGV[0]) do |f|
  @re = Regexp.new("/" + File.read(f) + "/")
end
grajagandev# cat badread-to_ascii
(0?0|(?(5)||)|(?(5)||))?
grajagandev# ruby -v
ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]
grajagandev# uname -a
Linux x-Acer 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux
grajagandev# valgrind --max-stackframe=90000000 --track-origins=yes ruby load-re.rb badread-to_ascii
==29929== Memcheck, a memory error detector
==29929== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==29929== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==29929== Command: ruby load-re.rb badread-to_ascii
==29929==
==29929== Use of uninitialised value of size 4
==29929==    at 0x1B4A12: to_ascii (regerror.c:209)
==29929==    by 0x1B4C85: onig_error_code_to_str (regerror.c:282)
==29929==    by 0x1A0CCA: make_regexp (re.c:876)
==29929==    by 0x1A479D: rb_reg_initialize (re.c:2546)
==29929==    by 0x1A4905: rb_reg_initialize_str (re.c:2571)
==29929==    by 0x1A5BE3: rb_reg_initialize_m (re.c:3071)
==29929==    by 0x24315F: call_cfunc_m1 (vm_insnhelper.c:1459)
==29929==    by 0x25016A: vm_call0_cfunc_with_frame (vm_eval.c:131)
==29929==    by 0x25022A: vm_call0_cfunc (vm_eval.c:148)
==29929==    by 0x250382: vm_call0_body (vm_eval.c:186)
==29929==    by 0x25001B: vm_call0 (vm_eval.c:61)
==29929==    by 0x2509AD: rb_call0 (vm_eval.c:351)
==29929==  Uninitialised value was created by a stack allocation
==29929==    at 0x1A0C51: make_regexp (re.c:861)
==29929==
==29929== Invalid read of size 4
==29929==    at 0x1B4A12: to_ascii (regerror.c:209)
==29929==    by 0x1B4C85: onig_error_code_to_str (regerror.c:282)
==29929==    by 0x1A0CCA: make_regexp (re.c:876)
==29929==    by 0x1A479D: rb_reg_initialize (re.c:2546)
==29929==    by 0x1A4905: rb_reg_initialize_str (re.c:2571)
==29929==    by 0x1A5BE3: rb_reg_initialize_m (re.c:3071)
==29929==    by 0x24315F: call_cfunc_m1 (vm_insnhelper.c:1459)
==29929==    by 0x25016A: vm_call0_cfunc_with_frame (vm_eval.c:131)
==29929==    by 0x25022A: vm_call0_cfunc (vm_eval.c:148)
==29929==    by 0x250382: vm_call0_body (vm_eval.c:186)
==29929==    by 0x25001B: vm_call0 (vm_eval.c:61)
==29929==    by 0x2509AD: rb_call0 (vm_eval.c:351)
==29929==  Address 0xe is not stack'd, malloc'd or (recently) free'd
==29929==
load-re.rb:2: [BUG] Segmentation fault at 0x00000e
ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]

-- Control frame information -----------------------------------------------
c:0006 p:---- s:0017 e:000016 CFUNC  :initialize
c:0005 p:---- s:0015 e:000014 CFUNC  :new
c:0004 p:0036 s:0011 e:000010 BLOCK  load-re.rb:2 [FINISH]
c:0003 p:---- s:0008 e:000007 CFUNC  :open
c:0002 p:0024 s:0004 E:000c60 EVAL   load-re.rb:1 [FINISH]
c:0001 p:0000 s:0002 E:002708 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
load-re.rb:1:in `<main>'
load-re.rb:1:in `open'
load-re.rb:2:in `block in <main>'
load-re.rb:2:in `new'
load-re.rb:2:in `initialize'

-- Machine register context ------------------------------------------------
 GS: 0x0000000b  FS: 0x00000000  ES: 0x0000007b  DS: 0x0000007b EDI: 0xbee5a45c
ESI: 0xbee5a27e EBP: 0xbee5a238 ESP: 0xbee5a210 EBX: 0x003ad000 EDX: 0x00000000
ECX: 0x002a1dcb EAX: 0x00000002 TRA: 0x0000000e ERR: 0x00000004 EIP: 0x001b4a12
 CS: 0x00000073 EFL: 0x00000080 UES: 0x00000000  SS: 0x0000007b

-- C level backtrace information -------------------------------------------
/usr/local/bin/ruby(rb_print_backtrace+0x28) [0x25c05f] vm_dump.c:688
/usr/local/bin/ruby(rb_vm_bugreport+0xbf) [0x25c599] vm_dump.c:997
/usr/local/bin/ruby(rb_bug_context+0x7f) [0x2afe4c] error.c:435
/usr/local/bin/ruby(sigsegv+0x5c) [0x1d3bdc] signal.c:890
/lib/i386-linux-gnu/libpthread.so.0 [0x485f1e0]
/usr/local/bin/ruby(to_ascii+0x15) [0x1b4a12] regerror.c:209
/usr/local/bin/ruby(onig_error_code_to_str+0x93) [0x1b4c86] regerror.c:282
/usr/local/bin/ruby(make_regexp+0x82) [0x1a0ccb] re.c:876
/usr/local/bin/ruby(rb_reg_initialize+0x290) [0x1a479e] re.c:2546
/usr/local/bin/ruby(rb_reg_initialize_str+0xee) [0x1a4906] re.c:2571
/usr/local/bin/ruby(rb_reg_initialize_m+0x3c5) [0x1a5be4] re.c:3071
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0x243160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call0_cfunc_with_frame+0x14d) [0x25016b] vm_eval.c:131
/usr/local/bin/ruby(vm_call0_cfunc+0x2d) [0x25022b] vm_eval.c:148
/usr/local/bin/ruby(vm_call0_body+0x156) [0x250383] vm_eval.c:186
/usr/local/bin/ruby(vm_call0+0x58) [0x25001c] vm_eval.c:61
/usr/local/bin/ruby(rb_call0+0xb5) [0x2509ae] vm_eval.c:351
/usr/local/bin/ruby(rb_call+0x4f) [0x25143f] vm_eval.c:637
/usr/local/bin/ruby(rb_funcallv+0x2e) [0x251ada] vm_eval.c:848
/usr/local/bin/ruby(rb_obj_call_init+0x43) [0x1236f0] eval.c:1307
/usr/local/bin/ruby(rb_class_new_instance+0x39) [0x17db0b] object.c:1856
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0x243160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call_cfunc_with_frame+0x165) [0x243b20] vm_insnhelper.c:1638
/usr/local/bin/ruby(vm_call_cfunc+0x82) [0x243c2d] vm_insnhelper.c:1733
/usr/local/bin/ruby(vm_call_method_each_type+0xa3) [0x24482d] vm_insnhelper.c:2022
/usr/local/bin/ruby(vm_call_method+0x6e) [0x244ebc] vm_insnhelper.c:2146
/usr/local/bin/ruby(vm_call_general+0x2d) [0x2450a7] vm_insnhelper.c:2189
/usr/local/bin/ruby(vm_exec_core+0x1f46) [0x248098] insns.def:995
/usr/local/bin/ruby(vm_exec+0xd2) [0x257b8e] vm.c:1650
/usr/local/bin/ruby(invoke_block+0xbb) [0x255b66] vm.c:921
/usr/local/bin/ruby(invoke_block_from_c_0+0x1d8) [0x255ede] vm.c:971
/usr/local/bin/ruby(invoke_block_from_c_splattable+0x43) [0x255f83] vm.c:988
/usr/local/bin/ruby(vm_yield+0x4d) [0x2560bd] vm.c:1023
/usr/local/bin/ruby(rb_yield_0+0x2e) [0x251f10] vm_eval.c:1010
/usr/local/bin/ruby(rb_yield_1+0x19) [0x251f2f] vm_eval.c:1016
/usr/local/bin/ruby(rb_yield+0x2d) [0x251f5e] vm_eval.c:1026
/usr/local/bin/ruby(rb_ensure+0x10f) [0x122810] eval.c:901
/usr/local/bin/ruby(rb_io_s_open+0x5d) [0x1573c0] io.c:6384
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0x243160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call_cfunc_with_frame+0x165) [0x243b20] vm_insnhelper.c:1638
/usr/local/bin/ruby(vm_call_cfunc+0x82) [0x243c2d] vm_insnhelper.c:1733
/usr/local/bin/ruby(vm_call_method_each_type+0xa3) [0x24482d] vm_insnhelper.c:2022
/usr/local/bin/ruby(vm_call_method+0x6e) [0x244ebc] vm_insnhelper.c:2146
/usr/local/bin/ruby(vm_call_general+0x2d) [0x2450a7] vm_insnhelper.c:2189
/usr/local/bin/ruby(vm_exec_core+0x1da6) [0x247ef8] insns.def:964
/usr/local/bin/ruby(vm_exec+0xd2) [0x257b8e] vm.c:1650
/usr/local/bin/ruby(rb_iseq_eval_main+0x38) [0x25863b] vm.c:1893
/usr/local/bin/ruby(ruby_exec_internal+0x123) [0x121235] eval.c:245
/usr/local/bin/ruby(ruby_exec_node+0x28) [0x121343] eval.c:310
/usr/local/bin/ruby(ruby_run_node+0x38) [0x121311] eval.c:302
/usr/local/bin/ruby(main+0x68) [0x11f0b3] main.c:36

-- Other runtime information -----------------------------------------------
* Loaded script: load-re.rb
* Loaded features:
    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so
    4 /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
    5 /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
    6 /usr/local/lib/ruby/2.3.0/unicode_normalize.rb
    7 /usr/local/lib/ruby/2.3.0/i686-linux/rbconfig.rb
    8 /usr/local/lib/ruby/2.3.0/rubygems/compatibility.rb
    9 /usr/local/lib/ruby/2.3.0/rubygems/defaults.rb
   10 /usr/local/lib/ruby/2.3.0/rubygems/deprecate.rb
   11 /usr/local/lib/ruby/2.3.0/rubygems/errors.rb
   12 /usr/local/lib/ruby/2.3.0/rubygems/version.rb
   13 /usr/local/lib/ruby/2.3.0/rubygems/requirement.rb
   14 /usr/local/lib/ruby/2.3.0/rubygems/platform.rb
   15 /usr/local/lib/ruby/2.3.0/rubygems/basic_specification.rb
   16 /usr/local/lib/ruby/2.3.0/rubygems/stub_specification.rb
   17 /usr/local/lib/ruby/2.3.0/rubygems/util/list.rb
   18 /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
   19 /usr/local/lib/ruby/2.3.0/rubygems/specification.rb
   20 /usr/local/lib/ruby/2.3.0/rubygems/exceptions.rb
   21 /usr/local/lib/ruby/2.3.0/rubygems/core_ext/kernel_gem.rb
   22 /usr/local/lib/ruby/2.3.0/monitor.rb
   23 /usr/local/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb
   24 /usr/local/lib/ruby/2.3.0/rubygems.rb
   25 /usr/local/lib/ruby/2.3.0/rubygems/path_support.rb
   26 /usr/local/lib/ruby/2.3.0/rubygems/dependency.rb
   27 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/version.rb
   28 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/core_ext/name_error.rb
   29 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/levenshtein.rb
   30 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/jaro_winkler.rb
   31 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkable.rb
   32 /usr/local/lib/ruby/2.3.0/delegate.rb
   33 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/name_error_checkers/class_name_checker.rb
   34 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/name_error_checkers/variable_name_checker.rb
   35 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/name_error_checkers.rb
   36 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/method_name_checker.rb
   37 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/null_checker.rb
   38 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/formatter.rb
   39 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean.rb

* Process memory map:
00108000-003aa000 r-xp 00000000 08:07 2498477    /usr/local/bin/ruby
003aa000-003ad000 r--p 002a1000 08:07 2498477    /usr/local/bin/ruby
003ad000-003ae000 rw-p 002a4000 08:07 2498477    /usr/local/bin/ruby
003ae000-003b7000 rw-p 00000000 00:00 0
04000000-04020000 r-xp 00000000 08:07 917607     /lib/i386-linux-gnu/ld-2.19.so
04020000-04021000 r--p 0001f000 08:07 917607     /lib/i386-linux-gnu/ld-2.19.so
04021000-04022000 rw-p 00020000 08:07 917607     /lib/i386-linux-gnu/ld-2.19.so
04022000-04023000 rwxp 00000000 00:00 0
04822000-04824000 rw-p 00000000 00:00 0
04824000-04825000 r-xp 00000000 08:07 2110738    /usr/lib/valgrind/vgpreload_core-x86-linux.so
04825000-04826000 r--p 00000000 08:07 2110738    /usr/lib/valgrind/vgpreload_core-x86-linux.so
04826000-04827000 rw-p 00001000 08:07 2110738    /usr/lib/valgrind/vgpreload_core-x86-linux.so
04827000-04835000 r-xp 00000000 08:07 2110703    /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so
04835000-04836000 r--p 0000d000 08:07 2110703    /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so
04836000-04837000 rw-p 0000e000 08:07 2110703    /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so
04837000-04838000 r--p 00855000 08:07 2105916    /usr/lib/locale/locale-archive
04838000-04839000 ---p 00000000 00:00 0
04839000-0483c000 rw-p 00000000 00:00 0
0483c000-0483e000 r-xp 00000000 08:07 2631367    /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
0483e000-0483f000 r--p 00001000 08:07 2631367    /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
0483f000-04840000 rw-p 00002000 08:07 2631367    /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
04840000-04843000 r-xp 00000000 08:07 2757170    /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
04843000-04844000 r--p 00002000 08:07 2757170    /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
04844000-04845000 rw-p 00003000 08:07 2757170    /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
04845000-0484c000 r-xp 00000000 08:07 2499539    /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
0484c000-0484d000 r--p 00006000 08:07 2499539    /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
0484d000-0484e000 rw-p 00007000 08:07 2499539    /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
0484e000-04850000 rw-p 00000000 00:00 0
04850000-04868000 r-xp 00000000 08:07 917596     /lib/i386-linux-gnu/libpthread-2.19.so
04868000-04869000 r--p 00018000 08:07 917596     /lib/i386-linux-gnu/libpthread-2.19.so
04869000-0486a000 rw-p 00019000 08:07 917596     /lib/i386-linux-gnu/libpthread-2.19.so
0486a000-0486c000 rw-p 00000000 00:00 0
0486c000-0486f000 r-xp 00000000 08:07 917601     /lib/i386-linux-gnu/libdl-2.19.so
0486f000-04870000 r--p 00002000 08:07 917601     /lib/i386-linux-gnu/libdl-2.19.so
04870000-04871000 rw-p 00003000 08:07 917601     /lib/i386-linux-gnu/libdl-2.19.so
04871000-04879000 r-xp 00000000 08:07 917608     /lib/i386-linux-gnu/libcrypt-2.19.so
04879000-0487a000 r--p 00008000 08:07 917608     /lib/i386-linux-gnu/libcrypt-2.19.so
0487a000-0487b000 rw-p 00009000 08:07 917608     /lib/i386-linux-gnu/libcrypt-2.19.so
0487b000-048a2000 rw-p 00000000 00:00 0
048a2000-048e6000 r-xp 00000000 08:07 917509     /lib/i386-linux-gnu/libm-2.19.so
048e6000-048e7000 r--p 00043000 08:07 917509     /lib/i386-linux-gnu/libm-2.19.so
048e7000-048e8000 rw-p 00044000 08:07 917509     /lib/i386-linux-gnu/libm-2.19.so
048e8000-04a90000 r-xp 00000000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
04a90000-04a92000 r--p 001a8000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
04a92000-04a93000 rw-p 001aa000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
04a93000-04a98000 rw-p 00000000 00:00 0
04a98000-04e98000 rwxp 00000000 00:00 0
04e98000-05098000 r--p 00000000 08:07 2105916    /usr/lib/locale/locale-archive
05098000-05898000 rwxp 00000000 00:00 0
058b0000-058cc000 r-xp 00000000 08:07 917533     /lib/i386-linux-gnu/libgcc_s.so.1
058cc000-058cd000 rw-p 0001b000 08:07 917533     /lib/i386-linux-gnu/libgcc_s.so.1
058cd000-05d72000 r--s 00000000 08:07 2498477    /usr/local/bin/ruby
05d72000-05d93000 r--s 00000000 08:07 917596     /lib/i386-linux-gnu/libpthread-2.19.so
05d93000-05e28000 r--s 00000000 08:07 2098869    /usr/lib/debug/lib/i386-linux-gnu/libpthread-2.19.so
05e28000-05fd5000 r--s 00000000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
38000000-3837a000 r-xp 00000000 08:07 2110679    /usr/lib/valgrind/memcheck-x86-linux
3837b000-3837d000 rw-p 0037a000 08:07 2110679    /usr/lib/valgrind/memcheck-x86-linux
3837d000-3946d000 rw-p 00000000 00:00 0
61f2f000-683c2000 rwxp 00000000 00:00 0
683c2000-683c4000 ---p 00000000 00:00 0
683c4000-684c4000 rwxp 00000000 00:00 0          [stack:29929]
684c4000-684c6000 ---p 00000000 00:00 0
684c6000-684c7000 rw-s 00000000 08:07 1708583    /tmp/vgdb-pipe-shared-mem-vgdb-29929-by-root-on-???
684c7000-6ad1d000 rwxp 00000000 00:00 0
6ad20000-6ad98000 rwxp 00000000 00:00 0
6ad99000-6ae95000 rwxp 00000000 00:00 0
6ae95000-6ae97000 ---p 00000000 00:00 0
6ae97000-6af97000 rwxp 00000000 00:00 0          [stack:30002]
6af97000-6af99000 ---p 00000000 00:00 0
6af99000-6b0cc000 rwxp 00000000 00:00 0
b77a9000-b77ab000 r--p 00000000 00:00 0          [vvar]
be65e000-bee5d000 rw-p 00000000 00:00 0
bfe3e000-bfe5f000 rw-p 00000000 00:00 0

[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html

==29929==
==29929== HEAP SUMMARY:
==29929==     in use at exit: 2,765,971 bytes in 32,030 blocks
==29929==   total heap usage: 52,398 allocs, 20,368 frees, 6,177,662 bytes allocated
==29929==
==29929== LEAK SUMMARY:
==29929==    definitely lost: 312 bytes in 3 blocks
==29929==    indirectly lost: 3,540 bytes in 70 blocks
==29929==      possibly lost: 136 bytes in 1 blocks
==29929==    still reachable: 2,761,983 bytes in 31,956 blocks
==29929==         suppressed: 0 bytes in 0 blocks
==29929== Rerun with --leak-check=full to see details of leaked memory
==29929==
==29929== For counts of detected and suppressed errors, rerun with: -v
==29929== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Killed
~~~

---Files--------------------------------
load-re.rb (79 Bytes)
badread-to_ascii (25 Bytes)

-- 
https://bugs.ruby-lang.org/
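Added example, not part of the bug report above and not Ruby's own code: the operational takeaway from this class of bug. Feeding attacker-controlled text to `Regexp.new` exposes Onigmo's parser, and the report shows that a malformed pattern can crash the interpreter in the error-reporting path itself, which no Ruby-level `rescue RegexpError` can catch. The helper below compiles a pattern in a forked child under a wall-clock budget and reports one of `:ok`, `:invalid`, `:crashed` or `:timeout`, so a parser crash or a runaway compile becomes a result the service can log and reject instead of a dead worker. The method names, the 2-second default and the sample inputs are my own assumptions; the third sample is the report's crafted pattern wrapped in slashes exactly as load-re.rb did.

```ruby
require 'timeout'

# Compile +pattern+ in the current process. Only distinguishes "compiles" from
# "rejected by the parser"; an interpreter crash takes the caller down with it.
def compile_inline(pattern)
  Regexp.new(pattern)
  :ok
rescue RegexpError, ArgumentError
  :invalid
end

# Compile +pattern+ in a forked child so that a parser crash (SIGSEGV, or the
# SIGABRT that rb_bug ends with) or a runaway compile is reported as data
# instead of killing the process holding the socket. +limit+ is a wall-clock
# budget in seconds; the default of 2 is an assumption, not a recommendation.
# Falls back to in-process compilation where fork is unavailable.
def compile_isolated(pattern, limit: 2)
  return compile_inline(pattern) unless Process.respond_to?(:fork)

  pid = fork do
    code = begin
      Regexp.new(pattern)
      0
    rescue RegexpError, ArgumentError
      1
    end
    exit!(code) # skip at_exit handlers inherited from the parent
  end

  status = nil
  begin
    Timeout.timeout(limit) { _, status = Process.wait2(pid) }
  rescue Timeout::Error
    Process.kill('KILL', pid)
    Process.wait(pid) # reap the killed child
    return :timeout
  end

  return :crashed if status.signaled? # child died by signal, not by exit!
  status.exitstatus.zero? ? :ok : :invalid
end

# Constructed sample inputs: an ordinary pattern, an unbalanced one, and the
# report's crafted pattern wrapped in slashes the way load-re.rb did.
SAMPLES = [
  'a+b',
  '(',
  '/' + '(0?0|(?(5)||)|(?(5)||))?' + '/'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |p| puts "#{p.inspect.ljust(32)} => #{compile_isolated(p)}" }
end
```

On a Ruby that carries r55154 (2.2.x and 2.3.x after the backports recorded above) the crafted pattern comes back as `:invalid`, because make_regexp now raises a RegexpError; on the 2.3.1p112 build in the report it would come back as `:crashed`. This only bounds compile-time failures: match-time blow-ups (ReDoS) need their own limit, such as `Regexp.timeout=` on Ruby 3.2 and later.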