From: takechi101010@...
Date: 2018-07-03T12:28:20+00:00
Subject: [ruby-core:87767] [Ruby trunk Bug#14893] Global buffer overflow in signm2signo of signal.c.

Issue #14893 has been reported by take-cheeze (Takeshi Watanabe).

----------------------------------------
Bug #14893: Global buffer overflow in signm2signo of signal.c.
https://bugs.ruby-lang.org/issues/14893

* Author: take-cheeze (Takeshi Watanabe)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v:
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
Found a memory error with AddressSanitizer:

```
==29152==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55fb96d91983 at pc 0x7f80615106c6 bp 0x7fff6ee86480 sp 0x7fff6ee85c28
#1 0x55fb96aee1e7 in signm983 thread T0
    #0 0x7f80615106c5 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x776c5)
    #1 0x55fb96aee1e7 in signm2signo /home/takeshi/dev/ruby/signal.c:262
    #2 0x55fb96af0e81 in trap_signm /home/takeshi/dev/ruby/signal.c:1262
    #3 0x55fb96af11c6 in sig_trap /home/takeshi/dev/ruby/signal.c:1378
    #4 0x55fb96bd36a9 in call_cfunc_m1 /home/takeshi/dev/ruby/vm_insnhelper.c:1739
    #5 0x55fb96bd54d4 in vm_call_cfunc_with_frame /home/takeshi/dev/ruby/vm_insnhelper.c:1934
    #6 0x55fb96bd581d in vm_call_cfunc /home/takeshi/dev/ruby/vm_insnhelper.c:1950
    #7 0x55fb96bd8a57 in vm_call_method_each_type /home/takeshi/dev/ruby/vm_insnhelper.c:2272
    #8 0x55fb96bd9c5e in vm_call_method /home/takeshi/dev/ruby/vm_insnhelper.c:2398
    #9 0x55fb96bda0ee in vm_call_general /home/takeshi/dev/ruby/vm_insnhelper.c:2441
    #10 0x55fb96bea238 in vm_exec_core /home/takeshi/dev/ruby/insns.def:779
    #11 0x55fb96c102cd in vm_exec /home/takeshi/dev/ruby/vm.c:1807
    #12 0x55fb96c126c8 in rb_iseq_eval_main /home/takeshi/dev/ruby/vm.c:2066
    #13 0x55fb968bca15 in ruby_exec_internal /home/takeshi/dev/ruby/eval.c:261
    #14 0x55fb968bcd58 in ruby_exec_node /home/takeshi/dev/ruby/eval.c:325
    #15 0x55fb968bccdc in ruby_run_node /home/takeshi/dev/ruby/eval.c:317
    #16 0x55fb968b7018 in main main.c:42
    #17 0x7f806050d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x55fb968b6e18 in _start (/home/takeshi/dev/ruby/ruby+0xd1e18)
```

Seems like `strlen(sigs->signm)` may be shorter than `len - prefix` in some cases.

Made a PR too for CI: https://github.com/ruby/ruby/pull/1904

-- 
https://bugs.ruby-lang.org/
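The over-read the report describes, as an added example that is not Ruby's signal.c: a signal-name table lookup in the style of signm2signo, with the unbounded memcmp beside a length-checked version. The table contents, the `lookup_*` and `signo_for` names, and the "SIG" prefix handling are assumptions for illustration.

```c
/* Added example, not code from signal.c.  Table, names and the prefix
 * handling are constructed to mirror the pattern in the bug report. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct signal_entry { const char *signm; int signo; };

/* Constructed table; the real siglist in signal.c is much longer. */
static const struct signal_entry siglist[] = {
    { "HUP", 1 }, { "INT", 2 }, { "KILL", 9 }, { "TERM", 15 }, { NULL, 0 }
};

/* Unbounded: compares `len` bytes of each entry even when the entry is
 * shorter.  With nm = "INTERRUPT" (len 9), memcmp reads 9 bytes starting at
 * "INT", i.e. past that literal's NUL into whatever global data follows it.
 * That is the global-buffer-overflow ASan reports.  Not called below. */
int lookup_unbounded(const char *nm, size_t len)
{
    const struct signal_entry *sigs;
    for (sigs = siglist; sigs->signm; sigs++)
        if (memcmp(sigs->signm, nm, len) == 0)
            return sigs->signo;
    return 0;
}

/* Bounded: an entry can only match if its own length equals `len`, so the
 * memcmp never runs past either string.  nm may be a non-NUL-terminated
 * slice (the caller passes len for that reason), so strlen(nm) is avoided. */
static int lookup_checked(const char *nm, size_t len)
{
    const struct signal_entry *sigs;
    for (sigs = siglist; sigs->signm; sigs++)
        if (strlen(sigs->signm) == len && memcmp(sigs->signm, nm, len) == 0)
            return sigs->signo;
    return 0;
}

/* Strip an optional "SIG" prefix, guarded by len, then look the name up.
 * Returns 0 for unknown names. */
static int signo_for(const char *name, size_t len)
{
    if (len >= 3 && memcmp(name, "SIG", 3) == 0) { name += 3; len -= 3; }
    return lookup_checked(name, len);
}

int main(void)
{
    printf("SIGTERM -> %d\n", signo_for("SIGTERM", 7));     /* 15 */
    printf("INTERRUPT -> %d\n", signo_for("INTERRUPT", 9)); /* 0, no over-read */
    return 0;
}
```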