From: joe@...
Date: 2018-09-28T22:56:09+00:00
Subject: [ruby-core:89212] [Ruby trunk Bug#15175] Segfault (Invalid read of size 4) in rb_bigzero_p

Issue #15175 has been reported by bannable (Joe Truba).

----------------------------------------
Bug #15175: Segfault (Invalid read of size 4) in rb_bigzero_p
https://bugs.ruby-lang.org/issues/15175

* Author: bannable (Joe Truba)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: ruby 2.6.0dev (2018-09-28 trunk 64874) [x86_64-linux]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
My build is built with jemalloc, but the crash also happens without.

Note: this error only happens when ruby is run with --disable=gems. I'm unsure why.

Reproducer:

~~~
jtruba@sf201:~/rubies/ruby-trunk-clean$ cat poc
V = 1118111111111 ** -1111 ** 1111 / 111111111
jtruba@sf201:~/rubies/ruby-trunk-clean$
~~~

Crash and valgrind report

~~~
jtruba@sf201:~/rubies/ruby-trunk-clean$ valgrind --max-stackframe=9000000 ./ruby --disable=gems ./poc
==18033== Memcheck, a memory error detector
==18033== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==18033== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==18033== Command: ./ruby --disable=gems ./poc
==18033==
./poc:1: warning: in a**b, b may be too big
==18033== Invalid read of size 4
==18033==    at 0x2F8E42: rb_bigzero_p (bignum.c:2910)
==18033==    by 0x203EDB: f_gcd_normal (rational.c:323)
==18033==    by 0x203EDB: f_gcd (rational.c:359)
==18033==    by 0x203EDB: f_muldiv (rational.c:839)
==18033==    by 0x2B92E1: vm_call_cfunc_with_frame (vm_insnhelper.c:1958)
==18033==    by 0x2B92E1: vm_call_cfunc (vm_insnhelper.c:1974)
==18033==    by 0x2C3782: vm_call_method (vm_insnhelper.c:2448)
==18033==    by 0x2CA44B: vm_exec_core (insns.def:767)
==18033==    by 0x2C0D30: rb_vm_exec (vm.c:1812)
==18033==    by 0x12E5A6: ruby_exec_internal (eval.c:261)
==18033==    by 0x132C0A: ruby_exec_node (eval.c:325)
==18033==    by 0x132C0A: ruby_run_node (eval.c:317)
==18033==    by 0x12D97E: main (main.c:42)
==18033==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==18033==
./poc:1: [BUG] Segmentation fault at 0x0000000000000000
ruby 2.6.0dev (2018-09-28 trunk 64874) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0003 p:---- s:0011 e:000010 CFUNC  :/
c:0002 p:0020 s:0006 e:000005 EVAL   ./poc:1 [FINISH]
c:0001 p:0000 s:0003 E:0026d0 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
./poc:1:in `'
./poc:1:in `/'

-- Machine register context ------------------------------------------------
 RIP: 0x00000000002f8e42 RBP: 0x0000000006d932c0 RSP: 0x0000000ffefffb88
 RAX: 0x0000000000000001 RBX: 0x0000000006d93220 RCX: 0x0000000000000003
 RDX: 0xfff0000000000000 RDI: 0x0000000000000000 RSI: 0x0000000000000000
  R8: 0x0000000000000001  R9: 0x0000000006d932c1 R10: 0x0000000000000000
 R11: 0x0000000000000000 R12: 0x0000000000000003 R13: 0x0000000000000003
 R14: 0x000000000d3ed78f R15: 0x0000000006d93298 EFL: 0x0000000000000084

-- C level backtrace information -------------------------------------------
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_vm_bugreport+0x53e) [0x3720ce] vm_dump.c:715
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_bug_context+0xe4) [0x3660e4] error.c:610
/home/jtruba/rubies/ruby-trunk-clean/ruby(sigsegv+0x42) [0x242c62] signal.c:998
/lib/x86_64-linux-gnu/libpthread.so.0(0x5065390) [0x5065390]
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_bigzero_p+0x42) [0x2f8e42] bignum.c:2910
/home/jtruba/rubies/ruby-trunk-clean/ruby(f_muldiv+0x45c) [0x203edc] rational.c:323
/home/jtruba/rubies/ruby-trunk-clean/ruby(vm_call_cfunc+0x102) [0x2b92e2] vm_insnhelper.c:1958
/home/jtruba/rubies/ruby-trunk-clean/ruby(vm_call_method+0xf3) [0x2c3783] vm_insnhelper.c:2448
/home/jtruba/rubies/ruby-trunk-clean/ruby(vm_exec_core+0x12c) [0x2ca44c] /home/jtruba/rubies/ruby-trunk-clean/insns.def:767
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_vm_exec+0xb1) [0x2c0d31] vm.c:1812
/home/jtruba/rubies/ruby-trunk-clean/ruby(ruby_exec_internal+0xd7) [0x12e5a7] eval.c:261
/home/jtruba/rubies/ruby-trunk-clean/ruby(ruby_run_node+0x3b) [0x132c0b] eval.c:325
/home/jtruba/rubies/ruby-trunk-clean/ruby(main+0x6f) [0x12d97f] ./main.c:42

-- Other runtime information -----------------------------------------------
* Loaded script: ./poc

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so

* Process memory map:

[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: https://www.ruby-lang.org/bugreport.html

==18033==
==18033== Process terminating with default action of signal 6 (SIGABRT)
==18033==    at 0x60AA428: raise (raise.c:54)
==18033==    by 0x60AC029: abort (abort.c:89)
==18033==    by 0x3660F0: die (error.c:582)
==18033==    by 0x3660F0: rb_bug_context (error.c:612)
==18033==    by 0x242C61: sigsegv (signal.c:998)
==18033==    by 0x506538F: ??? (in /lib/x86_64-linux-gnu/libpthread-2.23.so)
==18033==    by 0x2F8E41: rb_bigzero_p (bignum.c:2910)
==18033==
==18033== HEAP SUMMARY:
==18033==     in use at exit: 0 bytes in 0 blocks
==18033==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==18033==
==18033== All heap blocks were freed -- no leaks are possible
==18033==
==18033== For counts of detected and suppressed errors, rerun with: -v
==18033== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Aborted (core dumped)
~~~

This was discovered using afl-fuzz.

--
https://bugs.ruby-lang.org/