From: nobu@... Date: 2018-10-02T12:26:49+00:00 Subject: [ruby-core:89250] [Ruby trunk Bug#15189] Multiple OOB reads (of size 4) in rb_bigzero_p Issue #15189 has been updated by nobu (Nobuyoshi Nakada). Thank you for the report. Your reproducers seem often duplicated, and note that `\0` is treated as the EOF in the parser and anything after it has no effect at all. Reduced (but not smallest) code are: ``` crash01/reproducer:111r+11**-11111161111111 crash02/reproducer:1118111111111**-1111111111111111**1+1==11111 crash03/reproducer:-1111111**-1111*11 - -1111111** -111111111 crash04/reproducer:1118111111111** -1111111111111111**1+11111111111**1 ===111 crash05/reproducer:11** -111155555555555555 -55 !=5-555 crash07/reproducer:1 + 111111111**-1111811111 crash08/reproducer:18111111111**-1111111111111111**1 + 1111111111**-1111**1 crash10/reproducer:-7 - -1111111** -1111**11 crash12/reproducer:1118111111111** -1111111111111111**1 + 1111 - -1111111** -1111*111111111119 crash13/reproducer:1.0i - -1111111** -111111111 crash14/reproducer:11111**111111111**111111 * -11111111111111111111**-111111111111 crash15/reproducer:~1**1111 + -~1**~1**111 crash17/reproducer:11** -1111111**1111 /11i crash18/reproducer:5555i**-5155 - -9111111**-1111**11 crash19/reproducer:111111 < 111111*-11111111111111111111**-1111111111111111 crash20/reproducer:1111**111-11**-11111**11 crash21/reproducer:11**-10111111119-1i -1r ``` ---------------------------------------- Bug #15189: Multiple OOB reads (of size 4) in rb_bigzero_p https://bugs.ruby-lang.org/issues/15189#change-74274 * Author: bannable (Joe Truba) * Status: Open * Priority: Normal * Assignee: * Target version: * ruby -v: ruby 2.6.0dev (2018-10-01 trunk 64894) [x86_64-linux] * Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN ---------------------------------------- An AFL fuzzing session against 6b4d78fc43 this weekend and turned up 17 crashes in rb_bigzero_p. I suspect that all of these are the same underlying bug -- they are all a 4 byte OOB read in rb_bigzero_p -- so I'm including all of them in this single issue. If you'd like me to report each of these separately let me know and I'll happily do that. For each reproducer, I have included: * the reproducer * stdout from ruby * gdb backtrace * valgrind report ---Files-------------------------------- crashes.rb_bigzero_p.zip (104 KB) -- https://bugs.ruby-lang.org/ Unsubscribe: