oss-sec mailing list archives
Re: Fwd: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes)
From: Murray McAllister <mmcallis () redhat com>
Date: Thu, 10 Jul 2014 15:38:07 +1000
On 07/10/2014 01:45 AM, Ramon de C Valle wrote:
I believe this should have a CVE assigned.

Begin forwarded message:

From: <wkwood () gmail com>
Subject: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes)
Date: July 9, 2014 at 11:40:24 AM GMT-3
To: <ruby-core () ruby-lang org>
Reply-To: Ruby developers <ruby-core () ruby-lang org>

Issue #10019 has been reported by Will Wood.

----------------------------------------
Bug #10019: segmentation fault/buffer overrun in pack.c (encodes)
https://urldefense.proofpoint.com/v1/url?u=https://bugs.ruby-lang.org/issues/10019&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=bZpuVimtRQUx3xHFIlu%2BaciWn3GMzM%2FBnwDoBm5jP8U%3D%0A&m=i9HlGlVd0nBJk%2BZe%2FE83Lobm3nDyfJz6diLiqhjIJ8k%3D%0A&s=d306e2eedebf0fbb994e9059e7e7cdccfe735fd21518df0da6bf00045bccc481

* Author: Will Wood
* Status: Open
* Priority: Normal
* Assignee:
* Category: core
* Target version:
* ruby -v: ruby 2.1.2p168 (2014-07-06 revision 46721) [i386-mingw32]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------

While working with an AWS sample I hit a segmentation fault. The same sample works under 1.9.3. It appeared to be coming from pack.c function encodes. After looking at the source there's a 4K buffer allocated on the stack. I made a minor change to base the buffer length off of the incoming buffer length with a pad and allocate it off the heap. Anyway, after fixing this my code sample runs fine. I'm including a patch file and the sample code.

---Files--------------------------------
pack.patch (2.74 KB)
BucketTest.rb (326 Bytes)

--
https://urldefense.proofpoint.com/v1/url?u=https://bugs.ruby-lang.org/&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=bZpuVimtRQUx3xHFIlu%2BaciWn3GMzM%2FBnwDoBm5jP8U%3D%0A&m=i9HlGlVd0nBJk%2BZe%2FE83Lobm3nDyfJz6diLiqhjIJ8k%3D%0A&s=85d6801be84da3628afd395bab2490b015b184aee10d0635d471b167d41ab70b
Hello Ramon,

Thanks for the notification! Have you reviewed the patch in <https://bugs.ruby-lang.org/issues/10019>?
I am not sure about this part:

 static void
 encodes(VALUE str, const char *s, long len, int type, int tail_lf)
 {
-    char buff[4096];
+    long bufLen = len + 128; // enough room
+    char* buff = (char*)malloc(bufLen);
     long i = 0;

Is len specified as part of the incoming data, or is it just the string length? Is it not possible to send a string of around 4294967295 in length?
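Review bot: the replacement `+ char* buff = (char*)malloc(bufLen);` never checks for a NULL return, and `long bufLen = len + 128` is computed with no overflow check, so a `len` close to the maximum of `long` (the case the question above raises) wraps to a small or negative `bufLen` that is still passed to malloc, after which the encoder's writes into `buff` would run past the allocation exactly as they did with the fixed 4096-byte array. Derive the size from `len` with an explicit overflow check and fail the call when it trips, and test the malloc result; inside Ruby the conventional way is `ALLOC_N`/`xmalloc`, which raise on failure rather than returning NULL. The visible lines also show no matching `free(buff)`, so confirm the rest of the patch releases the buffer on every return path, including the early-return and error paths in `encodes`.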
Anyways, from the bug comment it sounded like this is not the final patch.

Cheers,
--
Murray McAllister / Red Hat Product Security
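The sizing question in this thread (how large must the output buffer be, and what happens when `len + 128` wraps) is easiest to see in code. The following is an added example, not Ruby's pack.c and not the patch attached to Bug #10019: it derives the heap buffer size from the input length with overflow-checked arithmetic, checks the allocation, and only then encodes. The base64 variant it implements is a constructed, simplified one (a single output line followed by a newline), not the line-wrapped form that Ruby's `pack('m')` produces; the function names are this example's own.

```c
/* Added example for this thread; it is not Ruby's pack.c and not the patch
 * attached to Bug #10019. It shows how to size a heap buffer for an
 * encoder's output from the input length with overflow-checked arithmetic,
 * the check that a bare "len + 128" lacks. The base64 variant here is a
 * constructed, simplified one (single output line plus '\n'), not the one
 * Ruby's pack('m') emits. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char b64_tbl[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Compute the buffer size needed to base64-encode `len` input bytes:
 * 4 output bytes per 3 input bytes (rounded up), plus '\n' and NUL.
 * Returns 0 and stores the size in *out, or -1 if len is negative or the
 * arithmetic would overflow. Every step is checked before it can wrap. */
int b64_output_size(long len, size_t *out)
{
    if (len < 0)
        return -1;
    if (len > LONG_MAX - 2)          /* (len + 2) would wrap */
        return -1;
    size_t groups = (size_t)((len + 2) / 3);
    if (groups > (SIZE_MAX - 2) / 4) /* groups * 4 + 2 would wrap */
        return -1;
    *out = groups * 4 + 2;
    return 0;
}

/* Encode `len` bytes of `s` into a freshly malloc'd NUL-terminated string
 * ending in '\n'. Returns NULL if sizing fails or malloc fails; the caller
 * owns and frees the result. */
char *b64_encode(const unsigned char *s, long len)
{
    size_t need;
    if (b64_output_size(len, &need) != 0)
        return NULL;
    char *out = malloc(need);
    if (out == NULL)                 /* the thread's patch leaves this unchecked */
        return NULL;

    size_t o = 0;
    for (long i = 0; i < len; i += 3) {
        unsigned long v = (unsigned long)s[i] << 16;
        if (i + 1 < len) v |= (unsigned long)s[i + 1] << 8;
        if (i + 2 < len) v |= (unsigned long)s[i + 2];
        out[o++] = b64_tbl[(v >> 18) & 63];
        out[o++] = b64_tbl[(v >> 12) & 63];
        out[o++] = (i + 1 < len) ? b64_tbl[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < len) ? b64_tbl[v & 63] : '=';
    }
    out[o++] = '\n';
    out[o] = '\0';                   /* o == need - 1 by construction */
    return out;
}

int main(void)
{
    const unsigned char sample[] = "Man";   /* constructed input */
    char *enc = b64_encode(sample, 3);
    if (enc == NULL) {
        fprintf(stderr, "encode failed\n");
        return 1;
    }
    fputs(enc, stdout);              /* prints TWFu */
    free(enc);

    size_t n;
    printf("LONG_MAX sizing rejected: %s\n",
           b64_output_size(LONG_MAX, &n) == -1 ? "yes" : "no");
    return 0;
}
```

The point of `b64_output_size` is that the size comes from the output format, not from an arbitrary pad, and that each intermediate value is bounds-checked before the operation that could wrap it; a `len` of `LONG_MAX` is rejected before any allocation, whereas `len + 128` would silently wrap.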
Current thread:
- Fwd: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Ramon de C Valle (Jul 09)
- Re: Fwd: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Murray McAllister (Jul 09)
- Re: Fwd: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Tomas Hoger (Jul 10)
- Re: Fwd: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Ramon de C Valle (Jul 10)
- Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Ramon de C Valle (Jul 10)
- Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Ramon de C Valle (Jul 14)
- Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Kurt Seifried (Jul 14)
- Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) cve-assign (Jul 14)
- Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Ramon de C Valle (Jul 15)
- Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) cve-assign (Jul 15)
- Re: Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Tomas Hoger (Jul 16)
- Re: Re: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Tomas Hoger (Jul 16)
- Re: Fwd: [ruby-core:63604] [ruby-trunk - Bug #10019] [Open] segmentation fault/buffer overrun in pack.c (encodes) Ramon de C Valle (Jul 10)