oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

ruby regression (was: Re: [vendor-sec] Ruby memory corruption bugs in array and string handling)

From: Jonathan Smith <smithj () freethemallocs com>
Date: Tue, 24 Jun 2008 10:37:20 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Since this is public now, I'm CCing oss-security (and trimming the CC
list of people known to be on that list).

My comments are inline...

Drew Yao wrote:

Also in case anyone was wondering about the comments on
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/

the ruby version that was released to fix these introduced a regression.

ruby -ve ’str = “A”*(2**16) ; loop{ str << str ; puts str.size }’


The above command does crash for me using ruby 1.8.6p230 on rPath Linux
2 or Foresight Linux 2. However, the test suite ("make test" in the
build dir) passes. It was my understanding that the test suite should
fail, given my reading of the forum thread linked to by the blog post
Drew mentioned above: http://www.ruby-forum.com/topic/157034


causes a crash with 1.8.6p231 and 1.8.7p22.


Where did you get 1.8.6p231? The latest I see is 1.8.6p230, which,
according to upstream's advisory [1], fixes the security issues.


That crash is fixed by this patch
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8/string.c?r1=17530&r2=17529&pathrev=17530


Applying that patch, the segfault does go away. I get another
(presumably correct) error message:
- -e:1:in `<<': string sizes too big (ArgumentError)
        from -e:1
        from -e:1:in `loop'
        from -e:1



This issue doesn't exist on versions of Ruby before the recent patches,
because in the old versions, str_buf_append didn't exist. 
rb_str_buf_append takes two RString pointers, so if str and str2 are the
same, when str->ptr gets realloced, str2->ptr also gets realloced.  This
also does not affect the patched version if you used the patches I sent
originally.


Thanks for the info.

[1]:
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

        smithj

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEAREIAAYFAkhhPt8ACgkQCG91qXPaRelBOQCggJfnupOAUudgwoGeX5LY7Oq4
yFcAn0+DmKwFv258pEXcoGPE1YtYNRyg
=72d4
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: