ruby-core@ruby-lang.org archive (unofficial mirror)
* [ruby-core:119884] [Ruby master Bug#20886] Crash due to double free on regex timeout after stack allocations
@ 2024-11-12  5:06 jhawthorn (John Hawthorn) via ruby-core
From: jhawthorn (John Hawthorn) via ruby-core @ 2024-11-12  5:06 UTC (permalink / raw)
  To: ruby-core; +Cc: jhawthorn (John Hawthorn)

Issue #20886 has been reported by jhawthorn (John Hawthorn).

----------------------------------------
Bug #20886: Crash due to double free on regex timeout after stack allocations
https://bugs.ruby-lang.org/issues/20886

* Author: jhawthorn (John Hawthorn)
* Status: Open
* ruby -v: ruby 3.3.6 (2024-11-05 revision 75015d4c1f) [x86_64-linux]
* Backport: 3.1: DONTNEED, 3.2: DONTNEED, 3.3: REQUIRED
----------------------------------------
As of the change from #20650 ([1057485](https://github.com/ruby/ruby/commit/10574857ce167869524b97ee862b610928f6272f)) it's possible to crash on a double free due to `stk_alloc` AKA `msa->stack_p` being freed twice, once at the end of `match_at` and a second time in `FREE_MATCH_ARG` in the parent caller.

It's fairly, but not quite 100%, reliable to reproduce; adjusting the timeout or number of spaces can help. I reduced this test case from a larger real-world regex; I believe the first part is important just to disable the match cache.

```
$ ruby -e 'Regexp.new("d()*+|a*a*bc", timeout: 0.2) === "b" + "a"*800'
double free or corruption (!prev)
```

https://github.com/ruby/ruby/pull/12030



-- 
https://bugs.ruby-lang.org/
 ______________________________________________
 ruby-core mailing list -- ruby-core@ml.ruby-lang.org
 To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
 ruby-core info -- https://ml.ruby-lang.org/mailman3/lists/ruby-core.ml.ruby-lang.org/
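As an added illustration (this is not Ruby's or Onigmo's code, and not the change in the linked PR), the C program below models the ownership defect the report describes: a callee frees a buffer reachable from a shared argument struct on its timeout path and leaves the pointer in place, so the caller's `FREE_MATCH_ARG`-style cleanup frees it a second time. The allocation tracker, the `match_arg` struct and the `match_at_buggy`/`match_at_fixed` functions are constructed for this example; the remedy shown, clearing the field after freeing so the caller's free sees `NULL`, is the general defensive pattern for shared-ownership buffers, not necessarily the exact fix merged upstream.

```c
/* Added example, not Ruby/Onigmo code: a toy model of a callee freeing a
 * buffer owned through a shared struct, and the caller freeing it again.
 * The tracker reports a second free instead of corrupting the heap. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 16

/* Minimal allocation tracker: a table of currently live pointers. */
static void *live[MAX_LIVE];
static int double_frees;   /* frees of a pointer that is not live */

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == NULL) { live[i] = p; return p; }
    }
    free(p);            /* table full: treat as allocation failure */
    return NULL;
}

/* Frees p if it is live; otherwise records a double free and leaves
 * the heap untouched. free(NULL) is a no-op, as in C. */
static void tracked_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    }
    double_frees++;
}

static void tracker_reset(void) {
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i]) { free(live[i]); live[i] = NULL; }
    }
    double_frees = 0;
}

/* Stand-in (constructed) for the matcher's argument struct: it owns a
 * heap-allocated backtrack stack once the inline one is too small. */
struct match_arg {
    void *stack_p;
};

/* Caller-side cleanup, mirroring a FREE_MATCH_ARG-style macro that
 * releases whatever the struct still points to. */
#define FREE_MATCH_ARG(msa) tracked_free((msa)->stack_p)

/* Buggy shape: on timeout the callee releases the stack early but leaves
 * the dangling pointer in the struct, so the caller's cleanup frees it
 * again. On the normal path the caller is the sole owner, which is fine. */
static int match_at_buggy(struct match_arg *msa, int timed_out) {
    msa->stack_p = tracked_alloc(4096);
    if (timed_out) {
        tracked_free(msa->stack_p);   /* pointer left dangling */
        return -1;
    }
    return 0;
}

/* Fixed shape: every early release also clears the field, so the caller's
 * FREE_MATCH_ARG sees NULL and does nothing. */
static int match_at_fixed(struct match_arg *msa, int timed_out) {
    msa->stack_p = tracked_alloc(4096);
    if (timed_out) {
        tracked_free(msa->stack_p);
        msa->stack_p = NULL;          /* ownership handed back cleanly */
        return -1;
    }
    return 0;
}

/* Runs one matcher through the caller's normal cleanup and returns how
 * many double frees the tracker observed (0 is the correct answer). */
static int run_and_count(int (*match)(struct match_arg *, int), int timed_out) {
    tracker_reset();
    struct match_arg msa = { NULL };
    (void)match(&msa, timed_out);
    FREE_MATCH_ARG(&msa);
    return double_frees;
}

int main(void) {
    printf("buggy, timeout: %d double free(s)\n", run_and_count(match_at_buggy, 1));
    printf("buggy, normal:  %d double free(s)\n", run_and_count(match_at_buggy, 0));
    printf("fixed, timeout: %d double free(s)\n", run_and_count(match_at_fixed, 1));
    return 0;
}
```

The buggy variant only misbehaves on the timeout path, which is why a report like this one can look intermittent: the normal exit leaves a single owner, and the crash depends on the timeout firing after the heap stack was allocated. Running the real process under AddressSanitizer or `MALLOC_CHECK_` turns the glibc "double free or corruption" abort into a report that names both free sites.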


* [ruby-core:119888] [Ruby master Bug#20886] Crash due to double free on regex timeout after stack allocations
From: jhawthorn (John Hawthorn) via ruby-core @ 2024-11-12  9:53 UTC (permalink / raw)
  To: ruby-core; +Cc: jhawthorn (John Hawthorn)

Issue #20886 has been updated by jhawthorn (John Hawthorn).


I've opened a backport PR for Ruby 3.3. I don't believe other versions need a backport as the previous memory leak patches were not backported to the 3.2 branch and a quick test doesn't show the bug reproducing.


https://github.com/ruby/ruby/pull/12063

----------------------------------------
Bug #20886: Crash due to double free on regex timeout after stack allocations
https://bugs.ruby-lang.org/issues/20886#change-110579

* Author: jhawthorn (John Hawthorn)
* Status: Closed
* ruby -v: ruby 3.3.6 (2024-11-05 revision 75015d4c1f) [x86_64-linux]
* Backport: 3.1: DONTNEED, 3.2: DONTNEED, 3.3: REQUIRED
----------------------------------------

