* [ruby-core:122625] [Ruby Bug#21461] Heap-buffer-overflow in Prism when encoding magic comment is invalid and assignment is incomplete
From: bendrissou (Bachir Bendrissou) via ruby-core @ 2025-06-30 11:34 UTC (permalink / raw)
To: ruby-core; +Cc: bendrissou (Bachir Bendrissou)
Issue #21461 has been reported by bendrissou (Bachir Bendrissou).
----------------------------------------
Bug #21461: Heap-buffer-overflow in Prism when encoding magic comment is invalid and assignment is incomplete
https://bugs.ruby-lang.org/issues/21461
* Author: bendrissou (Bachir Bendrissou)
* Status: Open
* ruby -v: 3.5.0
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------
### Description
An AddressSanitizer (ASan) heap-buffer-overflow occurs in Ruby when:
1. The file contains an invalid magic encoding comment, and
2. A line contains an incomplete assignment (e.g. a missing right-hand side).
This leads to a crash in pm_parse_errors_format_sort, caused by prism_compile.c accessing a freed or uninitialized memory region.
### Input
```
# -*- coding: abc -*-
$a =
```
### Expected output
```
unknown or invalid encoding in the magic comment (ArgumentError)
```
### ASAN output
```
=================================================================
==719525==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300002af88 at pc 0x559137d4f16a bp 0x7ffd85551fe0 sp 0x7ffd85551fd0
WRITE of size 8 at 0x60300002af88 thread T0
#0 0x559137d4f169 in pm_parse_errors_format_sort ../prism_compile.c:10620
#1 0x559137d4f169 in pm_parse_errors_format ../prism_compile.c:10687
#2 0x559137e08753 in pm_parse_process_error ../prism_compile.c:10999
#3 0x559137e08753 in pm_parse_process ../prism_compile.c:11105
#4 0x559137e7811d in pm_parse_file ../prism_compile.c:11391
#5 0x559137960743 in prism_script ../ruby.c:2236
#6 0x559137960743 in process_options ../ruby.c:2563
#7 0x55913796228f in ruby_process_options ../ruby.c:3199
#8 0x5591376a2406 in ruby_options ../eval.c:117
#9 0x5591376937fe in rb_main ../main.c:42
#10 0x5591376937fe in main ../main.c:62
#11 0x7f69beed2082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#12 0x559137694dcd in _start (/home/program/build/ruby+0x15cdcd)
0x60300002af88 is located 0 bytes to the right of 24-byte region [0x60300002af70,0x60300002af88)
allocated by thread T0 here:
#0 0x7f69bf427a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
#1 0x5591377119bd in calloc1 ../gc/default/default.c:1490
#2 0x5591377119bd in rb_gc_impl_calloc ../gc/default/default.c:8162
#3 0x5591377119bd in ruby_xcalloc_body ../gc.c:5327
SUMMARY: AddressSanitizer: heap-buffer-overflow ../prism_compile.c:10620 in pm_parse_errors_format_sort
Shadow bytes around the buggy address:
0x0c067fffd5a0: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa
0x0c067fffd5b0: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
0x0c067fffd5c0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
0x0c067fffd5d0: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
0x0c067fffd5e0: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00
=>0x0c067fffd5f0: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==719525==ABORTING
input.rb: [BUG] ASAN error
ruby 3.5.0dev (2025-06-11T18:07:43Z master 970813d982) +PRISM [x86_64-linux]
-- Control frame information -----------------------------------------------
c:0001 p:0000 s:0003 E:000720 DUMMY [FINISH]
-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 1
-- C level backtrace information -------------------------------------------
/lib/x86_64-linux-gnu/libasan.so.5(__interceptor_backtrace+0x40) [0x7f69bf386d40] ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:4022
/home/program/build/ruby(rb_print_backtrace+0x11) [0x559137fceda9] ../vm_dump.c:843
/home/program/build/ruby(rb_vm_bugreport) ../vm_dump.c:1175
/home/program/build/ruby(rb_bug_without_die_internal+0xc3) [0x559137efa4b6] ../error.c:1097
/home/program/build/ruby(rb_bug_without_die) ../error.c:1106
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf44fe58) [0x7f69bf44fe58]
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf43152c) [0x7f69bf43152c]
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf430fa3) [0x7f69bf430fa3]
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf43238e) [0x7f69bf43238e]
/home/program/build/ruby(pm_parse_errors_format_sort+0x12) [0x559137d4f16a] ../prism_compile.c:10620
/home/program/build/ruby(pm_parse_errors_format) ../prism_compile.c:10687
/home/program/build/ruby(pm_parse_process_error+0x84) [0x559137e08754] ../prism_compile.c:10999
/home/program/build/ruby(pm_parse_process) ../prism_compile.c:11105
/home/program/build/ruby(rbimpl_intern_const+0x0) [0x559137e7811e] ../prism_compile.c:11391
/home/program/build/ruby(pm_parse_file) ../prism_compile.c:11396
/home/program/build/ruby(prism_script+0xa4) [0x559137960744] ../ruby.c:2236
/home/program/build/ruby(process_options) ../ruby.c:2563
/home/program/build/ruby(ruby_process_options+0x3f0) [0x559137962290] ../ruby.c:3199
/home/program/build/ruby(ruby_options+0x2a7) [0x5591376a2407] ../eval.c:117
/home/program/build/ruby(rb_main+0x19) [0x5591376937ff] ../main.c:42
/home/program/build/ruby(main) ../main.c:62
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0x7f69beed2083]
/home/program/build/ruby(_start) [0x559137694dce]
-- Other runtime information -----------------------------------------------
* Loaded script: input.rb
* Loaded features:
0 enumerator.so
1 thread.rb
2 fiber.so
3 rational.so
4 complex.so
5 ruby2_keywords.rb
6 set.rb
```
### Environment
Ruby version: ruby 3.5.0dev (2025-06-11 commit 970813d982) +PRISM
Platform: x86_64-linux
Built from source
Parser backend: Prism (default)
--
https://bugs.ruby-lang.org/
______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/lists/ruby-core.ml.ruby-lang.org/
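Added here as a triage aid, not code from the bug report or from the Ruby/Prism projects: a small Python helper that reads the key lines of an ASan report like the one above and turns them into the facts a maintainer wants first, namely the faulting function, the allocation site, and how far past the allocated region the access landed. The sample lines are copied from the report above and abbreviated; the rule for skipping sanitizer-runtime frames (interceptor names, libsanitizer source paths) is an assumption of this helper.

```python
import re
# Constructed sample: key lines copied from the ASan report above, abbreviated.
SAMPLE_REPORT = """\
==719525==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300002af88 at pc 0x559137d4f16a bp 0x7ffd85551fe0 sp 0x7ffd85551fd0
WRITE of size 8 at 0x60300002af88 thread T0
    #0 0x559137d4f169 in pm_parse_errors_format_sort ../prism_compile.c:10620
0x60300002af88 is located 0 bytes to the right of 24-byte region [0x60300002af70,0x60300002af88)
allocated by thread T0 here:
    #0 0x7f69bf427a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x5591377119bd in calloc1 ../gc/default/default.c:1490
SUMMARY: AddressSanitizer: heap-buffer-overflow ../prism_compile.c:10620 in pm_parse_errors_format_sort
"""
HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
REGION_RE = re.compile(r"is located \d+ bytes to the (?:left|right) of (?P<rsize>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")

def parse_stacks(lines):
    """Group frame lines into the 'access' stack and the 'allocated' / 'freed' stacks."""
    stacks, current = {}, None
    for line in lines:
        if ACCESS_RE.match(line):
            current = stacks.setdefault("access", [])
        elif line.startswith(("allocated by", "freed by")):
            current = stacks.setdefault(line.split()[0], [])
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append((m["func"], m["loc"]))
    return stacks

def first_project_frame(frames):
    """Skip sanitizer-runtime frames (assumed heuristic: interceptors, libsanitizer sources)."""
    for func, loc in frames:
        if not (func.startswith("__interceptor") or "libsanitizer" in loc):
            return func, loc
    return None

def triage(report):
    lines = report.splitlines()
    head = next(m for m in map(HEADER_RE.match, lines) if m)
    access = next(m for m in map(ACCESS_RE.match, lines) if m)
    region = next(m for m in map(REGION_RE.search, lines) if m)
    stacks = parse_stacks(lines)
    size, rsize = int(access["size"]), int(region["rsize"])
    offset = int(access["addr"], 16) - int(region["lo"], 16)  # bytes from region start
    result = {"kind": head["kind"], "op": access["op"], "size": size, "region_size": rsize,
              "offset": offset, "overflow_bytes": max(0, offset + size - rsize),
              "access_site": first_project_frame(stacks.get("access", [])),
              "alloc_site": first_project_frame(stacks.get("allocated", []))}
    if rsize % size == 0 and offset % size == 0:  # region looks like an array of size-byte slots
        result["element"], result["capacity"] = offset // size, rsize // size
    return result
```

For the report above this yields an 8-byte write to element 3 of a 3-slot, 24-byte calloc'd region, i.e. one slot past the end, which is the off-by-one shape to look for in the error-sorting code at prism_compile.c:10620.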
* [ruby-core:122635] [Ruby Bug#21461] Heap-buffer-overflow in Prism when encoding magic comment is invalid and assignment is incomplete
From: byroot (Jean Boussier) via ruby-core @ 2025-07-01 6:38 UTC (permalink / raw)
To: ruby-core; +Cc: byroot (Jean Boussier)
Issue #21461 has been updated by byroot (Jean Boussier).
Assignee set to prism
----------------------------------------
Bug #21461: Heap-buffer-overflow in Prism when encoding magic comment is invalid and assignment is incomplete
https://bugs.ruby-lang.org/issues/21461#change-113908
* Author: bendrissou (Bachir Bendrissou)
* Status: Open
* Assignee: prism
* ruby -v: 3.5.0
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------