* [ruby-dev:48253] [ruby-trunk - Bug #9868] [Open] bigdecimal#VpAlloc causes out-of-bounds read
From: mame @ 2014-05-27 15:48 UTC
To: ruby-dev
Issue #9868 has been reported by Yusuke Endoh.
----------------------------------------
Bug #9868: bigdecimal#VpAlloc causes out-of-bounds read
https://bugs.ruby-lang.org/issues/9868
* Author: Yusuke Endoh
* Status: Open
* Priority: Normal
* Assignee: Kenta Murata
* Category: ext
* Target version: current: 2.2.0
* ruby -v: ruby 2.2.0dev (2014-05-25 trunk 46107) [x86_64-linux]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
Applying a patch like the following
~~~diff
diff --git a/ext/bigdecimal/bigdecimal.c b/ext/bigdecimal/bigdecimal.c
index 44e13a4..400dda0 100644
--- a/ext/bigdecimal/bigdecimal.c
+++ b/ext/bigdecimal/bigdecimal.c
@@ -3911,6 +3911,7 @@ VpAlloc(size_t mx, const char *szVal)
}
/* Skip trailing spaces */
while (--i > 0) {
+ printf("dereference psz[%lu]\n", i);
if (ISSPACE(psz[i])) psz[i] = 0;
else break;
}
~~~
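Review bot: the condition `while (--i > 0)` that this hunk instruments is the defect itself, not just a convenient place to print from. `i` is an unsigned 64-bit index (the `%lu` format and the printed 18446744073709551615 show this), so when it is 0 on entry the pre-decrement wraps to SIZE_MAX and the body reads `psz[18446744073709551615]`, exactly the index the added debug line reports in the output below. Check the index before decrementing, e.g. `while (i-- > 0)` or `while (i > 0 && ISSPACE(psz[i - 1]))`, so the loop cannot execute on an empty string; the `printf` is diagnostic only and should not be committed.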
and running code like the following,
~~~
$ ./ruby -I .ext/x86_64-linux/ -I . -I lib -r bigdecimal -e 'p BigDecimal.new("#")'
dereference psz[1]
dereference psz[8]
dereference psz[2]
dereference psz[18446744073709551615]
#<BigDecimal:7f06266cb820,'0.0',9(9)>
~~~
you can observe that a dereference that obviously looks bad is taking place.
Coverity Scan found it for us.
--
Yusuke Endoh <mame@ruby-lang.org>
--
https://bugs.ruby-lang.org/
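An added example, not code from the report or from bigdecimal: a constructed C stand-in for the trailing-space loop above, instrumented so it reports the index the loop would read instead of reading it, beside a hardened loop that checks the index before decrementing as the follow-up reply suggests. The function names and the sample inputs are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the "Skip trailing spaces" loop in the report:
 * same shape, pre-decrement a size_t index and then read psz[i]. The harness
 * checks i against len first, so it returns 1 and stores the index the real
 * loop would read instead of reading out of bounds. */
static int trim_trailing_buggy(char *psz, size_t len, size_t *oob_index)
{
    size_t i = len;
    while (--i > 0) {             /* i == 0 on entry wraps to SIZE_MAX */
        if (i >= len) {           /* harness-only guard */
            *oob_index = i;
            return 1;
        }
        if (isspace((unsigned char)psz[i])) psz[i] = '\0';
        else break;
    }
    return 0;
}

/* Hardened form: test the index before decrementing and fold the space test
 * into the loop condition, as the follow-up suggests. Returns the new length. */
static size_t trim_trailing_fixed(char *psz, size_t len)
{
    while (len > 0 && isspace((unsigned char)psz[len - 1]))
        psz[--len] = '\0';
    return len;
}

/* Empty buffer (constructed): the buggy loop's first index is SIZE_MAX, the
 * psz[18446744073709551615] of the reported 64-bit output; the hardened loop
 * touches nothing. Returns 1 when both behave as described. */
static int empty_input_wraps(void)
{
    char buf[1] = "";
    size_t oob = 0;
    return trim_trailing_buggy(buf, 0, &oob) == 1 && oob == SIZE_MAX &&
           trim_trailing_fixed(buf, 0) == 0;
}

/* Ordinary input (constructed): both loops strip the trailing blanks. */
static int normal_input_matches(void)
{
    char a[] = "3.14  \t", b[] = "3.14  \t";
    size_t oob = 0;
    return trim_trailing_buggy(a, strlen(a), &oob) == 0 &&
           trim_trailing_fixed(b, strlen(b)) == 4 &&
           strcmp(a, "3.14") == 0 && strcmp(b, "3.14") == 0;
}
```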
* [ruby-dev:48255] [ruby-trunk - Bug #9868] bigdecimal#VpAlloc causes out-of-bounds read
From: nobu @ 2014-05-28 2:27 UTC
To: ruby-dev
Issue #9868 has been updated by Nobuyoshi Nakada.
Description updated
Should that be `i--`?
Though I think it would be better to fold the following `ISSPACE()` into the loop condition as well.
* [ruby-dev:50833] [Ruby master Bug#9868] bigdecimal#VpAlloc causes out-of-bounds read
From: merch-redmine @ 2019-08-11 19:44 UTC
To: ruby-dev
Issue #9868 has been updated by jeremyevans0 (Jeremy Evans).
Status changed from Open to Closed
I think this is fixed by https://github.com/ruby/bigdecimal/commit/e738c1377108baa0c2fd03cdee0eeb1239f627b2.