Issue #10957 has been updated by Tomoyuki Chikanaga.

Backport changed from 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: REQUIRED to 2.0.0: REQUIRED, 2.1: DONE, 2.2: REQUIRED

Backported into `ruby_2_1` branch at r50128.

----------------------------------------
Bug #10957: seg fault in ruby_yyparse () at parse.y:2105 (null ptr / stack overflow)
https://bugs.ruby-lang.org/issues/10957#change-51978

* Author: Brian Carpenter
* Status: Closed
* Priority: High
* Assignee: 
* ruby -v: ruby 2.3.0dev (2015-03-07 trunk 49885) [x86_64-linux]
* Backport: 2.0.0: REQUIRED, 2.1: DONE, 2.2: REQUIRED
----------------------------------------
Built ruby 2.3.0dev (2015-03-07 trunk 49885) [x86_64-linux] from git source earlier this evening. This bug was found with american fuzzy lop (http://lcamtuf.coredump.cx/afl) and was compiled as follows:

CC=afl-gcc ./configure && AFL_HARDEN=1 make -j8 && make install

Valgrind:

~~~
==41211== Invalid write of size 1
==41211==    at 0x827873: reserve_stack (thread_pthread.c:684)
==41211==    by 0x842871: ruby_init_stack (thread_pthread.c:713)
==41211==    by 0x1337E8: main (main.c:34)
==41211==  Address 0x7fe8010e0 is on thread 1's stack
==41211== 
==41211== Stack overflow in thread 1: can't grow stack to 0x7fe8010e0
==41211== 
==41211== Process terminating with default action of signal 11 (SIGSEGV)
==41211==  Access not within mapped region at address 0x7FE8010E0
==41211==    at 0x827873: reserve_stack (thread_pthread.c:684)
==41211==  If you believe this happened as a result of a stack
==41211==  overflow in your program's main thread (unlikely but
==41211==  possible), you can try to increase the size of the
==41211==  main thread stack using the --main-stacksize= flag.
==41211==  The main thread stack size used in this run was 8388608.
==41211== Stack overflow in thread 1: can't grow stack to 0x7fe8010d9
==41211== 
==41211== Process terminating with default action of signal 11 (SIGSEGV)
==41211==  Access not within mapped region at address 0x7FE8010D9
==41211==    at 0x4A226E0: _vgnU_freeres (vg_preloaded.c:58)
==41211==  If you believe this happened as a result of a stack
==41211==  overflow in your program's main thread (unlikely but
==41211==  possible), you can try to increase the size of the
==41211==  main thread stack using the --main-stacksize= flag.
==41211==  The main thread stack size used in this run was 8388608.
Segmentation fault
~~~

GDB:

~~~
gdb-peda$ file ruby
gdb-peda$ set args test00-min
gdb-peda$ r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff6c00700 (LWP 48391)]

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x555556679f20 --> 0xd71c 
RBX: 0xd1 
RCX: 0x0 
RDX: 0x1 
RSI: 0x0 
RDI: 0x0 
RBP: 0xd71c 
RSP: 0x7fffffffbe70 --> 0x7fff000000d1 
RIP: 0x555555f312f8 (<ruby_yyparse+148344>:	mov    r11,QWORD PTR [rsi])
R8 : 0x5555566651c0 --> 0x555556678000 (0x00005555566651c0)
R9 : 0x0 
R10: 0x3900 ('')
R11: 0xfffffffffffa360a 
R12: 0x555556679f20 --> 0xd71c 
R13: 0x7fffffffc120 --> 0x555556679f48 --> 0xb91c 
R14: 0x7fffffffbf6c --> 0x55befb3e026f021d 
R15: 0x555556402060 --> 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555f312ee <ruby_yyparse+148334>:	mov    r12,rax
   0x555555f312f1 <ruby_yyparse+148337>:	mov    QWORD PTR [rax],rbp
   0x555555f312f4 <ruby_yyparse+148340>:	mov    rsi,QWORD PTR [r13-0x10]
=> 0x555555f312f8 <ruby_yyparse+148344>:	mov    r11,QWORD PTR [rsi]
   0x555555f312fb <ruby_yyparse+148347>:	and    r11d,0x7f00
   0x555555f31302 <ruby_yyparse+148354>:	cmp    r11,0x3900
   0x555555f31309 <ruby_yyparse+148361>:	jne    0x555555f0ee47 <ruby_yyparse+7879>
   0x555555f3130f <ruby_yyparse+148367>:	nop
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffbe70 --> 0x7fff000000d1 
0008| 0x7fffffffbe78 --> 0x555500000000 ('')
0016| 0x7fffffffbe80 --> 0x7fffffffbf60 --> 0xe6004c00020000 
0024| 0x7fffffffbe88 --> 0xd1 
0032| 0x7fffffffbe90 --> 0xc8 
0040| 0x7fffffffbe98 --> 0x0 
0048| 0x7fffffffbea0 --> 0x7fffffffc0f0 --> 0x88cf9f52f8c4423 
0056| 0x7fffffffbea8 --> 0x7fffffffbf60 --> 0xe6004c00020000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555f312f8 in ruby_yyparse () at parse.y:2105
2105				if (nd_type($1) == NODE_LIT && FIXNUM_P($1->nd_lit) &&
gdb-peda$ exploit
Description: Access violation near NULL on source operand
Short description: SourceAvNearNull (16/22)
Hash: 8e697703610f21a0a2aaec98723ec089.0b098a66d2dd0257594a0e5fb055f0de
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor.
Other tags: AccessViolation (21/22)

Hexdump of the 7-byte test case:
0000000 2070 2928 2e2e 0030                    
0000007

System Info: Debian 7, Kernel 3.2.65-1+deb7u1 x86_64, GCC 4.9.2, libc 2.13-38+deb7u8

---Files--------------------------------
test00-min (7 Bytes)


-- 
https://bugs.ruby-lang.org/