Issue #10957 has been updated by Brian Carpenter. This bug is still present in ruby 2.3.0dev (2015-04-11 trunk 50237) [x86_64-linux]. The test case in this instance is 6 bytes. Running ruby -e '0..%w.' should trigger it. test00-min:1: unterminated string meets end of file Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] RAX: 0x555556651d18 --> 0xd61b RBX: 0x0 RCX: 0x0 RDX: 0x1 RSI: 0x555556651de0 --> 0xb91b RDI: 0x561b RBP: 0xd61b RSP: 0x7fffffffbe70 --> 0x7fff000000d1 RIP: 0x555555f071b4 (<ruby_yyparse+148564>: mov rdi,QWORD PTR [rbx]) R8 : 0x55555663ba00 --> 0x555556650000 (0x000055555663ba00) R9 : 0x3900 ('') R10: 0x3900 ('') R11: 0x5eb R12: 0x555556651d18 --> 0xd61b R13: 0x7fffffffc110 --> 0x0 R14: 0x7fffffffbf68 --> 0x1ec0128021d R15: 0x5555563d8130 --> 0x0 EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x555555f071a4 <ruby_yyparse+148548>: mov rdx,QWORD PTR [rsp] 0x555555f071a8 <ruby_yyparse+148552>: lea rsp,[rsp+0x98] 0x555555f071b0 <ruby_yyparse+148560>: mov rbx,QWORD PTR [r13+0x0] => 0x555555f071b4 <ruby_yyparse+148564>: mov rdi,QWORD PTR [rbx] 0x555555f071b7 <ruby_yyparse+148567>: and edi,0x7f00 0x555555f071bd <ruby_yyparse+148573>: cmp rdi,0x3900 0x555555f071c4 <ruby_yyparse+148580>: jne 0x555555ee4c27 <ruby_yyparse+7879> 0x555555f071ca <ruby_yyparse+148586>: xchg ax,ax [------------------------------------stack-------------------------------------] 0000| 0x7fffffffbe70 --> 0x7fff000000d1 0008| 0x7fffffffbe78 --> 0x0 0016| 0x7fffffffbe80 --> 0x7fffffffbf60 --> 0x155005400020000 0024| 0x7fffffffbe88 --> 0xd1 0032| 0x7fffffffbe90 --> 0xc8 0040| 0x7fffffffbe98 --> 0x555500000000 ('') 0048| 0x7fffffffbea0 --> 0x7fffffffc0f0 --> 0x555500000000 ('') 0056| 0x7fffffffbea8 --> 0x7fffffffbf60 --> 0x155005400020000 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x0000555555f071b4 in ruby_yyparse () at parse.y:2106 2106 nd_type($3) == NODE_LIT && FIXNUM_P($3->nd_lit)) { ==28563== Invalid write of size 1 ==28563== at 0x827873: reserve_stack (thread_pthread.c:684) ==28563== by 0x842871: ruby_init_stack (thread_pthread.c:713) ==28563== by 0x1337E8: main (main.c:34) ==28563== Address 0x7fe8010e0 is on thread 1's stack ==28563== ==28563== Stack overflow in thread 1: can't grow stack to 0x7fe8010e0 ==28563== ==28563== Process terminating with default action of signal 11 (SIGSEGV) ==28563== Access not within mapped region at address 0x7FE8010E0 ==28563== at 0x827873: reserve_stack (thread_pthread.c:684) ==28563== If you believe this happened as a result of a stack ==28563== overflow in your program's main thread (unlikely but ==28563== possible), you can try to increase the size of the ==28563== main thread stack using the --main-stacksize= flag. ==28563== The main thread stack size used in this run was 8388608. ==28563== Stack overflow in thread 1: can't grow stack to 0x7fe8010d9 ==28563== ==28563== Process terminating with default action of signal 11 (SIGSEGV) ==28563== Access not within mapped region at address 0x7FE8010D9 ==28563== at 0x4A226E0: _vgnU_freeres (vg_preloaded.c:58) ==28563== If you believe this happened as a result of a stack ==28563== overflow in your program's main thread (unlikely but ==28563== possible), you can try to increase the size of the ==28563== main thread stack using the --main-stacksize= flag. ==28563== The main thread stack size used in this run was 8388608. Segmentation fault ---------------------------------------- Bug #10957: seg fault in ruby_yyparse () at parse.y:2105 (null ptr / stack overflow) https://bugs.ruby-lang.org/issues/10957#change-52116 * Author: Brian Carpenter * Status: Closed * Priority: High * Assignee: * ruby -v: ruby 2.3.0dev (2015-03-07 trunk 49885) [x86_64-linux] * Backport: 2.0.0: REQUIRED, 2.1: DONE, 2.2: REQUIRED ---------------------------------------- Built ruby 2.3.0dev (2015-03-07 trunk 49885) [x86_64-linux] from git source earlier this evening. This bug was found with american fuzzy lop (http://lcamtuf.coredump.cx/afl) and was compiled as follows: CC=afl-gcc ./configure && AFL_HARDEN=1 make -j8 && make install Valgrind: ~~~ ==41211== Invalid write of size 1 ==41211== at 0x827873: reserve_stack (thread_pthread.c:684) ==41211== by 0x842871: ruby_init_stack (thread_pthread.c:713) ==41211== by 0x1337E8: main (main.c:34) ==41211== Address 0x7fe8010e0 is on thread 1's stack ==41211== ==41211== Stack overflow in thread 1: can't grow stack to 0x7fe8010e0 ==41211== ==41211== Process terminating with default action of signal 11 (SIGSEGV) ==41211== Access not within mapped region at address 0x7FE8010E0 ==41211== at 0x827873: reserve_stack (thread_pthread.c:684) ==41211== If you believe this happened as a result of a stack ==41211== overflow in your program's main thread (unlikely but ==41211== possible), you can try to increase the size of the ==41211== main thread stack using the --main-stacksize= flag. ==41211== The main thread stack size used in this run was 8388608. ==41211== Stack overflow in thread 1: can't grow stack to 0x7fe8010d9 ==41211== ==41211== Process terminating with default action of signal 11 (SIGSEGV) ==41211== Access not within mapped region at address 0x7FE8010D9 ==41211== at 0x4A226E0: _vgnU_freeres (vg_preloaded.c:58) ==41211== If you believe this happened as a result of a stack ==41211== overflow in your program's main thread (unlikely but ==41211== possible), you can try to increase the size of the ==41211== main thread stack using the --main-stacksize= flag. ==41211== The main thread stack size used in this run was 8388608. Segmentation fault ~~~ GDB: ~~~ gdb-peda$ file ruby gdb-peda$ set args test00-min gdb-peda$ r [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". [New Thread 0x7ffff6c00700 (LWP 48391)] Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] RAX: 0x555556679f20 --> 0xd71c RBX: 0xd1 RCX: 0x0 RDX: 0x1 RSI: 0x0 RDI: 0x0 RBP: 0xd71c RSP: 0x7fffffffbe70 --> 0x7fff000000d1 RIP: 0x555555f312f8 (<ruby_yyparse+148344>: mov r11,QWORD PTR [rsi]) R8 : 0x5555566651c0 --> 0x555556678000 (0x00005555566651c0) R9 : 0x0 R10: 0x3900 ('') R11: 0xfffffffffffa360a R12: 0x555556679f20 --> 0xd71c R13: 0x7fffffffc120 --> 0x555556679f48 --> 0xb91c R14: 0x7fffffffbf6c --> 0x55befb3e026f021d R15: 0x555556402060 --> 0x0 EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x555555f312ee <ruby_yyparse+148334>: mov r12,rax 0x555555f312f1 <ruby_yyparse+148337>: mov QWORD PTR [rax],rbp 0x555555f312f4 <ruby_yyparse+148340>: mov rsi,QWORD PTR [r13-0x10] => 0x555555f312f8 <ruby_yyparse+148344>: mov r11,QWORD PTR [rsi] 0x555555f312fb <ruby_yyparse+148347>: and r11d,0x7f00 0x555555f31302 <ruby_yyparse+148354>: cmp r11,0x3900 0x555555f31309 <ruby_yyparse+148361>: jne 0x555555f0ee47 <ruby_yyparse+7879> 0x555555f3130f <ruby_yyparse+148367>: nop [------------------------------------stack-------------------------------------] 0000| 0x7fffffffbe70 --> 0x7fff000000d1 0008| 0x7fffffffbe78 --> 0x555500000000 ('') 0016| 0x7fffffffbe80 --> 0x7fffffffbf60 --> 0xe6004c00020000 0024| 0x7fffffffbe88 --> 0xd1 0032| 0x7fffffffbe90 --> 0xc8 0040| 0x7fffffffbe98 --> 0x0 0048| 0x7fffffffbea0 --> 0x7fffffffc0f0 --> 0x88cf9f52f8c4423 0056| 0x7fffffffbea8 --> 0x7fffffffbf60 --> 0xe6004c00020000 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x0000555555f312f8 in ruby_yyparse () at parse.y:2105 2105 if (nd_type($1) == NODE_LIT && FIXNUM_P($1->nd_lit) && gdb-peda$ exploit Description: Access violation near NULL on source operand Short description: SourceAvNearNull (16/22) Hash: 8e697703610f21a0a2aaec98723ec089.0b098a66d2dd0257594a0e5fb055f0de Exploitability Classification: PROBABLY_NOT_EXPLOITABLE Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor. Other tags: AccessViolation (21/22) Hexdump of the 7-byte test case: 0000000 2070 2928 2e2e 0030 0000007 System Info: Debian 7, Kernel 3.2.65-1+deb7u1 x86_64, GCC 4.9.2, libc 2.13-38+deb7u8 ---Files-------------------------------- test00-min (7 Bytes) -- https://bugs.ruby-lang.org/