< :前の番号
^ :番号順リスト
> :次の番号
P :前の記事(スレッド移動)
N :次の記事(スレッド移動)
|<:前のスレッド
>|:次のスレッド
^ :返事先
_:自分への返事
>:同じ返事先を持つ記事(前)
<:同じ返事先を持つ記事(後)
---:分割してスレッド表示、再表示
| :分割して(縦)スレッド表示、再表示
~ :スレッドのフレーム消去
.:インデックス
..:インデックスのインデックス
Issue #10991 has been updated by Usaku NAKAMURA.
Backport changed from 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: DONE to 2.0.0: WONTFIX, 2.1: DONE, 2.2: DONE
At r50667, fixed `ruby_2_1` branch.
The branch is quite different from trunk, so only an essential part of r50057 was picked up.
----------------------------------------
Bug #10991: SIGSEGV in Marshal.load
https://bugs.ruby-lang.org/issues/10991#change-52683
* Author: Martin Carpenter
* Status: Closed
* Priority: Normal
* Assignee:
* ruby -v: ruby 2.2.2p86 (2015-03-03 revision 49825) [x86_64-linux]
* Backport: 2.0.0: WONTFIX, 2.1: DONE, 2.2: DONE
----------------------------------------
I've fuzzed some crashes in the marshal loader. The docs are explicit about not handing untrusted data to these methods and all appear to be `NULL` derefs from `RSTRING_PTR()` (I checked the first few by hand and ran exploitable over the remainder) so not obviously catastrophic from a security perspective.
Attached please find a tgz containing the input data (from afl) and gdb session output (backtrace, set args ..., run, exploitable).
To reproduce from the command line:
ruby -e 'Marshal.load(STDIN)' < id:000001,sig:11,src:003955,op:havoc,rep:4
Today's ruby-2.2-head is affected, and as far back as ruby-2.1.5 at least (possibly earlier).
---Files--------------------------------
Marshal.load_crashes.tgz (2.92 KB)
--
https://bugs.ruby-lang.org/