Issue #15175 has been reported by bannable (Joe Truba).

----------------------------------------
Bug #15175: Segfault (Invalid read of size 4) in rb_bigzero_p
https://bugs.ruby-lang.org/issues/15175

* Author: bannable (Joe Truba)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: ruby 2.6.0dev (2018-09-28 trunk 64874) [x86_64-linux]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
My build is built with jemalloc, but the crash also happens without.

Note: this error only happens when ruby is run with --disable=gems. I'm unsure why.

Reproducer:
~~~
jtruba@sf201:~/rubies/ruby-trunk-clean$ cat poc
V = 1118111111111 ** -1111 ** 1111 / 111111111
jtruba@sf201:~/rubies/ruby-trunk-clean$
~~~

Crash and valgrind report
~~~
jtruba@sf201:~/rubies/ruby-trunk-clean$ valgrind --max-stackframe=9000000 ./ruby --disable=gems ./poc
==18033== Memcheck, a memory error detector
==18033== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==18033== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==18033== Command: ./ruby --disable=gems ./poc
==18033==
./poc:1: warning: in a**b, b may be too big
==18033== Invalid read of size 4
==18033==    at 0x2F8E42: rb_bigzero_p (bignum.c:2910)
==18033==    by 0x203EDB: f_gcd_normal (rational.c:323)
==18033==    by 0x203EDB: f_gcd (rational.c:359)
==18033==    by 0x203EDB: f_muldiv (rational.c:839)
==18033==    by 0x2B92E1: vm_call_cfunc_with_frame (vm_insnhelper.c:1958)
==18033==    by 0x2B92E1: vm_call_cfunc (vm_insnhelper.c:1974)
==18033==    by 0x2C3782: vm_call_method (vm_insnhelper.c:2448)
==18033==    by 0x2CA44B: vm_exec_core (insns.def:767)
==18033==    by 0x2C0D30: rb_vm_exec (vm.c:1812)
==18033==    by 0x12E5A6: ruby_exec_internal (eval.c:261)
==18033==    by 0x132C0A: ruby_exec_node (eval.c:325)
==18033==    by 0x132C0A: ruby_run_node (eval.c:317)
==18033==    by 0x12D97E: main (main.c:42)
==18033==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==18033==
./poc:1: [BUG] Segmentation fault at 0x0000000000000000
ruby 2.6.0dev (2018-09-28 trunk 64874) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0003 p:---- s:0011 e:000010 CFUNC  :/
c:0002 p:0020 s:0006 e:000005 EVAL   ./poc:1 [FINISH]
c:0001 p:0000 s:0003 E:0026d0 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
./poc:1:in `<main>'
./poc:1:in `/'

-- Machine register context ------------------------------------------------
 RIP: 0x00000000002f8e42 RBP: 0x0000000006d932c0 RSP: 0x0000000ffefffb88
 RAX: 0x0000000000000001 RBX: 0x0000000006d93220 RCX: 0x0000000000000003
 RDX: 0xfff0000000000000 RDI: 0x0000000000000000 RSI: 0x0000000000000000
  R8: 0x0000000000000001  R9: 0x0000000006d932c1 R10: 0x0000000000000000
 R11: 0x0000000000000000 R12: 0x0000000000000003 R13: 0x0000000000000003
 R14: 0x000000000d3ed78f R15: 0x0000000006d93298 EFL: 0x0000000000000084

-- C level backtrace information -------------------------------------------
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_vm_bugreport+0x53e) [0x3720ce] vm_dump.c:715
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_bug_context+0xe4) [0x3660e4] error.c:610
/home/jtruba/rubies/ruby-trunk-clean/ruby(sigsegv+0x42) [0x242c62] signal.c:998
/lib/x86_64-linux-gnu/libpthread.so.0(0x5065390) [0x5065390]
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_bigzero_p+0x42) [0x2f8e42] bignum.c:2910
/home/jtruba/rubies/ruby-trunk-clean/ruby(f_muldiv+0x45c) [0x203edc] rational.c:323
/home/jtruba/rubies/ruby-trunk-clean/ruby(vm_call_cfunc+0x102) [0x2b92e2] vm_insnhelper.c:1958
/home/jtruba/rubies/ruby-trunk-clean/ruby(vm_call_method+0xf3) [0x2c3783] vm_insnhelper.c:2448
/home/jtruba/rubies/ruby-trunk-clean/ruby(vm_exec_core+0x12c) [0x2ca44c] /home/jtruba/rubies/ruby-trunk-clean/insns.def:767
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_vm_exec+0xb1) [0x2c0d31] vm.c:1812
/home/jtruba/rubies/ruby-trunk-clean/ruby(ruby_exec_internal+0xd7) [0x12e5a7] eval.c:261
/home/jtruba/rubies/ruby-trunk-clean/ruby(ruby_run_node+0x3b) [0x132c0b] eval.c:325
/home/jtruba/rubies/ruby-trunk-clean/ruby(main+0x6f) [0x12d97f] ./main.c:42

-- Other runtime information -----------------------------------------------

* Loaded script: ./poc

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so

* Process memory map:

00108000-00459000 r-xp 00000000 00:28 1098522479                         /home/jtruba/rubies/ruby-trunk-clean/ruby
00658000-0065d000 r--p 00350000 00:28 1098522479                         /home/jtruba/rubies/ruby-trunk-clean/ruby
0065d000-0065e000 rw-p 00355000 00:28 1098522479                         /home/jtruba/rubies/ruby-trunk-clean/ruby
0065e000-00670000 rw-p 00000000 00:00 0
04000000-04026000 r-xp 00000000 08:02 32113071                           /lib/x86_64-linux-gnu/ld-2.23.so
04026000-04027000 rw-p 00000000 00:00 0
04044000-0404a000 rw-p 00000000 00:00 0
0404a000-0406c000 r--s 00000000 08:02 32113073                           /lib/x86_64-linux-gnu/libpthread-2.23.so
04225000-04226000 r--p 00025000 08:02 32113071                           /lib/x86_64-linux-gnu/ld-2.23.so
04226000-04227000 rw-p 00026000 08:02 32113071                           /lib/x86_64-linux-gnu/ld-2.23.so
04227000-04228000 rw-p 00000000 00:00 0
04228000-04229000 rwxp 00000000 00:00 0
04a28000-04a29000 r-xp 00000000 08:02 49420391                           /usr/lib/valgrind/vgpreload_core-amd64-linux.so
04a29000-04c28000 ---p 00001000 08:02 49420391                           /usr/lib/valgrind/vgpreload_core-amd64-linux.so
04c28000-04c29000 r--p 00000000 08:02 49420391                           /usr/lib/valgrind/vgpreload_core-amd64-linux.so
04c29000-04c2a000 rw-p 00001000 08:02 49420391                           /usr/lib/valgrind/vgpreload_core-amd64-linux.so
04c2a000-04c39000 r-xp 00000000 08:02 49420362                           /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
04c39000-04e38000 ---p 0000f000 08:02 49420362                           /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
04e38000-04e39000 r--p 0000e000 08:02 49420362                           /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
04e39000-04e3a000 rw-p 0000f000 08:02 49420362                           /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
04e3a000-04e53000 r-xp 00000000 08:02 32113307                           /lib/x86_64-linux-gnu/libz.so.1.2.8
04e53000-05052000 ---p 00019000 08:02 32113307                           /lib/x86_64-linux-gnu/libz.so.1.2.8
05052000-05053000 r--p 00018000 08:02 32113307                           /lib/x86_64-linux-gnu/libz.so.1.2.8
05053000-05054000 rw-p 00019000 08:02 32113307                           /lib/x86_64-linux-gnu/libz.so.1.2.8
05054000-0506c000 r-xp 00000000 08:02 32113073                           /lib/x86_64-linux-gnu/libpthread-2.23.so
0506c000-0526b000 ---p 00018000 08:02 32113073                           /lib/x86_64-linux-gnu/libpthread-2.23.so
0526b000-0526c000 r--p 00017000 08:02 32113073                           /lib/x86_64-linux-gnu/libpthread-2.23.so
0526c000-0526d000 rw-p 00018000 08:02 32113073                           /lib/x86_64-linux-gnu/libpthread-2.23.so
0526d000-05271000 rw-p 00000000 00:00 0
05271000-05278000 r-xp 00000000 08:02 32113100                           /lib/x86_64-linux-gnu/librt-2.23.so
05278000-05477000 ---p 00007000 08:02 32113100                           /lib/x86_64-linux-gnu/librt-2.23.so
05477000-05478000 r--p 00006000 08:02 32113100                           /lib/x86_64-linux-gnu/librt-2.23.so
05479000-054ac000 r-xp 00000000 08:02 49415854                           /usr/lib/x86_64-linux-gnu/libjemalloc.so.1
054ac000-056ac000 ---p 00033000 08:02 49415854                           /usr/lib/x86_64-linux-gnu/libjemalloc.so.1
056ac000-056ae000 r--p 00033000 08:02 49415854                           /usr/lib/x86_64-linux-gnu/libjemalloc.so.1
056ae000-056af000 rw-p 00035000 08:02 49415854                           /usr/lib/x86_64-linux-gnu/libjemalloc.so.1
056af000-056b0000 rw-p 00000000 00:00 0
056b0000-0572f000 r-xp 00000000 08:02 49416499                           /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.0
0572f000-0592e000 ---p 0007f000 08:02 49416499                           /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.0
0592e000-0592f000 r--p 0007e000 08:02 49416499                           /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.0
0592f000-05930000 rw-p 0007f000 08:02 49416499                           /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.0
05930000-05933000 r-xp 00000000 08:02 32113076                           /lib/x86_64-linux-gnu/libdl-2.23.so
05933000-05b32000 ---p 00003000 08:02 32113076                           /lib/x86_64-linux-gnu/libdl-2.23.so
05b32000-05b33000 r--p 00002000 08:02 32113076                           /lib/x86_64-linux-gnu/libdl-2.23.so
05b33000-05b34000 rw-p 00003000 08:02 32113076                           /lib/x86_64-linux-gnu/libdl-2.23.so
05b34000-05b3d000 r-xp 00000000 08:02 32113101                           /lib/x86_64-linux-gnu/libcrypt-2.23.so
05b3d000-05d3c000 ---p 00009000 08:02 32113101                           /lib/x86_64-linux-gnu/libcrypt-2.23.so
05d3c000-05d3d000 r--p 00008000 08:02 32113101                           /lib/x86_64-linux-gnu/libcrypt-2.23.so
05d3d000-05d3e000 rw-p 00009000 08:02 32113101                           /lib/x86_64-linux-gnu/libcrypt-2.23.so
05d3e000-05d6c000 rw-p 00000000 00:00 0
05d6c000-05e74000 r-xp 00000000 08:02 32112668                           /lib/x86_64-linux-gnu/libm-2.23.so
05e74000-06073000 ---p 00108000 08:02 32112668                           /lib/x86_64-linux-gnu/libm-2.23.so
06073000-06074000 r--p 00107000 08:02 32112668                           /lib/x86_64-linux-gnu/libm-2.23.so
06074000-06075000 rw-p 00108000 08:02 32112668                           /lib/x86_64-linux-gnu/libm-2.23.so
06075000-06235000 r-xp 00000000 08:02 32113074                           /lib/x86_64-linux-gnu/libc-2.23.so
06235000-06435000 ---p 001c0000 08:02 32113074                           /lib/x86_64-linux-gnu/libc-2.23.so
06435000-06439000 r--p 001c0000 08:02 32113074                           /lib/x86_64-linux-gnu/libc-2.23.so
06439000-0643b000 rw-p 001c4000 08:02 32113074                           /lib/x86_64-linux-gnu/libc-2.23.so
0643b000-0643f000 rw-p 00000000 00:00 0
0643f000-06717000 r--p 00000000 08:02 49416224                           /usr/lib/locale/locale-archive
06800000-07000000 rw-p 00000000 00:00 0
07000000-07016000 r-xp 00000000 08:02 32113161                           /lib/x86_64-linux-gnu/libgcc_s.so.1
07016000-07215000 ---p 00016000 08:02 32113161                           /lib/x86_64-linux-gnu/libgcc_s.so.1
07215000-07216000 rw-p 00015000 08:02 32113161                           /lib/x86_64-linux-gnu/libgcc_s.so.1
07216000-08383000 r--s 00000000 00:28 1098522479                         /home/jtruba/rubies/ruby-trunk-clean/ruby
08383000-0854c000 r--s 00000000 08:02 32113074                           /lib/x86_64-linux-gnu/libc-2.23.so
38000000-3821f000 r-xp 00000000 08:02 49420448                           /usr/lib/valgrind/memcheck-amd64-linux
3841f000-38422000 rw-p 0021f000 08:02 49420448                           /usr/lib/valgrind/memcheck-amd64-linux
38422000-395d8000 rw-p 00000000 00:00 0
802001000-802acc000 rwxp 00000000 00:00 0
802acc000-802adc000 rwxp 00000000 00:00 0
802adc000-802af8000 rwxp 00000000 00:00 0
802af8000-802b24000 rwxp 00000000 00:00 0
802b8c000-802ba4000 rwxp 00000000 00:00 0
802ba8000-802bac000 rwxp 00000000 00:00 0
802bac000-802bae000 ---p 00000000 00:00 0
802bae000-802cae000 rwxp 00000000 00:00 0
802cae000-802cb0000 ---p 00000000 00:00 0
802cb0000-802cb1000 rw-s 00000000 08:02 32246066                         /tmp/vgdb-pipe-shared-mem-vgdb-18033-by-jtruba-on-???
802cbd000-802edd000 rwxp 00000000 00:00 0
802edd000-802f25000 rwxp 00000000 00:00 0
802fb2000-80349e000 rwxp 00000000 00:00 0
80359e000-80369e000 rwxp 00000000 00:00 0
80379b000-805ac6000 rwxp 00000000 00:00 0
805bc6000-8060c6000 rwxp 00000000 00:00 0
8063bb000-8065df000 rwxp 00000000 00:00 0
ffe802000-fff001000 rw-p 00000000 00:00 0
7fffc03f2000-7fffc0413000 rw-p 00000000 00:00 0                          [stack]
7fffc04e0000-7fffc04e3000 r--p 00000000 00:00 0                          [vvar]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]


[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: https://www.ruby-lang.org/bugreport.html

==18033==
==18033== Process terminating with default action of signal 6 (SIGABRT)
==18033==    at 0x60AA428: raise (raise.c:54)
==18033==    by 0x60AC029: abort (abort.c:89)
==18033==    by 0x3660F0: die (error.c:582)
==18033==    by 0x3660F0: rb_bug_context (error.c:612)
==18033==    by 0x242C61: sigsegv (signal.c:998)
==18033==    by 0x506538F: ??? (in /lib/x86_64-linux-gnu/libpthread-2.23.so)
==18033==    by 0x2F8E41: rb_bigzero_p (bignum.c:2910)
==18033==
==18033== HEAP SUMMARY:
==18033==     in use at exit: 0 bytes in 0 blocks
==18033==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==18033==
==18033== All heap blocks were freed -- no leaks are possible
==18033==
==18033== For counts of detected and suppressed errors, rerun with: -v
==18033== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Aborted (core dumped)
~~~

This was discovered using afl-fuzz.



-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>