Issue #15190 has been updated by usa (Usaku NAKAMURA).

Backport changed from 2.3: REQUIRED, 2.4: REQUIRED, 2.5: DONE to 2.3: REQUIRED, 2.4: DONE, 2.5: DONE

ruby_2_4 r65113 merged revision(s) 64900.

----------------------------------------
Bug #15190: Null pointer dereference in process_options -- OOB read (size of 8 bytes)
https://bugs.ruby-lang.org/issues/15190#change-74474

* Author: bannable (Joe Truba)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: ruby 2.6.0dev (2018-10-01 trunk 64894) [x86_64-linux]
* Backport: 2.3: REQUIRED, 2.4: DONE, 2.5: DONE
----------------------------------------
When passed "#!" with no newline as a script, rb_parser_compile_string and load_file can return null, causing process_options to later perform a null pointer dereference.

This happens in 2.5 and trunk, but not 2.3 or 2.4.

Reproducer:
~~~
jtruba@dev118:~/ruby-crashes$ echo -n '#!' > reproducer
jtruba@dev118:~/ruby-crashes$ xxd reproducer
00000000: 2321                                     #!
jtruba@dev118:~/ruby-crashes$ ruby --disable=gems - < reproducer
~~~

Valgrind report:
~~~
==44458== Memcheck, a memory error detector
==44458== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==44458== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==44458== Command: /home/jtruba/rubies/ruby-trunk-clean/ruby --disable=gems -
==44458== Parent PID: 5757
==44458==
==44458== Invalid read of size 8
==44458==    at 0x240F91: process_options (ruby.c:1784)
==44458==    by 0x241DE6: ruby_process_options (ruby.c:2336)
==44458==    by 0x132639: ruby_options (eval.c:118)
==44458==    by 0x12D916: main (main.c:42)
==44458==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==44458==
==44458==
==44458== Process terminating with default action of signal 6 (SIGABRT)
==44458==    at 0x5E73428: raise (raise.c:54)
==44458==    by 0x5E75029: abort (abort.c:89)
==44458==    by 0x365BD0: die (error.c:582)
==44458==    by 0x365BD0: rb_bug_context (error.c:612)
==44458==    by 0x242771: sigsegv (signal.c:998)
==44458==    by 0x506538F: ??? (in /lib/x86_64-linux-gnu/libpthread-2.23.so)
==44458==    by 0x240F90: process_options (ruby.c:1782)
==44458==    by 0x64C735F: ???
==44458==    by 0x636423F: ???
==44458==
==44458== HEAP SUMMARY:
==44458==     in use at exit: 2,135,304 bytes in 6,444 blocks
==44458==   total heap usage: 7,054 allocs, 610 frees, 2,350,194 bytes allocated
==44458==
==44458== LEAK SUMMARY:
==44458==    definitely lost: 8,240 bytes in 2 blocks
==44458==    indirectly lost: 144 bytes in 3 blocks
==44458==      possibly lost: 1,863,148 bytes in 6,224 blocks
==44458==    still reachable: 263,772 bytes in 215 blocks
==44458==         suppressed: 0 bytes in 0 blocks
==44458== Rerun with --leak-check=full to see details of leaked memory
==44458==
==44458== For counts of detected and suppressed errors, rerun with: -v
==44458== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
~~~

Output:
~~~
-: [BUG] Segmentation fault at 0x0000000000000010
ruby 2.6.0dev (2018-10-01 trunk 64894) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0001 p:0000 s:0003 E:000f10 (none) [FINISH]


-- Machine register context ------------------------------------------------
 RIP: 0x00005574f7b28f91 RBP: 0x00005574f980a0f0 RSP: 0x00007ffe83d45ee0
 RAX: 0x0000000000000000 RBX: 0x00007ffe83d46fa0 RCX: 0x0000000000000000
 RDX: 0x0000000000000000 RDI: 0x0000000000000000 RSI: 0x0000000000000000
  R8: 0x0000000000000000  R9: 0x00005574f7c97392 R10: 0x00005574f9772030
 R11: 0x0000000000000246 R12: 0x0000000000000000 R13: 0x0000000000000000
 R14: 0x00005574f970af20 R15: 0x00007ffe83d47010 EFL: 0x0000000000010202

-- C level backtrace information -------------------------------------------
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_vm_bugreport+0x53e) [0x5574f7c59bae] vm_dump.c:715
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_bug_context+0xe4) [0x5574f7c4dbc4] error.c:610
/home/jtruba/rubies/ruby-trunk-clean/ruby(sigsegv+0x42) [0x5574f7b2a772] signal.c:998
/lib/x86_64-linux-gnu/libpthread.so.0(0x7f73638c3390) [0x7f73638c3390]
/home/jtruba/rubies/ruby-trunk-clean/ruby(process_options+0xb11) [0x5574f7b28f91] ruby.c:1782
/home/jtruba/rubies/ruby-trunk-clean/ruby(ruby_process_options+0x147) [0x5574f7b29de7] ruby.c:2336
/home/jtruba/rubies/ruby-trunk-clean/ruby(ruby_options+0xca) [0x5574f7a1a63a] eval.c:118
/home/jtruba/rubies/ruby-trunk-clean/ruby(main+0x67) [0x5574f7a15917] ./main.c:42

-- Other runtime information -----------------------------------------------

* Loaded script: -

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so

* Process memory map:

5574f79f0000-5574f7d41000 r-xp 00000000 00:28 1097908882                 /home/jtruba/rubies/ruby-trunk-clean/ruby
5574f7f40000-5574f7f45000 r--p 00350000 00:28 1097908882                 /home/jtruba/rubies/ruby-trunk-clean/ruby
5574f7f45000-5574f7f46000 rw-p 00355000 00:28 1097908882                 /home/jtruba/rubies/ruby-trunk-clean/ruby
5574f7f46000-5574f7f58000 rw-p 00000000 00:00 0
5574f970a000-5574f972b000 rw-p 00000000 00:00 0                          [heap]
5574f972b000-5574f9835000 rw-p 00000000 00:00 0                          [heap]
7f73610fa000-7f73612c3000 r--s 00000000 08:02 32113074                   /lib/x86_64-linux-gnu/libc-2.23.so
7f73612c3000-7f736242d000 r--s 00000000 00:28 1097908882                 /home/jtruba/rubies/ruby-trunk-clean/ruby
7f736242d000-7f7362443000 r-xp 00000000 08:02 32113161                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7362443000-7f7362642000 ---p 00016000 08:02 32113161                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7362642000-7f7362643000 rw-p 00015000 08:02 32113161                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7362643000-7f736291b000 r--p 00000000 08:02 49416224                   /usr/lib/locale/locale-archive
7f736291b000-7f7362adb000 r-xp 00000000 08:02 32113074                   /lib/x86_64-linux-gnu/libc-2.23.so
7f7362adb000-7f7362cdb000 ---p 001c0000 08:02 32113074                   /lib/x86_64-linux-gnu/libc-2.23.so
7f7362cdb000-7f7362cdf000 r--p 001c0000 08:02 32113074                   /lib/x86_64-linux-gnu/libc-2.23.so
7f7362cdf000-7f7362ce1000 rw-p 001c4000 08:02 32113074                   /lib/x86_64-linux-gnu/libc-2.23.so
7f7362ce1000-7f7362ce5000 rw-p 00000000 00:00 0
7f7362ce5000-7f7362ded000 r-xp 00000000 08:02 32112668                   /lib/x86_64-linux-gnu/libm-2.23.so
7f7362ded000-7f7362fec000 ---p 00108000 08:02 32112668                   /lib/x86_64-linux-gnu/libm-2.23.so
7f7362fec000-7f7362fed000 r--p 00107000 08:02 32112668                   /lib/x86_64-linux-gnu/libm-2.23.so
7f7362fed000-7f7362fee000 rw-p 00108000 08:02 32112668                   /lib/x86_64-linux-gnu/libm-2.23.so
7f7362fee000-7f7362ff7000 r-xp 00000000 08:02 32113101                   /lib/x86_64-linux-gnu/libcrypt-2.23.so
7f7362ff7000-7f73631f6000 ---p 00009000 08:02 32113101                   /lib/x86_64-linux-gnu/libcrypt-2.23.so
7f73631f6000-7f73631f7000 r--p 00008000 08:02 32113101                   /lib/x86_64-linux-gnu/libcrypt-2.23.so
7f73631f7000-7f73631f8000 rw-p 00009000 08:02 32113101                   /lib/x86_64-linux-gnu/libcrypt-2.23.so
7f73631f8000-7f7363226000 rw-p 00000000 00:00 0
7f7363226000-7f7363229000 r-xp 00000000 08:02 32113076                   /lib/x86_64-linux-gnu/libdl-2.23.so
7f7363229000-7f7363428000 ---p 00003000 08:02 32113076                   /lib/x86_64-linux-gnu/libdl-2.23.so
7f7363428000-7f7363429000 r--p 00002000 08:02 32113076                   /lib/x86_64-linux-gnu/libdl-2.23.so
7f7363429000-7f736342a000 rw-p 00003000 08:02 32113076                   /lib/x86_64-linux-gnu/libdl-2.23.so
7f736342a000-7f73634a9000 r-xp 00000000 08:02 49416499                   /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.0
7f73634a9000-7f73636a8000 ---p 0007f000 08:02 49416499                   /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.0
7f73636a8000-7f73636a9000 r--p 0007e000 08:02 49416499                   /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.0
7f73636a9000-7f73636aa000 rw-p 0007f000 08:02 49416499                   /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.0
7f73636aa000-7f73636b1000 r-xp 00000000 08:02 32113100                   /lib/x86_64-linux-gnu/librt-2.23.so
7f73636b1000-7f73638b0000 ---p 00007000 08:02 32113100                   /lib/x86_64-linux-gnu/librt-2.23.so
7f73638b0000-7f73638b1000 r--p 00006000 08:02 32113100                   /lib/x86_64-linux-gnu/librt-2.23.so
7f73638b1000-7f73638b2000 rw-p 00007000 08:02 32113100                   /lib/x86_64-linux-gnu/librt-2.23.so
7f73638b2000-7f73638ca000 r-xp 00000000 08:02 32113073                   /lib/x86_64-linux-gnu/libpthread-2.23.so
7f73638ca000-7f7363ac9000 ---p 00018000 08:02 32113073                   /lib/x86_64-linux-gnu/libpthread-2.23.so
7f7363ac9000-7f7363aca000 r--p 00017000 08:02 32113073                   /lib/x86_64-linux-gnu/libpthread-2.23.so
7f7363aca000-7f7363acb000 rw-p 00018000 08:02 32113073                   /lib/x86_64-linux-gnu/libpthread-2.23.so
7f7363acb000-7f7363acf000 rw-p 00000000 00:00 0
7f7363acf000-7f7363ae8000 r-xp 00000000 08:02 32113307                   /lib/x86_64-linux-gnu/libz.so.1.2.8
7f7363ae8000-7f7363ce7000 ---p 00019000 08:02 32113307                   /lib/x86_64-linux-gnu/libz.so.1.2.8
7f7363ce7000-7f7363ce8000 r--p 00018000 08:02 32113307                   /lib/x86_64-linux-gnu/libz.so.1.2.8
7f7363ce8000-7f7363ce9000 rw-p 00019000 08:02 32113307                   /lib/x86_64-linux-gnu/libz.so.1.2.8
7f7363ce9000-7f7363d0f000 r-xp 00000000 08:02 32113071                   /lib/x86_64-linux-gnu/ld-2.23.so
7f7363dc8000-7f7363dea000 r--s 00000000 08:02 32113073                   /lib/x86_64-linux-gnu/libpthread-2.23.so
7f7363dea000-7f7363eeb000 rw-p 00000000 00:00 0
7f7363eeb000-7f7363ef1000 rw-p 00000000 00:00 0
7f7363f0e000-7f7363f0f000 r--p 00025000 08:02 32113071                   /lib/x86_64-linux-gnu/ld-2.23.so
7f7363f0f000-7f7363f10000 rw-p 00026000 08:02 32113071                   /lib/x86_64-linux-gnu/ld-2.23.so
7f7363f10000-7f7363f11000 rw-p 00000000 00:00 0
7ffe8354a000-7ffe83d49000 rw-p 00000000 00:00 0                          [stack]
7ffe83d5f000-7ffe83d62000 r--p 00000000 00:00 0                          [vvar]
7ffe83d62000-7ffe83d64000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]


[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: https://www.ruby-lang.org/bugreport.html
~~~



-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>