Issue #15245 has been reported by bannable (Joe Truba).

----------------------------------------
Bug #15245: Heap buffer overflow (write of size 8) in vm.inc
https://bugs.ruby-lang.org/issues/15245

* Author: bannable (Joe Truba)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: ruby 2.6.0dev (2018-10-16 trunk 65097) [x86_64-linux]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
Reproducer:
~~~
$ xxd repro1_2
00000000: 2557 0030 007c 7c30 7768 696c 650a 30    %W.0.||0while.0
$ 
~~~

AddressSanitizer report:
~~~
=================================================================
==43391==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000d13fd8 at pc 0x55713d1d5cab bp 0x7ffe42230070 sp 0x7ffe42230068
WRITE of size 8 at 0x62d000d13fd8 thread T0
    #0 0x55713d1d5caa in vm_exec_core /home/jtruba/rubies/ruby-trunk-asan/vm.inc:797:13
    #1 0x55713d213dd4 in rb_vm_exec /home/jtruba/rubies/ruby-trunk-asan/vm.c
    #2 0x55713cc28286 in ruby_exec_internal /home/jtruba/rubies/ruby-trunk-asan/eval.c:261:2
    #3 0x55713cc28286 in ruby_exec_node /home/jtruba/rubies/ruby-trunk-asan/eval.c:325
    #4 0x55713cc27ca5 in ruby_run_node /home/jtruba/rubies/ruby-trunk-asan/eval.c:317:25
    #5 0x55713cc1e960 in main /home/jtruba/rubies/ruby-trunk-asan/./main.c:42:9
    #6 0x7fdd2f340b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
    #7 0x55713cb4873b in _start (/home/jtruba/rubies/ruby-trunk-asan/ruby+0x13b73b)

0x62d000d13fd8 is located 0 bytes to the right of 16344-byte region [0x62d000d10000,0x62d000d13fd8)
allocated by thread T0 here:
    #0 0x55713cbf07fe in __interceptor_posix_memalign /home/jtruba/to_install/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:167:3
    #1 0x55713cc9bc7d in aligned_malloc /home/jtruba/rubies/ruby-trunk-asan/gc.c:7806:9
    #2 0x55713cc9bc7d in heap_page_allocate /home/jtruba/rubies/ruby-trunk-asan/gc.c:1527
    #3 0x55713cc9bc7d in heap_page_create /home/jtruba/rubies/ruby-trunk-asan/gc.c:1628
    #4 0x55713cc9bc7d in heap_assign_page /home/jtruba/rubies/ruby-trunk-asan/gc.c:1648
    #5 0x55713cc8da80 in heap_increment /home/jtruba/rubies/ruby-trunk-asan/gc.c:1729:2
    #6 0x55713cc8da80 in heap_prepare /home/jtruba/rubies/ruby-trunk-asan/gc.c:1748
    #7 0x55713cc8da80 in heap_get_freeobj_from_next_freepage /home/jtruba/rubies/ruby-trunk-asan/gc.c:1761
    #8 0x55713cc8da80 in heap_get_freeobj /home/jtruba/rubies/ruby-trunk-asan/gc.c:1795
    #9 0x55713cc8da80 in newobj_slowpath /home/jtruba/rubies/ruby-trunk-asan/gc.c:1925
    #10 0x55713cc8c755 in newobj_slowpath_wb_protected /home/jtruba/rubies/ruby-trunk-asan/gc.c:1937:12

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jtruba/rubies/ruby-trunk-asan/vm.inc:797:13 in vm_exec_core
Shadow bytes around the buggy address:
  0x0c5a8019a7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a8019a7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a8019a7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a8019a7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a8019a7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5a8019a7f0: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c5a8019a800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a8019a810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a8019a820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a8019a830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a8019a840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==43391==ABORTING
~~~
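To triage a report like the one above it helps to check the arithmetic ASan prints rather than reading it by eye: does the region's start plus its length equal the region's end, and how many bytes of the access actually fall outside it? The following parser is an added example, not part of the bug report or of Ruby's own tooling; it embeds the relevant lines of the report quoted above as a constructed sample and extracts the access, the region, the faulting frame and the first non-interceptor allocation frame.

```python
"""Triage helper: pull the key facts out of an AddressSanitizer heap report."""
import re

# Constructed sample: the leading lines of the ASan report quoted in the bug
# report, embedded inline so the parser runs without a crashing build.
SAMPLE_REPORT = """\
==43391==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000d13fd8 at pc 0x55713d1d5cab bp 0x7ffe42230070 sp 0x7ffe42230068
WRITE of size 8 at 0x62d000d13fd8 thread T0
    #0 0x55713d1d5caa in vm_exec_core /home/jtruba/rubies/ruby-trunk-asan/vm.inc:797:13
    #1 0x55713d213dd4 in rb_vm_exec /home/jtruba/rubies/ruby-trunk-asan/vm.c

0x62d000d13fd8 is located 0 bytes to the right of 16344-byte region [0x62d000d10000,0x62d000d13fd8)
allocated by thread T0 here:
    #0 0x55713cbf07fe in __interceptor_posix_memalign /home/jtruba/to_install/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:167:3
    #1 0x55713cc9bc7d in aligned_malloc /home/jtruba/rubies/ruby-trunk-asan/gc.c:7806:9
    #2 0x55713cc9bc7d in heap_page_allocate /home/jtruba/rubies/ruby-trunk-asan/gc.c:1527
"""

HEX = r"0x[0-9a-fA-F]+"
ERROR_RE = re.compile(rf"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>{HEX})")
ACCESS_RE = re.compile(rf"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>{HEX})", re.M)
REGION_RE = re.compile(
    rf"(?P<addr>{HEX}) is located (?P<dist>\d+) bytes (?:to the (?P<side>left|right) of|inside of) "
    rf"(?P<len>\d+)-byte region \[(?P<start>{HEX}),(?P<end>{HEX})\)")
FRAME_RE = re.compile(rf"^\s*#(?P<n>\d+) {HEX} in (?P<func>\S+) (?P<loc>\S+)", re.M)


def parse_asan_report(text):
    """Return the access, region and frames of a heap report, plus a consistency check."""
    head = ERROR_RE.search(text)
    access = ACCESS_RE.search(text)
    region = REGION_RE.search(text)
    if not (head and access and region):
        raise ValueError("not a recognised AddressSanitizer heap report")

    # Frames printed before "allocated by" belong to the faulting access; the
    # ones after it describe where the region was allocated.
    split_at = text.find("allocated by")
    if split_at < 0:
        split_at = len(text)
    access_frames = [m.groupdict() for m in FRAME_RE.finditer(text[:split_at])]
    alloc_frames = [m.groupdict() for m in FRAME_RE.finditer(text[split_at:])]
    # Skip ASan's own malloc interceptors so the frame points into the program.
    app_alloc_frames = [f for f in alloc_frames if not f["func"].startswith("__interceptor_")]

    addr = int(access["addr"], 16)
    size = int(access["size"])
    start, end = int(region["start"], 16), int(region["end"], 16)
    length = int(region["len"])
    side = region["side"] or "inside"

    # Bytes of the access [addr, addr+size) that lie outside [start, end).
    overlap = max(0, min(addr + size, end) - max(addr, start))
    out_of_bounds = size - overlap

    # Recompute the distance ASan printed from the raw addresses.
    if side == "right":
        expected_dist = addr - end
    elif side == "left":
        expected_dist = start - addr
    else:
        expected_dist = addr - start
    consistent = (start + length == end) and (expected_dist == int(region["dist"]))

    return {
        "kind": head["kind"],
        "op": access["op"],
        "size": size,
        "addr": addr,
        "region": (start, end, length),
        "side": side,
        "distance": int(region["dist"]),
        "out_of_bounds_bytes": out_of_bounds,
        "consistent": consistent,
        "fault_frame": access_frames[0] if access_frames else None,
        "alloc_frame": app_alloc_frames[0] if app_alloc_frames else None,
    }


def summarize(report):
    """One-line triage summary suitable for a bug title or tracker note."""
    fault = report["fault_frame"]["loc"].rsplit("/", 1)[-1]
    alloc = report["alloc_frame"]["func"]
    return (f"{report['kind']}: {report['op']} of {report['size']} bytes at {fault}, "
            f"{report['out_of_bounds_bytes']} byte(s) past the {report['side']} edge of a "
            f"{report['region'][2]}-byte region allocated in {alloc}")


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

The `consistent` flag is the useful part when comparing several fuzzer crashes: if the region bounds and the printed distance disagree, the report was probably truncated or mangled in transit and is not worth deduplicating against the others.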

Crash dump:
~~~
jtruba@dev118:~/rubies/ruby-trunk$ ./ruby ../repro1_2
../repro1_2:1: [BUG] gc_sweep(): unknown data type 0x18(0x00007f9663544038) 0x7f966355abb8
ruby 2.6.0dev (2018-10-16 trunk 65097) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0002 p:0004 s:-1458793 e:000005 EVAL   ../repro1_2:1 [FINISH]
c:0001 p:0000 s:0003 E:001cf0 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
../repro1_2:1:in `<main>'

-- C level backtrace information -------------------------------------------
./ruby(0x55d8d3e4f7c0) [0x55d8d3e4f7c0]
/home/jtruba/rubies/ruby-trunk/ruby(rb_vm_bugreport) vm_dump.c:985
/home/jtruba/rubies/ruby-trunk/ruby(bug_report_end+0x0) [0x55d8d3e2a2cc] error.c:27072
/home/jtruba/rubies/ruby-trunk/ruby(rb_bug) error.c:595
./ruby(0x55d8d39a8459) [0x55d8d39a8459]
./ruby(0x55d8d39a6242) [0x55d8d39a6242]
./ruby(0x55d8d39a3b6f) [0x55d8d39a3b6f]
./ruby(0x55d8d39a3257) [0x55d8d39a3257]
/home/jtruba/rubies/ruby-trunk/ruby(ibf_dump_write+0x4e) [0x55d8d3987503] gc.c:41745
/home/jtruba/rubies/ruby-trunk/ruby(newobj_of) compile.c:9455
/home/jtruba/rubies/ruby-trunk/ruby(rb_wb_protected_newobj_of) gc.c:1990
./ruby(rb_str_resurrect+0xd) [0x55d8d3bcad54]
/home/jtruba/rubies/ruby-trunk/ruby(rb_str_resurrect) string.c:1499
./ruby(0x55d8d3ca7f68) [0x55d8d3ca7f68]
./ruby(rb_vm_exec+0x1884) [0x55d8d3cc8504]
./ruby(rb_iseq_eval_main+0x536) [0x55d8d3cc8f76]
./ruby(ruby_exec_node+0x46) [0x55d8d3969499]
/home/jtruba/rubies/ruby-trunk/ruby(rb_check_lockedtmp) compile.c:5878
/home/jtruba/rubies/ruby-trunk/ruby(str_modifiable) string.c:2027
/home/jtruba/rubies/ruby-trunk/ruby(str_independent) string.c:2045
/home/jtruba/rubies/ruby-trunk/ruby(str_modify_keep_cr) string.c:2114
/home/jtruba/rubies/ruby-trunk/ruby(parser_peek_variable_name) string.c:5664
/home/jtruba/rubies/ruby-trunk/ruby(parse_string) parse.y:5927
/home/jtruba/rubies/ruby-trunk/ruby(io_fd_check_closed) parse.y:7603
/home/jtruba/rubies/ruby-trunk/ruby(rb_io_check_closed) io.c:647
/home/jtruba/rubies/ruby-trunk/ruby(io_fd_check_closed) io.c:6100
/home/jtruba/rubies/ruby-trunk/ruby(rb_io_check_closed) io.c:647
/home/jtruba/rubies/ruby-trunk/ruby(io_strip_bom) io.c:6034
/home/jtruba/rubies/ruby-trunk/ruby(ruby_exec_node) io.c:6097
./ruby(ruby_run_node+0x3c) [0x55d8d39691e8]
/home/jtruba/rubies/ruby-trunk/ruby(compile_data_alloc_adjust) compile.c:882
/home/jtruba/rubies/ruby-trunk/ruby(new_adjust_body) compile.c:1116
/home/jtruba/rubies/ruby-trunk/ruby(compile_break) compile.c:5375
/home/jtruba/rubies/ruby-trunk/ruby(RUBY_VM_CONTROL_FRAME_STACK_OVERFLOW_P) compile.c:5898
/home/jtruba/rubies/ruby-trunk/ruby(rb_source_location) vm.c:519
/home/jtruba/rubies/ruby-trunk/ruby(parse_ident) vm.c:1310
/home/jtruba/rubies/ruby-trunk/ruby(ruby_run_node) parse.y:8255
/home/jtruba/rubies/ruby-trunk/ruby(rb_array_len+0x3) [0x55d8d3963e18] ./main.c:1087
/home/jtruba/rubies/ruby-trunk/ruby(ary_tmp_hash_new) array.c:4132
/home/jtruba/rubies/ruby-trunk/ruby(ary_make_hash) array.c:4142
/home/jtruba/rubies/ruby-trunk/ruby(str_independent) array.c:4602
/home/jtruba/rubies/ruby-trunk/ruby(main) string.c:5422
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f9664b08b45] libc-start.c:287
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main) (null):0
./ruby(0x55d8d3963c79) [0x55d8d3963c79]
/home/jtruba/rubies/ruby-trunk/ruby(compile_data_alloc_insn) compile.c:870
/home/jtruba/rubies/ruby-trunk/ruby(new_insn_core) compile.c:1129
/home/jtruba/rubies/ruby-trunk/ruby(new_insn_body) compile.c:1159
/home/jtruba/rubies/ruby-trunk/ruby(vm_push_frame) compile.c:6568
/home/jtruba/rubies/ruby-trunk/ruby(vm_set_eval_stack) vm.c:478

-- Other runtime information -----------------------------------------------

* Loaded script: ../repro1_2

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so
    4 /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/encdb.so
    5 /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/trans/transdb.so

* Process memory map:

55d8d393b000-55d8d3f40000 r-xp 00000000 103:00 78003143                  /home/jtruba/rubies/ruby-trunk/ruby
55d8d413f000-55d8d4145000 rw-p 00604000 103:00 78003143                  /home/jtruba/rubies/ruby-trunk/ruby
55d8d4145000-55d8d4167000 rw-p 00000000 00:00 0
7f9662242000-7f96631ea000 r--s 00000000 103:00 78003143                  /home/jtruba/rubies/ruby-trunk/ruby
7f96631ea000-7f9663200000 r-xp 00000000 103:03 786893                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f9663200000-7f96633ff000 ---p 00016000 103:03 786893                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f96633ff000-7f9663400000 rw-p 00015000 103:03 786893                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f9663400000-7f9663c00000 rw-p 00000000 00:00 0
7f9663c54000-7f9663dfd000 r--s 00000000 103:03 786457                    /lib/x86_64-linux-gnu/libc-2.19.so
7f9663dfd000-7f9663dff000 r-xp 00000000 103:00 80759003                  /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/trans/transdb.so
7f9663dff000-7f9663fff000 ---p 00002000 103:00 80759003                  /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/trans/transdb.so
7f9663fff000-7f9664000000 rw-p 00002000 103:00 80759003                  /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/trans/transdb.so
7f9664000000-7f9664800000 rw-p 00000000 00:00 0
7f96648e5000-7f96648e7000 r-xp 00000000 103:00 80759038                  /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/encdb.so
7f96648e7000-7f9664ae6000 ---p 00002000 103:00 80759038                  /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/encdb.so
7f9664ae6000-7f9664ae7000 rw-p 00001000 103:00 80759038                  /home/jtruba/.rubies/ruby-trunk/lib/ruby/2.6.0/x86_64-linux/enc/encdb.so
7f9664ae7000-7f9664c88000 r-xp 00000000 103:03 786457                    /lib/x86_64-linux-gnu/libc-2.19.so
7f9664c88000-7f9664e88000 ---p 001a1000 103:03 786457                    /lib/x86_64-linux-gnu/libc-2.19.so
7f9664e88000-7f9664e8c000 r--p 001a1000 103:03 786457                    /lib/x86_64-linux-gnu/libc-2.19.so
7f9664e8c000-7f9664e8e000 rw-p 001a5000 103:03 786457                    /lib/x86_64-linux-gnu/libc-2.19.so
7f9664e8e000-7f9664e92000 rw-p 00000000 00:00 0
7f9664e92000-7f9664f92000 r-xp 00000000 103:03 786463                    /lib/x86_64-linux-gnu/libm-2.19.so
7f9664f92000-7f9665191000 ---p 00100000 103:03 786463                    /lib/x86_64-linux-gnu/libm-2.19.so
7f9665191000-7f9665192000 r--p 000ff000 103:03 786463                    /lib/x86_64-linux-gnu/libm-2.19.so
7f9665192000-7f9665193000 rw-p 00100000 103:03 786463                    /lib/x86_64-linux-gnu/libm-2.19.so
7f9665193000-7f966519b000 r-xp 00000000 103:03 786461                    /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f966519b000-7f966539a000 ---p 00008000 103:03 786461                    /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f966539a000-7f966539b000 r--p 00007000 103:03 786461                    /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f966539b000-7f966539c000 rw-p 00008000 103:03 786461                    /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f966539c000-7f96653ca000 rw-p 00000000 00:00 0
7f96653ca000-7f96653cd000 r-xp 00000000 103:03 786462                    /lib/x86_64-linux-gnu/libdl-2.19.so
7f96653cd000-7f96655cc000 ---p 00003000 103:03 786462                    /lib/x86_64-linux-gnu/libdl-2.19.so
7f96655cc000-7f96655cd000 r--p 00002000 103:03 786462                    /lib/x86_64-linux-gnu/libdl-2.19.so
7f96655cd000-7f96655ce000 rw-p 00003000 103:03 786462                    /lib/x86_64-linux-gnu/libdl-2.19.so
7f96655ce000-7f966564f000 r-xp 00000000 103:03 266462                    /usr/lib/x86_64-linux-gnu/libgmp.so.10.2.0
7f966564f000-7f966584f000 ---p 00081000 103:03 266462                    /usr/lib/x86_64-linux-gnu/libgmp.so.10.2.0
7f966584f000-7f9665850000 r--p 00081000 103:03 266462                    /usr/lib/x86_64-linux-gnu/libgmp.so.10.2.0
7f9665850000-7f9665851000 rw-p 00082000 103:03 266462                    /usr/lib/x86_64-linux-gnu/libgmp.so.10.2.0
7f9665851000-7f9665885000 r-xp 00000000 103:03 279726                    /usr/lib/x86_64-linux-gnu/libjemalloc.so.1
7f9665885000-7f9665a85000 ---p 00034000 103:03 279726                    /usr/lib/x86_64-linux-gnu/libjemalloc.so.1
7f9665a85000-7f9665a87000 r--p 00034000 103:03 279726                    /usr/lib/x86_64-linux-gnu/libjemalloc.so.1
7f9665a87000-7f9665a88000 rw-p 00036000 103:03 279726                    /usr/lib/x86_64-linux-gnu/libjemalloc.so.1
7f9665a88000-7f9665a89000 rw-p 00000000 00:00 0
7f9665a89000-7f9665a90000 r-xp 00000000 103:03 786474                    /lib/x86_64-linux-gnu/librt-2.19.so
7f9665a90000-7f9665c8f000 ---p 00007000 103:03 786474                    /lib/x86_64-linux-gnu/librt-2.19.so
7f9665c8f000-7f9665c90000 r--p 00006000 103:03 786474                    /lib/x86_64-linux-gnu/librt-2.19.so
7f9665c90000-7f9665c91000 rw-p 00007000 103:03 786474                    /lib/x86_64-linux-gnu/librt-2.19.so
7f9665c91000-7f9665ca9000 r-xp 00000000 103:03 786451                    /lib/x86_64-linux-gnu/libpthread-2.19.so
7f9665ca9000-7f9665ea8000 ---p 00018000 103:03 786451                    /lib/x86_64-linux-gnu/libpthread-2.19.so
7f9665ea8000-7f9665ea9000 r--p 00017000 103:03 786451                    /lib/x86_64-linux-gnu/libpthread-2.19.so
7f9665ea9000-7f9665eaa000 rw-p 00018000 103:03 786451                    /lib/x86_64-linux-gnu/libpthread-2.19.so
7f9665eaa000-7f9665eae000 rw-p 00000000 00:00 0
7f9665eae000-7f9665ecf000 r-xp 00000000 103:03 786452                    /lib/x86_64-linux-gnu/ld-2.19.so
7f9665f2c000-7f96660b5000 r--p 00000000 103:03 283083                    /usr/lib/locale/locale-archive
7f96660b5000-7f96660bb000 rw-p 00000000 00:00 0
7f96660cb000-7f96660cc000 rw-p 00000000 00:00 0
7f96660cc000-7f96660ce000 rw-p 00000000 00:00 0
7f96660ce000-7f96660cf000 r--p 00020000 103:03 786452                    /lib/x86_64-linux-gnu/ld-2.19.so
7f96660cf000-7f96660d0000 rw-p 00021000 103:03 786452                    /lib/x86_64-linux-gnu/ld-2.19.so
7f96660d0000-7f96660d1000 rw-p 00000000 00:00 0
7fff921b5000-7fff929b4000 rw-p 00000000 00:00 0                          [stack]
7fff929f4000-7fff929f6000 r--p 00000000 00:00 0                          [vvar]
7fff929f6000-7fff929f8000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]


[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: https://www.ruby-lang.org/bugreport.html

Aborted
~~~


