Issue #14099 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Open to Feedback

I tried this example with the current master branch using OpenBSD's use-after-free checking (with Clang 7), and it raised a SystemStackError (as expected due to the infinite recursion), but it didn't crash.  Can you replicate the use-after-free issue with the current master branch?

----------------------------------------
Bug #14099: heap-use-after-free (WRITE of size 8) in rb_obj_write (include/ruby/ruby.h:1484)
https://bugs.ruby-lang.org/issues/14099#change-78818

* Author: geeknik (Brian Carpenter)
* Status: Feedback
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN
----------------------------------------
The following script triggers a heap-use-after-free in 3527c86. I compiled it with Clang 6.0.0-trunk and -fsanitize=address. Note, on my Ubuntu machine, this bug is only triggered with the miniruby binary.

~~~ ruby
def a
    yield
    rescue *nil
    ensure
    x y = a { return }
end

a { foo a }

~~~


~~~
==28587==ERROR: AddressSanitizer: heap-use-after-free on address 0x632000028ff8 at pc 0x557a70983d4d bp 0x7ffd95f19720 sp 0x7ffd95f19718
WRITE of size 8 at 0x632000028ff8 thread T0
    #0 0x557a70983d4c in rb_obj_write /root/ruby/./include/ruby/ruby.h:1484:11
    #1 0x557a70983d4c in rb_ary_push /root/ruby/array.c:929
    #2 0x557a715d4b7d in backtrace_collect /root/ruby/vm_backtrace.c:542:2
    #3 0x557a715c8df7 in backtrace_to_str_ary /root/ruby/vm_backtrace.c:571:9
    #4 0x557a715c8983 in rb_backtrace_to_str_ary /root/ruby/vm_backtrace.c:583:15
    #5 0x557a70bfe68a in exc_backtrace /root/ruby/error.c:1005:8
    #6 0x557a70bfe68a in rb_get_backtrace /root/ruby/error.c:1022
    #7 0x557a70c17f84 in rb_ec_error_print /root/ruby/./eval_error.c:179:10
    #8 0x557a70c1d3cd in error_handle /root/ruby/./eval_error.c
    #9 0x557a70c1fdaa in ruby_cleanup /root/ruby/eval.c:198:13
    #10 0x557a7097cb12 in main /root/ruby/./main.c:42:9
    #11 0x7f36e44c63f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)
    #12 0x557a708ad6d9 in _start (/root/ruby/miniruby+0x5206d9)

0x632000028ff8 is located 67576 bytes inside of 89672-byte region [0x632000018800,0x63200002e648)
freed by thread T0 here:
    #0 0x557a70950a52 in __interceptor_free (/root/ruby/miniruby+0x5c3a52)
    #1 0x557a70c725f9 in objspace_xfree /root/ruby/gc.c:7983:5
    #2 0x557a70c725f9 in ruby_sized_xfree /root/ruby/gc.c:8078
    #3 0x557a70c725f9 in ruby_xfree /root/ruby/gc.c:8085
    #4 0x557a70cca816 in obj_free /root/ruby/gc.c:2237:2
    #5 0x557a70cc3670 in gc_page_sweep /root/ruby/gc.c:3532:10
    #6 0x557a70cc3670 in gc_sweep_step /root/ruby/gc.c:3701
    #7 0x557a70cb80ef in gc_sweep_continue /root/ruby/gc.c:3768:5
    #8 0x557a70cb80ef in heap_prepare /root/ruby/gc.c:1742
    #9 0x557a70cb80ef in heap_get_freeobj_from_next_freepage /root/ruby/gc.c:1765
    #10 0x557a70cb80ef in heap_get_freeobj /root/ruby/gc.c:1799
    #11 0x557a70cb80ef in newobj_slowpath /root/ruby/gc.c:1926
    #12 0x557a70cb749e in newobj_slowpath_wb_protected /root/ruby/gc.c:1938:12
    #13 0x557a712b8ba8 in str_alloc /root/ruby/string.c:691:5
    #14 0x557a712b8ba8 in rb_str_buf_new /root/ruby/string.c:1284
    #15 0x557a71266912 in rb_enc_vsprintf /root/ruby/sprintf.c:1409:14
    #16 0x557a71265d77 in rb_enc_sprintf /root/ruby/sprintf.c:1439:14
    #17 0x557a715d5dba in location_format /root/ruby/vm_backtrace.c:295:15
    #18 0x557a715d5dba in location_to_str /root/ruby/vm_backtrace.c:344
    #19 0x557a715d4b71 in backtrace_collect /root/ruby/vm_backtrace.c:542:21
    #20 0x557a715c8df7 in backtrace_to_str_ary /root/ruby/vm_backtrace.c:571:9
    #21 0x557a715c8983 in rb_backtrace_to_str_ary /root/ruby/vm_backtrace.c:583:15
    #22 0x557a70bfe68a in exc_backtrace /root/ruby/error.c:1005:8
    #23 0x557a70bfe68a in rb_get_backtrace /root/ruby/error.c:1022
    #24 0x557a70c17f84 in rb_ec_error_print /root/ruby/./eval_error.c:179:10
    #25 0x557a70c1d3cd in error_handle /root/ruby/./eval_error.c
    #26 0x557a70c1fdaa in ruby_cleanup /root/ruby/eval.c:198:13
    #27 0x557a7097cb12 in main /root/ruby/./main.c:42:9
    #28 0x7f36e44c63f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)

previously allocated by thread T0 here:
    #0 0x557a709511a2 in realloc (/root/ruby/miniruby+0x5c41a2)
    #1 0x557a70ca44b4 in objspace_xrealloc /root/ruby/gc.c:7961:5
    #2 0x557a70986e50 in ary_resize_capa /root/ruby/array.c:219:6
    #3 0x557a70984750 in ary_ensure_room_for_push /root/ruby/array.c
    #4 0x557a709839a7 in rb_ary_push /root/ruby/array.c:928:24
    #5 0x557a715d4b7d in backtrace_collect /root/ruby/vm_backtrace.c:542:2
    #6 0x557a715c8df7 in backtrace_to_str_ary /root/ruby/vm_backtrace.c:571:9
    #7 0x557a715c8983 in rb_backtrace_to_str_ary /root/ruby/vm_backtrace.c:583:15
    #8 0x557a70bfe68a in exc_backtrace /root/ruby/error.c:1005:8
    #9 0x557a70bfe68a in rb_get_backtrace /root/ruby/error.c:1022
    #10 0x557a70c17f84 in rb_ec_error_print /root/ruby/./eval_error.c:179:10
    #11 0x557a70c1d3cd in error_handle /root/ruby/./eval_error.c
    #12 0x557a70c1fdaa in ruby_cleanup /root/ruby/eval.c:198:13
    #13 0x557a7097cb12 in main /root/ruby/./main.c:42:9
    #14 0x7f36e44c63f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)

SUMMARY: AddressSanitizer: heap-use-after-free /root/ruby/./include/ruby/ruby.h:1484:11 in rb_obj_write
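The three stacks in an ASan heap-use-after-free report (the faulting access, the free, and the original allocation) are read together: the function that appears on both the faulting stack and the freeing stack is the one that was still running when the region was reclaimed, and the frame just below it on the freeing stack is the nested call that triggered the reclamation. The following Ruby script is an added triage example, not code from the Ruby project or from this bug report; it parses a report into that structure, checks that the stated offset agrees with the region bounds, and answers those questions for the report above. `SAMPLE_REPORT` is the issue's own report with each stack abbreviated to the frames that matter (frame numbers kept as printed); the function and hash key names are this example's own.

```ruby
# Added triage helper (not part of CRuby or of the original bug report).
# Parses an AddressSanitizer heap-use-after-free report into its three stacks
# and summarises where the free happened relative to the faulting access.
# SAMPLE_REPORT is the report from this issue, with stacks abbreviated.

SAMPLE_REPORT = <<~'ASAN'
  ==28587==ERROR: AddressSanitizer: heap-use-after-free on address 0x632000028ff8 at pc 0x557a70983d4d bp 0x7ffd95f19720 sp 0x7ffd95f19718
  WRITE of size 8 at 0x632000028ff8 thread T0
      #0 0x557a70983d4c in rb_obj_write /root/ruby/./include/ruby/ruby.h:1484:11
      #1 0x557a70983d4c in rb_ary_push /root/ruby/array.c:929
      #2 0x557a715d4b7d in backtrace_collect /root/ruby/vm_backtrace.c:542:2
      #3 0x557a715c8df7 in backtrace_to_str_ary /root/ruby/vm_backtrace.c:571:9

  0x632000028ff8 is located 67576 bytes inside of 89672-byte region [0x632000018800,0x63200002e648)
  freed by thread T0 here:
      #0 0x557a70950a52 in __interceptor_free (/root/ruby/miniruby+0x5c3a52)
      #1 0x557a70c725f9 in objspace_xfree /root/ruby/gc.c:7983:5
      #4 0x557a70cca816 in obj_free /root/ruby/gc.c:2237:2
      #5 0x557a70cc3670 in gc_page_sweep /root/ruby/gc.c:3532:10
      #13 0x557a712b8ba8 in str_alloc /root/ruby/string.c:691:5
      #18 0x557a715d5dba in location_to_str /root/ruby/vm_backtrace.c:344
      #19 0x557a715d4b71 in backtrace_collect /root/ruby/vm_backtrace.c:542:21
      #20 0x557a715c8df7 in backtrace_to_str_ary /root/ruby/vm_backtrace.c:571:9

  previously allocated by thread T0 here:
      #0 0x557a709511a2 in realloc (/root/ruby/miniruby+0x5c41a2)
      #1 0x557a70ca44b4 in objspace_xrealloc /root/ruby/gc.c:7961:5
      #2 0x557a70986e50 in ary_resize_capa /root/ruby/array.c:219:6
      #4 0x557a709839a7 in rb_ary_push /root/ruby/array.c:928:24
      #5 0x557a715d4b7d in backtrace_collect /root/ruby/vm_backtrace.c:542:2

  SUMMARY: AddressSanitizer: heap-use-after-free /root/ruby/./include/ruby/ruby.h:1484:11 in rb_obj_write
ASAN

Frame = Struct.new(:index, :pc, :func, :location)

HEADER_RE = /ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)/
ACCESS_RE = /\A(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)/
REGION_RE = /is located (\d+) bytes inside of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)/
FRAME_RE  = /\A\s*#(\d+)\s+(0x[0-9a-f]+)\s+in\s+(\S+)\s+(\S+)/
# Allocator entry points and CRuby's thin wrappers around them (hypothetical
# pattern, tuned to the names in this report): skipped when naming the
# allocation site, so that the first "real" caller is reported instead.
ALLOCATOR_RE = /(?:\A|_)x?(?:re|m)?alloc\z/

# Parse a report into { kind:, address:, access:, size:, thread:, offset:,
# region_size:, region: [lo, hi], stacks: { access:, freed:, allocated: } }.
def parse_asan_report(text)
  report = { stacks: {} }
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    if (m = HEADER_RE.match(line))
      report[:kind], report[:address] = m[1], m[2]
    elsif (m = ACCESS_RE.match(line))
      report[:access], report[:size], report[:thread] = m[1], m[2].to_i, m[4]
      current = :access
    elsif (m = REGION_RE.match(line))
      report[:offset], report[:region_size] = m[1].to_i, m[2].to_i
      report[:region] = [m[3], m[4]]
    elsif line.start_with?("freed by")
      current = :freed
    elsif line.start_with?("previously allocated by")
      current = :allocated
    elsif current && (m = FRAME_RE.match(line))
      (report[:stacks][current] ||= []) << Frame.new(m[1].to_i, m[2], m[3], m[4])
    end
  end
  report
end

# True when the printed offset and region size agree with the region bounds;
# a mismatch usually means the report was truncated or mangled in transit.
def offset_consistent?(report)
  lo, hi = report[:region]
  return false unless lo && hi
  report[:address].hex - lo.hex == report[:offset] &&
    hi.hex - lo.hex == report[:region_size]
end

# Innermost faulting-stack function that is also on the freeing stack (the
# region was freed while it was still running), plus the callee it was
# inside at the time, the faulting function and the allocation site.
def triage(report)
  access = report[:stacks].fetch(:access)
  freed  = report[:stacks].fetch(:freed)
  alloc  = report[:stacks].fetch(:allocated)
  freed_funcs = freed.map(&:func)
  shared = access.find { |f| freed_funcs.include?(f.func) }
  idx = shared && freed_funcs.index(shared.func)
  nested = idx && idx > 0 ? freed[idx - 1] : nil
  {
    kind: report[:kind], access: report[:access], size: report[:size],
    faulting_func: access.first.func,
    freed_during: shared&.func,
    freeing_call: nested&.func,
    alloc_site: alloc.find { |f| f.func !~ ALLOCATOR_RE }&.func,
    offset_consistent: offset_consistent?(report),
  }
end

p triage(parse_asan_report(SAMPLE_REPORT)) if __FILE__ == $0
```

Run against the report above, `triage` reports the write landing in `rb_obj_write`, the region freed during `backtrace_collect` while it was inside `location_to_str` (the string allocation that let the sweeper run), and the buffer originally grown in `ary_resize_capa`: the array being filled was reclaimed by a collection triggered from inside the loop that was filling it, which is the shape of bug to look for in the fix.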

-- 
https://bugs.ruby-lang.org/