Issue #16151 has been updated by alanwu (Alan Wu).


My reading is that `STR_NOFREE` exists solely for strings that point to C string literals. It exists to prevent `free("literal")` which is UB.
There are checks for `STR_NOFREE` everywhere buffers are freed in case a static string shows up.
For heap allocated buffers, someone will eventually have to free them, so setting `STR_NOFREE` on strings with heap buffers surely leads to a leak.

The only way to find out whether a string is a shared root is by traversing the entire heap. This is problematic for the call
to `str_replace_shared_without_enc` in `rb_fstring` as it doesn't have enough information to decide whether to free a string or not. Not freeing anything,
like we did before #15916, leads to leaks. Freeing with limited information leads to use-after-free situations.

The semantics for `STR_IS_SHARED_M` is a bit weird to me too. I think it's a mechanism for detecting whether it's safe to free a shared root.
When `rb_str_tmp_frozen_acquire` returns a shared root, the root has `STR_IS_SHARED_M` set in all situations where it's unsafe for `rb_str_tmp_frozen_release`
to recycle the root. It's not quite "a root that has multiple dependants" since you could have a root that only has one dependant, but has
`STR_IS_SHARED_M` set anyways. This could happen through this code path: https://github.com/ruby/ruby/blob/e9bc8b35c6c860e227627e3b0aab86b4f51c59af/string.c#L1291

When `rb_str_tmp_frozen_release` detects that it's safe to recycle a shared root, it undos the sharing. This is done by basically doing the reverse
of https://github.com/ruby/ruby/blob/e9bc8b35c6c860e227627e3b0aab86b4f51c59af/string.c#L1303-L1312. I think this is why `STR_NOFREE` is involved there.

My hunch is that there are ways to simplify away `STR_IS_SHARED_M` without compromising on performance. It feels unnecessarily complicated to me.
Luckily `STR_IS_SHARED_M` doesn't come in to play for Strings one could easily create in Ruby land...

I agree that there should be more documentation around the String's internal states and invariants. It would also be great if we could also rename some
struct members and variables. For example, `STR_SHARED`'s name is particularly unintuitive to me. A shared root is "shared", but it should not have `STR_SHARED` set.


----------------------------------------
Bug #16151: [PATCH] Fix a class of fstring related use-after-free
https://bugs.ruby-lang.org/issues/16151#change-81457

* Author: alanwu (Alan Wu)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: ruby 2.7.0dev (2019-09-07T18:26:35Z master e9bc8b35c6) [x86_64-linux]
* Backport: 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
Pull request: https://github.com/ruby/ruby/pull/2435

## The bug

Run the following against master(e9bc8b3) to observe use-after-free:

```ruby
-('a' * 30).force_encoding(Encoding::ASCII)
a = ('a' * 30).force_encoding(Encoding::ASCII).taint

t = Thread.new{}
t.name = a
eval('', binding, t.name)
p a
```

```ruby
-('a' * 30).force_encoding(Encoding::ASCII)
a = ('a' * 30).force_encoding(Encoding::ASCII).taint

require 'ripper'
ripper = Ripper.new("", a)
eval('', binding, ripper.filename)
p a
```

There may be other cases in the standard library or in the wild.

## Background

When a string has both `STR_NOEMBED` and `STR_SHARED` set, it relies on a
different string for its buffer. I will refer to strings that are depended upon
as "shared roots". Shared roots are frozen and have the `STR_SHARED` unset.
This is a bit unintuitive to me. A name for `STR_SHARED` that makes more sense
to me would be `STR_BUFFER_ELSEWHERE`.

## What went wrong

It is not safe to free the buffer of a shared root while it has dependants. The
root and its dependants use the same buffer. As such, it is only safe to free
the shared buffer when all users are unreachable on the heap.

## The Fix

`rb_fstring` has a code path that frees and replaces the buffer of its input.
Using this code path on the shared root of dependant strings sets up
use-after-free. This patch removes the problematic code path as no tests
require said buffer replacement functionality. Additionally, there has been
three other issues that steam from this particular code path. See #15926,
#15916 and #16136

---

I used @mame's commit in #16136 as the starting point for this investigation.
Thank you!



-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>