Forum: Ruby-core [ruby-trunk - Bug #7402][Open] Avoid calling methods on user objects from segfault handler

Posted by charliesome (Charlie Somerville) (Guest)
on 2012-11-19 10:34
(Received via mailing list)
Issue #7402 has been reported by charliesome (Charlie Somerville).

----------------------------------------
Bug #7402: Avoid calling methods on user objects from segfault handler
https://bugs.ruby-lang.org/issues/7402

Author: charliesome (Charlie Somerville)
Status: Open
Priority: Normal
Assignee:
Category:
Target version:
ruby -v: ruby 2.0.0dev (2012-11-19 trunk 37722) [x86_64-darwin11.4.0]


When the segfault handler is listing loaded features, it iterates 
through $LOADED_FEATURES and calls StringValueCStr() on each item. This 
in turn calls #to_str on the object.

If a #to_str method is defined on a non-T_STRING, it is possible to have 
code run during the segfault handler. If an exception is raised or a tag 
is thrown, it is possible to escape the segfault handler and recover 
from a segmentation fault.

I've attached a patch that checks if an item in $LOADED_FEATURES is a 
T_STRING, and calls rb_any_to_s() if not. This will avoid calling any 
methods which could potentially call back into Ruby-land.
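
As an added illustration that is not part of the report or of Ruby's own code: the C model below mirrors the logic of the described patch on a hypothetical stand-in for Ruby's tagged values (the `VALUE` struct, `T_STRING`/`T_OBJECT`, `feature_cstr_unsafe`, `feature_cstr_safe`, `list_features` and the constructed `sample_features` array are all assumptions made for this example). The "unsafe" listing behaves like `StringValueCStr()`, coercing a non-string through its user-supplied `#to_str`, which is exactly the re-entry into user code the report warns about; the "safe" listing only trusts real strings and formats an `rb_any_to_s()`-style placeholder for anything else, so no user method ever runs inside the handler.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Ruby's tagged VALUE: only the two cases the bug
 * report distinguishes, a real T_STRING and "anything else". */
enum value_type { T_STRING, T_OBJECT };

typedef struct value {
    enum value_type type;
    const char *str;                       /* valid only for T_STRING */
    const char *(*to_str)(struct value *); /* user-defined #to_str, T_OBJECT only */
} VALUE;

/* Counts how many times a user-defined #to_str ran; a crash handler must keep it at 0. */
static int user_to_str_calls = 0;

/* Models a user object whose #to_str runs arbitrary code. Here it only counts;
 * in Ruby it could raise or throw and unwind out of the segfault handler. */
static const char *user_to_str(VALUE *self) {
    (void)self;
    user_to_str_calls++;
    return "fake.rb";
}

/* Before the fix: StringValueCStr() semantics, coerces non-strings via #to_str. */
static const char *feature_cstr_unsafe(VALUE *v) {
    if (v->type == T_STRING) return v->str;
    return v->to_str(v);   /* re-enters user code inside the handler */
}

/* After the fix: only trust T_STRING; anything else gets an rb_any_to_s()-style
 * placeholder built from its address, calling no methods at all. */
static const char *feature_cstr_safe(VALUE *v, char *buf, size_t buflen) {
    if (v->type == T_STRING) return v->str;
    snprintf(buf, buflen, "#<Object:%p>", (void *)v);
    return buf;
}

/* Lists every feature the way the segfault handler does, one line each,
 * and returns how many times user #to_str code was executed. */
static int list_features(VALUE *features, size_t n, int safe, char *out, size_t outlen) {
    char tmp[64];
    size_t used = 0;
    user_to_str_calls = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        const char *s = safe ? feature_cstr_safe(&features[i], tmp, sizeof tmp)
                             : feature_cstr_unsafe(&features[i]);
        int w = snprintf(out + used, outlen - used, "%zu: %s\n", i, s);
        if (w < 0 || (size_t)w >= outlen - used) break;
        used += (size_t)w;
    }
    return user_to_str_calls;
}

/* Constructed sample of $LOADED_FEATURES: two real strings and one user object
 * that defines #to_str. */
static VALUE sample_features[3] = {
    { T_STRING, "enumerator.so", NULL },
    { T_STRING, "/usr/lib/ruby/2.0.0/thread.rb", NULL },
    { T_OBJECT, NULL, user_to_str },
};

/* Helpers for checking the two listing modes on the sample. */
static int to_str_calls_when_listing(int safe) {
    char out[256];
    return list_features(sample_features, 3, safe, out, sizeof out);
}

static int listing_mentions(int safe, const char *needle) {
    char out[256];
    list_features(sample_features, 3, safe, out, sizeof out);
    return strstr(out, needle) != NULL;
}

int main(void) {
    char out[256];
    int calls = list_features(sample_features, 3, 0, out, sizeof out);
    printf("unsafe listing ran user #to_str %d time(s):\n%s", calls, out);
    calls = list_features(sample_features, 3, 1, out, sizeof out);
    printf("safe listing ran user #to_str %d time(s):\n%s", calls, out);
    return 0;
}
```

The safe path still formats text, just as the real handler prints its report; what changes is that the type check decides the output without dispatching to any method a user object could have defined, so nothing can raise, throw, or otherwise unwind out of the handler.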

Posted by mame (Yusuke Endoh) (Guest)
on 2012-11-24 10:24
(Received via mailing list)
Issue #7402 has been updated by mame (Yusuke Endoh).

Status changed from Open to Assigned
Assignee set to ko1 (Koichi Sasada)
Target version set to 2.0.0


----------------------------------------
Bug #7402: Avoid calling methods on user objects from segfault handler
https://bugs.ruby-lang.org/issues/7402#change-33807

Author: charliesome (Charlie Somerville)
Status: Assigned
Priority: Normal
Assignee: ko1 (Koichi Sasada)
Category:
Target version: 2.0.0
ruby -v: ruby 2.0.0dev (2012-11-19 trunk 37722) [x86_64-darwin11.4.0]


Posted by ko1 (Koichi Sasada) (Guest)
on 2012-11-26 02:01
(Received via mailing list)
Issue #7402 has been updated by ko1 (Koichi Sasada).

Assignee changed from ko1 (Koichi Sasada) to nobu (Nobuyoshi Nakada)

nobu, could you check it?

----------------------------------------
Bug #7402: Avoid calling methods on user objects from segfault handler
https://bugs.ruby-lang.org/issues/7402#change-33926

Author: charliesome (Charlie Somerville)
Status: Assigned
Priority: Normal
Assignee: nobu (Nobuyoshi Nakada)
Category:
Target version: 2.0.0
ruby -v: ruby 2.0.0dev (2012-11-19 trunk 37722) [x86_64-darwin11.4.0]


Posted by naruse (Yui NARUSE) (Guest)
on 2012-12-12 09:37
(Received via mailing list)
Issue #7402 has been updated by naruse (Yui NARUSE).

Status changed from Assigned to Closed

r38335 fixed the testing issue: it generates a garbage core file.
----------------------------------------
Backport #7402: Avoid calling methods on user objects from segfault handler
https://bugs.ruby-lang.org/issues/7402#change-34653

Author: charliesome (Charlie Somerville)
Status: Closed
Priority: Normal
Assignee: usa (Usaku NAKAMURA)
Category:
Target version:

