Forum: Ruby-core [ruby-trunk - Bug #9157][Open] rb_readlink() calls rb_str_modify_expand() too early

nowacki (Maciek Nowacki) (Guest)
on 2013-11-26 07:13
(Received via mailing list)
Issue #9157 has been reported by nowacki (Maciek Nowacki).

----------------------------------------
Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157

Author: nowacki (Maciek Nowacki)
Status: Open
Priority: Normal
Assignee:
Category: core
Target version: current: 2.1.0
ruby -v: ruby 2.0.0p353 (2013-11-22) [x86_64-linux]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


If rb_readlink() (file.c) is called on a long symlink, Ruby tends to
crash. This is present in -trunk. The problem is that the
rb_str_modify_expand() statement is incorrectly placed before the
statement 'size*=2'. Here is a patch:

--- -  2013-11-25 22:10:59.694183795 -0700
+++ file.c  2013-11-25 22:10:03.076352889 -0700
@@ -2529,8 +2529,8 @@
      || (rv < 0 && errno == ERANGE) /* quirky behavior of GPFS */
#endif
  ) {
-  rb_str_modify_expand(v, size);
  size *= 2;
+  rb_str_modify_expand(v, size);
   }
   if (rv < 0) {
  rb_str_resize(v, 0);
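Review bot: the reorder at `-  rb_str_modify_expand(v, size);` / `+  rb_str_modify_expand(v, size);` changes how much the buffer grows, not whether its length is right. rb_str_modify_expand() takes the extra capacity to add rather than a total, so the original order already doubled the buffer (adding `size` on top of `size`), and the moved call now asks for 2*size more on every iteration, which over-allocates while leaving the actual cause untouched. As the committed fix later notes ("need to set the length properly for each expansion"), the loop has to set the string's length to match what readlink() wrote on each retry; suggest updating the length after each expansion instead of moving this call.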
Alex Antonov (asiniy)
on 2013-11-26 07:19
(Received via mailing list)
unsubscribe
Nobuyoshi Nakada (nobu)
on 2013-11-26 08:32
(Received via mailing list)
Issue #9157 has been updated by nobu (Nobuyoshi Nakada).

Backport changed from 1.9.3: UNKNOWN, 2.0.0: UNKNOWN to 1.9.3: DONTNEED,
2.0.0: REQUIRED


----------------------------------------
Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157#change-43167

Author: nowacki (Maciek Nowacki)
Status: Closed
Priority: Normal
Assignee:
Category: core
Target version: current: 2.1.0
ruby -v: ruby 2.0.0p353 (2013-11-22) [x86_64-linux]
Backport: 1.9.3: DONTNEED, 2.0.0: REQUIRED


nowacki (Maciek Nowacki) (Guest)
on 2013-11-26 22:04
(Received via mailing list)
Issue #9157 has been updated by nowacki (Maciek Nowacki).


nobu (Nobuyoshi Nakada) wrote:
> This issue was solved with changeset r43853.
Ah, I didn't realize that rb_str_modify_expand() takes a difference as
its argument, not the total buffer length. This works because the
function doubles the buffer size, which is the same as adding as much
buffer capacity as is already present (size before *=2). My proposed fix
simply made the problem less obvious. Interesting.

>   need to set the length properly for each expansion.
>   [ruby-core:58592] [Bug #9157]


----------------------------------------
Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157#change-43179

Author: nowacki (Maciek Nowacki)
Status: Closed
Priority: Normal
Assignee:
Category: core
Target version: current: 2.1.0
ruby -v: ruby 2.0.0p353 (2013-11-22) [x86_64-linux]
Backport: 1.9.3: DONTNEED, 2.0.0: REQUIRED


vpereira (Victor Pereira) (Guest)
on 2013-11-27 18:10
(Received via mailing list)
Issue #9157 has been updated by vpereira (Victor Pereira).


Does it deserve a CVE?
----------------------------------------
Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157#change-43214

Author: nowacki (Maciek Nowacki)
Status: Closed
Priority: Normal
Assignee:
Category: core
Target version: current: 2.1.0
ruby -v: ruby 2.0.0p353 (2013-11-22) [x86_64-linux]
Backport: 1.9.3: DONTNEED, 2.0.0: REQUIRED


Nobuyoshi Nakada (nobu)
on 2013-11-30 00:57
(Received via mailing list)
Issue #9157 has been updated by nobu (Nobuyoshi Nakada).


No, just a usual bug which aborts by local filesystem access.
----------------------------------------
Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157#change-43271

Author: nowacki (Maciek Nowacki)
Status: Closed
Priority: Normal
Assignee:
Category: core
Target version: current: 2.1.0
ruby -v: ruby 2.0.0p353 (2013-11-22) [x86_64-linux]
Backport: 1.9.3: DONTNEED, 2.0.0: REQUIRED


nagachika (Tomoyuki Chikanaga) (Guest)
on 2013-12-02 15:08
(Received via mailing list)
Issue #9157 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 1.9.3: DONTNEED, 2.0.0: REQUIRED to 1.9.3:
DONTNEED, 2.0.0: DONE

r43853 was backported to ruby_2_0_0 branch at r43959.
----------------------------------------
Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157#change-43363

Author: nowacki (Maciek Nowacki)
Status: Closed
Priority: Normal
Assignee:
Category: core
Target version: current: 2.1.0
ruby -v: ruby 2.0.0p353 (2013-11-22) [x86_64-linux]
Backport: 1.9.3: DONTNEED, 2.0.0: DONE

