Forum: Ruby-core segmentation fault/buffer overrun in pack.c (encodes)

unknown (Guest)
on 2014-08-04 12:42
(Received via mailing list)
Issue #10019 has been updated by Tomas Hoger.


This seems to be getting off-topic, so just a few quick notes:

* It seems -fstack-protector* (SSP) is what is referred to in the
previous comment, not FORTIFY_SOURCE.
* If there is encodes()'s buff[] overflow, it corrupts encodes()'s SSP
cookie, which is only checked on exit from encodes().  rb_str_buf_cat()
called from encodes() after overflow does not matter, as it may or may
not have its own SSP cookie, which is checked at its exit, and that's
not corrupted by buff[] overflow.  So the check leading to rb_bug() is
still expected to happen, as the corrupted SSP cookie is only checked
later.
* The first byte of the SSP cookie is expected to be '\0' on e.g. recent
Linux systems (https://sourceware.org/bugzilla/show_bug.cgi?id=10149).
Hence off-by-one overflow with '\0' would not be detected.

----------------------------------------
Bug #10019: segmentation fault/buffer overrun in pack.c (encodes)
https://bugs.ruby-lang.org/issues/10019#change-48187

* Author: Will Wood
* Status: Feedback
* Priority: Normal
* Assignee:
* Category: core
* Target version:
* ruby -v: ruby 2.1.2p168 (2014-07-06 revision 46721) [i386-mingw32]
* Backport: 2.0.0: REQUIRED, 2.1: DONE
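The three points in the comment above can be made concrete with a small simulation. The following C program is an added example, not code from the bug report or from Ruby's pack.c: it models an SSP-protected frame as a plain struct (a short buff[] immediately followed by the guard cookie) so the behaviour is deterministic rather than relying on a real, undefined stack overflow. frame_t, simulate_encodes(), callee_own_guard(), the cookie bytes and the "AAAAAAAAA" input are all constructed for the illustration; the only assumptions taken from the comment are the frame layout and glibc's rule (sourceware bug 10149) that the lowest-address byte of the guard is '\0'.

```c
/* Added simulation of SSP cookie checking; not Ruby code. All names and
 * values below are hypothetical, constructed for this illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFF_LEN   8   /* tiny stand-in for encodes()'s buff[] */
#define COOKIE_LEN 8

typedef struct {
    char          buff[BUFF_LEN];       /* the local array that overflows */
    unsigned char cookie[COOKIE_LEN];   /* SSP guard placed right after it (no padding: both have alignment 1) */
} frame_t;

/* Constructed cookie bytes; a real guard is random per process. */
static const unsigned char COOKIE_SEED[COOKIE_LEN] =
    { 0x9f, 0x3a, 0x7c, 0x51, 0xe2, 0xd4, 0xb6, 0xa8 };

/* leading_nul=1 mimics glibc on recent Linux (sourceware bug 10149):
 * the lowest-address byte of the guard is forced to '\0'. */
static void init_cookie(unsigned char out[COOKIE_LEN], int leading_nul)
{
    memcpy(out, COOKIE_SEED, COOKIE_LEN);
    if (leading_nul)
        out[0] = 0;
}

/* Stand-in for rb_str_buf_cat(): it has its own frame and its own cookie,
 * does only bounded work, so its exit-time SSP check always passes no matter
 * what happened in the caller's frame. Returns 1 if its cookie is intact. */
static int callee_own_guard(const char *src, size_t n)
{
    frame_t f;
    unsigned char expect[COOKIE_LEN];
    init_cookie(expect, 1);
    memcpy(f.cookie, expect, COOKIE_LEN);
    memcpy(f.buff, src, n < BUFF_LEN ? n : BUFF_LEN);   /* bounded copy */
    return memcmp(f.cookie, expect, COOKIE_LEN) == 0;    /* 0 would mean __stack_chk_fail */
}

typedef struct {
    int callee_check_ok;   /* result of the callee's own SSP check */
    int caller_check_ok;   /* result of the overflowing function's exit check */
} ssp_result;

/* Stand-in for encodes(): copies n input bytes into buff[] and then writes a
 * terminator byte, with no check that n + 1 <= BUFF_LEN. When n == BUFF_LEN
 * the terminator lands on cookie[0], the off-by-one case from the comment.
 * Writes are clamped to the modelled frame so the simulation itself stays
 * within defined behaviour (the frame is accessed through unsigned char *). */
static ssp_result simulate_encodes(const unsigned char *in, size_t n,
                                   unsigned char term, int leading_nul)
{
    frame_t f;
    unsigned char expect[COOKIE_LEN];
    unsigned char *raw = (unsigned char *)&f;   /* byte view of the whole frame */
    size_t i;
    ssp_result r;

    init_cookie(expect, leading_nul);
    memcpy(f.cookie, expect, COOKIE_LEN);
    memset(f.buff, 0, BUFF_LEN);

    for (i = 0; i < n && i < sizeof f; i++)
        raw[i] = in[i];
    if (i < sizeof f)
        raw[i] = term;                  /* the unchecked terminator write */

    /* Calling another SSP-protected function after the overflow proves
     * nothing: its check covers only its own cookie. */
    r.callee_check_ok = callee_own_guard(f.buff, BUFF_LEN);

    /* Only here, at "function exit", is this frame's cookie compared. */
    r.caller_check_ok = memcmp(f.cookie, expect, COOKIE_LEN) == 0;
    return r;
}

int main(void)
{
    static const unsigned char in[] = "AAAAAAAAA";   /* constructed input, 9 bytes */
    struct { const char *what; size_t n; unsigned char term; int nul; } cases[] = {
        { "in bounds, NUL terminator",               BUFF_LEN - 1, '\0', 1 },
        { "off-by-one NUL, cookie starts with NUL",  BUFF_LEN,     '\0', 1 },
        { "off-by-one NUL, cookie without NUL",      BUFF_LEN,     '\0', 0 },
        { "off-by-one newline, cookie starts NUL",   BUFF_LEN,     '\n', 1 },
        { "two bytes past buff[]",                   BUFF_LEN + 1, '\0', 1 },
    };
    size_t k;
    for (k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        ssp_result r = simulate_encodes(in, cases[k].n, cases[k].term, cases[k].nul);
        printf("%-42s callee check %s, caller exit check %s\n", cases[k].what,
               r.callee_check_ok ? "passes" : "FAILS",
               r.caller_check_ok ? "passes" : "FAILS");
    }
    return 0;
}
```

Running it shows the callee's check passing in every case, the caller's check failing for every overflow except one: an off-by-one write of '\0' onto a cookie whose first byte is already '\0' leaves the guard unchanged, so SSP cannot see it. That is exactly why a NUL terminator written one byte past a local buffer is the overflow -fstack-protector is least likely to catch.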