From: "byroot (Jean Boussier) via ruby-core"
Date: 2025-07-01T06:38:47+00:00
Subject: [ruby-core:122635] [Ruby Bug#21461] Heap-buffer-overflow in Prism when encoding magic comment is invalid and assignment is incomplete

Issue #21461 has been updated by byroot (Jean Boussier).

Assignee set to prism

----------------------------------------
Bug #21461: Heap-buffer-overflow in Prism when encoding magic comment is invalid and assignment is incomplete
https://bugs.ruby-lang.org/issues/21461#change-113908

* Author: bendrissou (Bachir Bendrissou)
* Status: Open
* Assignee: prism
* ruby -v: 3.5.0
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------
### Description

An AddressSanitizer (ASan) heap-buffer-overflow occurs in Ruby when:

1. The file contains an invalid magic encoding comment, and
2. A line contains an incomplete assignment (e.g. missing right-hand side).

This leads to a crash in pm_parse_errors_format_sort, caused by prism_compile.c accessing a freed or uninitialized memory region.
### Input

```
# -*- coding: abc -*-
$a =
```

### Expected output

```
unknown or invalid encoding in the magic comment (ArgumentError)
```

### ASAN output

```
=================================================================
==719525==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300002af88 at pc 0x559137d4f16a bp 0x7ffd85551fe0 sp 0x7ffd85551fd0
WRITE of size 8 at 0x60300002af88 thread T0
    #0 0x559137d4f169 in pm_parse_errors_format_sort ../prism_compile.c:10620
    #1 0x559137d4f169 in pm_parse_errors_format ../prism_compile.c:10687
    #2 0x559137e08753 in pm_parse_process_error ../prism_compile.c:10999
    #3 0x559137e08753 in pm_parse_process ../prism_compile.c:11105
    #4 0x559137e7811d in pm_parse_file ../prism_compile.c:11391
    #5 0x559137960743 in prism_script ../ruby.c:2236
    #6 0x559137960743 in process_options ../ruby.c:2563
    #7 0x55913796228f in ruby_process_options ../ruby.c:3199
    #8 0x5591376a2406 in ruby_options ../eval.c:117
    #9 0x5591376937fe in rb_main ../main.c:42
    #10 0x5591376937fe in main ../main.c:62
    #11 0x7f69beed2082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #12 0x559137694dcd in _start (/home/program/build/ruby+0x15cdcd)

0x60300002af88 is located 0 bytes to the right of 24-byte region [0x60300002af70,0x60300002af88)
allocated by thread T0 here:
    #0 0x7f69bf427a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x5591377119bd in calloc1 ../gc/default/default.c:1490
    #2 0x5591377119bd in rb_gc_impl_calloc ../gc/default/default.c:8162
    #3 0x5591377119bd in ruby_xcalloc_body ../gc.c:5327

SUMMARY: AddressSanitizer: heap-buffer-overflow ../prism_compile.c:10620 in pm_parse_errors_format_sort
Shadow bytes around the buggy address:
  0x0c067fffd5a0: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x0c067fffd5b0: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fffd5c0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
  0x0c067fffd5d0: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c067fffd5e0: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00
=>0x0c067fffd5f0: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==719525==ABORTING
input.rb: [BUG] ASAN error
ruby 3.5.0dev (2025-06-11T18:07:43Z master 970813d982) +PRISM [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0001 p:0000 s:0003 E:000720 DUMMY  [FINISH]

-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 1

-- C level backtrace information -------------------------------------------
/lib/x86_64-linux-gnu/libasan.so.5(__interceptor_backtrace+0x40) [0x7f69bf386d40] ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:4022
/home/program/build/ruby(rb_print_backtrace+0x11) [0x559137fceda9] ../vm_dump.c:843
/home/program/build/ruby(rb_vm_bugreport) ../vm_dump.c:1175
/home/program/build/ruby(rb_bug_without_die_internal+0xc3) [0x559137efa4b6] ../error.c:1097
/home/program/build/ruby(rb_bug_without_die) ../error.c:1106
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf44fe58) [0x7f69bf44fe58]
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf43152c) [0x7f69bf43152c]
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf430fa3) [0x7f69bf430fa3]
/lib/x86_64-linux-gnu/libasan.so.5(0x7f69bf43238e) [0x7f69bf43238e]
/home/program/build/ruby(pm_parse_errors_format_sort+0x12) [0x559137d4f16a] ../prism_compile.c:10620
/home/program/build/ruby(pm_parse_errors_format) ../prism_compile.c:10687
/home/program/build/ruby(pm_parse_process_error+0x84) [0x559137e08754] ../prism_compile.c:10999
/home/program/build/ruby(pm_parse_process) ../prism_compile.c:11105
/home/program/build/ruby(rbimpl_intern_const+0x0) [0x559137e7811e] ../prism_compile.c:11391
/home/program/build/ruby(pm_parse_file) ../prism_compile.c:11396
/home/program/build/ruby(prism_script+0xa4) [0x559137960744] ../ruby.c:2236
/home/program/build/ruby(process_options) ../ruby.c:2563
/home/program/build/ruby(ruby_process_options+0x3f0) [0x559137962290] ../ruby.c:3199
/home/program/build/ruby(ruby_options+0x2a7) [0x5591376a2407] ../eval.c:117
/home/program/build/ruby(rb_main+0x19) [0x5591376937ff] ../main.c:42
/home/program/build/ruby(main) ../main.c:62
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0x7f69beed2083]
/home/program/build/ruby(_start) [0x559137694dce]

-- Other runtime information -----------------------------------------------

* Loaded script: input.rb

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 fiber.so
    3 rational.so
    4 complex.so
    5 ruby2_keywords.rb
    6 set.rb
```

### Environment

Ruby version: ruby 3.5.0dev (2025-06-11 commit 970813d982) +PRISM
Platform: x86_64-linux
Built from source
Parser backend: Prism (default)

-- 
https://bugs.ruby-lang.org/