ruby/ruby-3.1.0-Fix-stack-buffer...

From cc44179cb8419b0e48ef9baa6f1722603643c1a0 Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Tue, 17 Aug 2021 22:01:57 +0900
Subject: [PATCH] Fix stack buffer overflow

https://hackerone.com/reports/1306859
---
 include/ruby/internal/memory.h | 6 +++---
 random.c                       | 7 ++-----
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/include/ruby/internal/memory.h b/include/ruby/internal/memory.h
index 7d24df4945..64f3101fc2 100644
--- a/include/ruby/internal/memory.h
+++ b/include/ruby/internal/memory.h
@@ -110,18 +110,18 @@ extern void *alloca();
     ((var) = RBIMPL_CAST((type *)ruby_xrealloc2((void *)(var), (n), sizeof(type))))
 
 #define ALLOCA_N(type,n) \
-    RBIMPL_CAST((type *)alloca(rbimpl_size_mul_or_raise(sizeof(type), (n))))
+    RBIMPL_CAST((type *)(!(n) ? NULL : alloca(rbimpl_size_mul_or_raise(sizeof(type), (n)))))
 
 /* allocates _n_ bytes temporary buffer and stores VALUE including it
  * in _v_.  _n_ may be evaluated twice. */
 #define RB_ALLOCV(v, n)        \
     ((n) < RUBY_ALLOCV_LIMIT ? \
-     ((v) = 0, alloca(n)) :    \
+     ((v) = 0, !(n) ? NULL : alloca(n)) : \
      rb_alloc_tmp_buffer(&(v), (n)))
 #define RB_ALLOCV_N(type, v, n)                             \
     RBIMPL_CAST((type *)                                     \
         (((size_t)(n) < RUBY_ALLOCV_LIMIT / sizeof(type)) ? \
-         ((v) = 0, alloca((n) * sizeof(type))) :            \
+         ((v) = 0, !(n) ? NULL : alloca((n) * sizeof(type))) : \
          rb_alloc_tmp_buffer2(&(v), (n), sizeof(type))))
 #define RB_ALLOCV_END(v) rb_free_tmp_buffer(&(v))
 
diff --git a/random.c b/random.c
index 7567d13dd7..4d70c17116 100644
--- a/random.c
+++ b/random.c
@@ -369,15 +369,12 @@ rand_init(const rb_random_interface_t *rng, rb_random_t *rnd, VALUE seed)
     int sign;
 
     len = rb_absint_numwords(seed, 32, NULL);
+    if (len == 0) len = 1;
     buf = ALLOCV_N(uint32_t, buf0, len);
     sign = rb_integer_pack(seed, buf, len, sizeof(uint32_t), 0,
         INTEGER_PACK_LSWORD_FIRST|INTEGER_PACK_NATIVE_BYTE_ORDER);
     if (sign < 0)
         sign = -sign;
-    if (len == 0) {
-        buf[0] = 0;
-        len = 1;
-    }
     if (len > 1) {
         if (sign != 2 && buf[len-1] == 1) /* remove leading-zero-guard */
             len--;
@@ -814,7 +811,7 @@ rand_mt_init(rb_random_t *rnd, const uint32_t *buf, size_t len)
 {
     struct MT *mt = &((rb_random_mt_t *)rnd)->mt;
     if (len <= 1) {
-        init_genrand(mt, buf[0]);
+        init_genrand(mt, len ? buf[0] : 0);
     }
     else {
         init_by_array(mt, buf, (int)len);
-- 
2.34.1
Fix segfault in `TestArray#test_sample` on s390x. ~~~ ... snip ... [ 3104/21226] TestArray#test_sample/builddir/build/BUILD/ruby-3.0.3/test/ruby/test_array.rb:2871: [BUG] Segmentation fault at 0x00000000c04fb000 ruby 3.0.3p157 (2021-11-24 revision 3fb7d2cadc) [s390x-linux] -- Control frame information ----------------------------------------------- c:0031 p:---- s:0176 e:000175 CFUNC :srand c:0030 p:0011 s:0171 e:000170 METHOD /builddir/build/BUILD/ruby-3.0.3/test/ruby/test_array.rb:2871 c:0029 p:0052 s:0165 e:000164 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1283 c:0028 p:0065 s:0159 e:000158 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1330 c:0027 p:0013 s:0150 e:000149 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit/testcase.rb:18 c:0026 p:0077 s:0145 e:000144 BLOCK /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:979 [FINISH] c:0025 p:---- s:0138 e:000137 CFUNC :map c:0024 p:0006 s:0134 E:0012c8 BLOCK /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:972 c:0023 p:0186 s:0130 E:000ba0 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:999 c:0022 p:0042 s:0118 E:000888 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1136 c:0021 p:0010 s:0111 E:0007a0 BLOCK /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:627 [FINISH] c:0020 p:---- s:0105 e:000104 CFUNC :each c:0019 p:0054 s:0101 E:001588 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:625 c:0018 p:0008 s:0094 E:001eb8 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:662 c:0017 p:0140 s:0087 E:0011a8 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:908 c:0016 p:0016 s:0074 E:001ca8 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1073 c:0015 p:0005 s:0069 E:000710 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1147 c:0014 p:0006 s:0065 E:000438 BLOCK /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1134 [FINISH] c:0013 p:---- s:0061 e:000060 CFUNC :each c:0012 p:0047 s:0057 E:0022b8 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1133 c:0011 p:0013 s:0052 E:000288 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1121 c:0010 p:0008 s:0047 E:000c70 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:847 c:0009 p:0008 s:0041 E:0008d0 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:695 c:0008 p:0015 s:0035 E:001f08 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:34 c:0007 p:0006 s:0030 E:0003c8 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1175 c:0006 p:0032 s:0025 E:000e80 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1245 c:0005 p:0009 s:0021 E:0018b8 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1249 c:0004 p:0172 s:0016 E:0001b8 TOP /builddir/build/BUILD/ruby-3.0.3/tool/test/runner.rb:23 [FINISH] c:0003 p:---- s:0011 e:000010 CFUNC :require_relative c:0002 p:0092 s:0006 E:001bf0 EVAL ./test/runner.rb:11 [FINISH] c:0001 p:0000 s:0003 E:0004f0 (none) [FINISH] -- Ruby level backtrace information ---------------------------------------- ./test/runner.rb:11:in `<main>' ./test/runner.rb:11:in `require_relative' /builddir/build/BUILD/ruby-3.0.3/tool/test/runner.rb:23:in `<top (required)>' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1249:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1245:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1175:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:34:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:695:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:847:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1121:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1133:in `_run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1133:in `each' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1134:in `block in _run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1147:in `run_tests' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1073:in `_run_anything' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:908:in `_run_anything' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:662:in `_run_suites' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:625:in `_run_suites' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:625:in `each' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:627:in `block in _run_suites' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1136:in `_run_suite' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:999:in `_run_suite' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:972:in `block in _run_suite' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:972:in `map' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:979:in `block (2 levels) in _run_suite' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit/testcase.rb:18:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1330:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1283:in `run_test' /builddir/build/BUILD/ruby-3.0.3/test/ruby/test_array.rb:2871:in `test_sample' /builddir/build/BUILD/ruby-3.0.3/test/ruby/test_array.rb:2871:in `srand' -- C level backtrace information ------------------------------------------- /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_print_backtrace+0x1c) [0x3ffab964c5c] vm_dump.c:758 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_vm_bugreport.constprop.0+0x4ba) [0x3ffab977f0a] vm_dump.c:998 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_bug_for_fatal_signal+0xb2) [0x3ffab7b2252] error.c:786 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(sigsegv+0x58) [0x3ffab8d2fb8] signal.c:963 [0x3ffabb7e490] /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_free_tmp_buffer+0x4) [0x3ffab7d1114] gc.c:11047 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rand_init+0x122) [0x3ffab896892] random.c:387 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_f_srand+0x6e) [0x3ffab8975fe] random.c:873 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_call_cfunc_with_frame+0x170) [0x3ffab9421f0] vm_insnhelper.c:2931 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_sendish+0x53a) [0x3ffab94659a] vm_insnhelper.c:4532 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_exec_core.lto_priv.0+0xe6) [0x3ffab947d16] insns.def:789 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_vm_exec+0x1ee) [0x3ffab96129e] vm.c:2172 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_yield+0xaa) [0x3ffab951a6a] vm.c:1398 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_ary_collect.lto_priv.0+0x6a) [0x3ffab742d6a] array.c:3635 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_call_cfunc_with_frame+0x170) [0x3ffab9421f0] vm_insnhelper.c:2931 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_sendish+0x53a) [0x3ffab94659a] vm_insnhelper.c:4532 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_exec_core.lto_priv.0+0x21c0) [0x3ffab949df0] insns.def:770 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_vm_exec+0x1ee) [0x3ffab96129e] vm.c:2172 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_yield+0xaa) [0x3ffab951a6a] vm.c:1398 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_ary_each+0x4c) [0x3ffab742aac] array.c:2523 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_call_cfunc_with_frame+0x170) [0x3ffab9421f0] vm_insnhelper.c:2931 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_call_method_each_type+0x530) [0x3ffab942d20] vm_insnhelper.c:3400 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_sendish+0x53a) [0x3ffab94659a] vm_insnhelper.c:4532 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_exec_core.lto_priv.0+0x21c0) [0x3ffab949df0] insns.def:770 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_vm_exec+0x1ee) [0x3ffab96129e] vm.c:2172 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_yield+0xaa) [0x3ffab951a6a] vm.c:1398 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_ary_each+0x4c) [0x3ffab742aac] array.c:2523 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_call_cfunc_with_frame+0x170) [0x3ffab9421f0] vm_insnhelper.c:2931 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_call_method_each_type+0x530) [0x3ffab942d20] vm_insnhelper.c:3400 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_sendish+0x53a) [0x3ffab94659a] vm_insnhelper.c:4532 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_exec_core.lto_priv.0+0x21c0) [0x3ffab949df0] insns.def:770 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_vm_exec+0x1ee) [0x3ffab96129e] vm.c:2172 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(require_internal.lto_priv.0+0xbc6) [0x3ffab809be6] load.c:1109 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_require_string+0x48) [0x3ffab809db8] load.c:1186 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_call_cfunc_with_frame+0x170) [0x3ffab9421f0] vm_insnhelper.c:2931 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_sendish+0x53a) [0x3ffab94659a] vm_insnhelper.c:4532 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_exec_core.lto_priv.0+0xe6) [0x3ffab947d16] insns.def:789 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_vm_exec+0x1ee) [0x3ffab96129e] vm.c:2172 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_ec_exec_node+0x10c) [0x3ffab7b71ac] eval.c:317 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(ruby_run_node+0x70) [0x3ffab7b72c0] eval.c:375 [0x2aa26e811f0] [0x3ffab4b3872] [0x3ffab4b3950] [0x2aa26e81250] ... snip ... ~~~ Related: rhbz#2049693 2022-01-20 10:07:32 +00:00			`From cc44179cb8419b0e48ef9baa6f1722603643c1a0 Mon Sep 17 00:00:00 2001`
			`From: Nobuyoshi Nakada <nobu@ruby-lang.org>`
			`Date: Tue, 17 Aug 2021 22:01:57 +0900`
			`Subject: [PATCH] Fix stack buffer overflow`

			`https://hackerone.com/reports/1306859`
			`---`
			`include/ruby/internal/memory.h \| 6 +++---`
			`random.c \| 7 ++-----`
			`2 files changed, 5 insertions(+), 8 deletions(-)`

			`diff --git a/include/ruby/internal/memory.h b/include/ruby/internal/memory.h`
			`index 7d24df4945..64f3101fc2 100644`
			`--- a/include/ruby/internal/memory.h`
			`+++ b/include/ruby/internal/memory.h`
			`@@ -110,18 +110,18 @@ extern void *alloca();`
			`((var) = RBIMPL_CAST((type )ruby_xrealloc2((void )(var), (n), sizeof(type))))`

			`#define ALLOCA_N(type,n) \`
			`- RBIMPL_CAST((type *)alloca(rbimpl_size_mul_or_raise(sizeof(type), (n))))`
			`+ RBIMPL_CAST((type *)(!(n) ? NULL : alloca(rbimpl_size_mul_or_raise(sizeof(type), (n)))))`

			`/* allocates _n_ bytes temporary buffer and stores VALUE including it`
			`* in _v_. _n_ may be evaluated twice. */`
			`#define RB_ALLOCV(v, n) \`
			`((n) < RUBY_ALLOCV_LIMIT ? \`
			`- ((v) = 0, alloca(n)) : \`
			`+ ((v) = 0, !(n) ? NULL : alloca(n)) : \`
			`rb_alloc_tmp_buffer(&(v), (n)))`
			`#define RB_ALLOCV_N(type, v, n) \`
			`RBIMPL_CAST((type *) \`
			`(((size_t)(n) < RUBY_ALLOCV_LIMIT / sizeof(type)) ? \`
			`- ((v) = 0, alloca((n) * sizeof(type))) : \`
			`+ ((v) = 0, !(n) ? NULL : alloca((n) * sizeof(type))) : \`
			`rb_alloc_tmp_buffer2(&(v), (n), sizeof(type))))`
			`#define RB_ALLOCV_END(v) rb_free_tmp_buffer(&(v))`

			`diff --git a/random.c b/random.c`
			`index 7567d13dd7..4d70c17116 100644`
			`--- a/random.c`
			`+++ b/random.c`
			`@@ -369,15 +369,12 @@ rand_init(const rb_random_interface_t rng, rb_random_t rnd, VALUE seed)`
			`int sign;`

			`len = rb_absint_numwords(seed, 32, NULL);`
			`+ if (len == 0) len = 1;`
			`buf = ALLOCV_N(uint32_t, buf0, len);`
			`sign = rb_integer_pack(seed, buf, len, sizeof(uint32_t), 0,`
			`INTEGER_PACK_LSWORD_FIRST\|INTEGER_PACK_NATIVE_BYTE_ORDER);`
			`if (sign < 0)`
			`sign = -sign;`
			`- if (len == 0) {`
			`- buf[0] = 0;`
			`- len = 1;`
			`- }`
			`if (len > 1) {`
			`if (sign != 2 && buf[len-1] == 1) /* remove leading-zero-guard */`
			`len--;`
			`@@ -814,7 +811,7 @@ rand_mt_init(rb_random_t rnd, const uint32_t buf, size_t len)`
			`{`
			`struct MT mt = &((rb_random_mt_t )rnd)->mt;`
			`if (len <= 1) {`
			`- init_genrand(mt, buf[0]);`
			`+ init_genrand(mt, len ? buf[0] : 0);`
			`}`
			`else {`
			`init_by_array(mt, buf, (int)len);`
			`--`
			`2.34.1`