From fef07c3b45964fee72b0d8d2aa5b4607e6cf01ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Thu, 20 Jan 2022 11:07:32 +0100 Subject: [PATCH] Fix segfault in `TestArray#test_sample` on s390x. ~~~ ... snip ... [ 3104/21226] TestArray#test_sample/builddir/build/BUILD/ruby-3.0.3/test/ruby/test_array.rb:2871: [BUG] Segmentation fault at 0x00000000c04fb000 ruby 3.0.3p157 (2021-11-24 revision 3fb7d2cadc) [s390x-linux] -- Control frame information ----------------------------------------------- c:0031 p:---- s:0176 e:000175 CFUNC :srand c:0030 p:0011 s:0171 e:000170 METHOD /builddir/build/BUILD/ruby-3.0.3/test/ruby/test_array.rb:2871 c:0029 p:0052 s:0165 e:000164 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1283 c:0028 p:0065 s:0159 e:000158 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1330 c:0027 p:0013 s:0150 e:000149 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit/testcase.rb:18 c:0026 p:0077 s:0145 e:000144 BLOCK /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:979 [FINISH] c:0025 p:---- s:0138 e:000137 CFUNC :map c:0024 p:0006 s:0134 E:0012c8 BLOCK /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:972 c:0023 p:0186 s:0130 E:000ba0 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:999 c:0022 p:0042 s:0118 E:000888 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1136 c:0021 p:0010 s:0111 E:0007a0 BLOCK /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:627 [FINISH] c:0020 p:---- s:0105 e:000104 CFUNC :each c:0019 p:0054 s:0101 E:001588 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:625 c:0018 p:0008 s:0094 E:001eb8 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:662 c:0017 p:0140 s:0087 E:0011a8 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:908 c:0016 p:0016 s:0074 E:001ca8 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1073 c:0015 p:0005 s:0069 E:000710 METHOD 
/builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1147 c:0014 p:0006 s:0065 E:000438 BLOCK /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1134 [FINISH] c:0013 p:---- s:0061 e:000060 CFUNC :each c:0012 p:0047 s:0057 E:0022b8 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1133 c:0011 p:0013 s:0052 E:000288 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1121 c:0010 p:0008 s:0047 E:000c70 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:847 c:0009 p:0008 s:0041 E:0008d0 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:695 c:0008 p:0015 s:0035 E:001f08 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:34 c:0007 p:0006 s:0030 E:0003c8 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1175 c:0006 p:0032 s:0025 E:000e80 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1245 c:0005 p:0009 s:0021 E:0018b8 METHOD /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1249 c:0004 p:0172 s:0016 E:0001b8 TOP /builddir/build/BUILD/ruby-3.0.3/tool/test/runner.rb:23 [FINISH] c:0003 p:---- s:0011 e:000010 CFUNC :require_relative c:0002 p:0092 s:0006 E:001bf0 EVAL ./test/runner.rb:11 [FINISH] c:0001 p:0000 s:0003 E:0004f0 (none) [FINISH] -- Ruby level backtrace information ---------------------------------------- ./test/runner.rb:11:in `
' ./test/runner.rb:11:in `require_relative' /builddir/build/BUILD/ruby-3.0.3/tool/test/runner.rb:23:in `' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1249:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1245:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1175:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:34:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:695:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:847:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1121:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1133:in `_run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1133:in `each' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1134:in `block in _run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1147:in `run_tests' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1073:in `_run_anything' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:908:in `_run_anything' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:662:in `_run_suites' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:625:in `_run_suites' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:625:in `each' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:627:in `block in _run_suites' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1136:in `_run_suite' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:999:in `_run_suite' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:972:in `block in _run_suite' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:972:in `map' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:979:in `block (2 levels) in _run_suite' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit/testcase.rb:18:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/minitest/unit.rb:1330:in `run' /builddir/build/BUILD/ruby-3.0.3/tool/lib/test/unit.rb:1283:in 
`run_test' /builddir/build/BUILD/ruby-3.0.3/test/ruby/test_array.rb:2871:in `test_sample' /builddir/build/BUILD/ruby-3.0.3/test/ruby/test_array.rb:2871:in `srand' -- C level backtrace information ------------------------------------------- /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_print_backtrace+0x1c) [0x3ffab964c5c] vm_dump.c:758 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_vm_bugreport.constprop.0+0x4ba) [0x3ffab977f0a] vm_dump.c:998 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_bug_for_fatal_signal+0xb2) [0x3ffab7b2252] error.c:786 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(sigsegv+0x58) [0x3ffab8d2fb8] signal.c:963 [0x3ffabb7e490] /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_free_tmp_buffer+0x4) [0x3ffab7d1114] gc.c:11047 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rand_init+0x122) [0x3ffab896892] random.c:387 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_f_srand+0x6e) [0x3ffab8975fe] random.c:873 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_call_cfunc_with_frame+0x170) [0x3ffab9421f0] vm_insnhelper.c:2931 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_sendish+0x53a) [0x3ffab94659a] vm_insnhelper.c:4532 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_exec_core.lto_priv.0+0xe6) [0x3ffab947d16] insns.def:789 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_vm_exec+0x1ee) [0x3ffab96129e] vm.c:2172 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_yield+0xaa) [0x3ffab951a6a] vm.c:1398 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_ary_collect.lto_priv.0+0x6a) [0x3ffab742d6a] array.c:3635 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_call_cfunc_with_frame+0x170) [0x3ffab9421f0] vm_insnhelper.c:2931 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_sendish+0x53a) [0x3ffab94659a] vm_insnhelper.c:4532 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_exec_core.lto_priv.0+0x21c0) [0x3ffab949df0] insns.def:770 
/builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_vm_exec+0x1ee) [0x3ffab96129e] vm.c:2172 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_yield+0xaa) [0x3ffab951a6a] vm.c:1398 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_ary_each+0x4c) [0x3ffab742aac] array.c:2523 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_call_cfunc_with_frame+0x170) [0x3ffab9421f0] vm_insnhelper.c:2931 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_call_method_each_type+0x530) [0x3ffab942d20] vm_insnhelper.c:3400 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_sendish+0x53a) [0x3ffab94659a] vm_insnhelper.c:4532 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_exec_core.lto_priv.0+0x21c0) [0x3ffab949df0] insns.def:770 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_vm_exec+0x1ee) [0x3ffab96129e] vm.c:2172 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_yield+0xaa) [0x3ffab951a6a] vm.c:1398 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_ary_each+0x4c) [0x3ffab742aac] array.c:2523 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_call_cfunc_with_frame+0x170) [0x3ffab9421f0] vm_insnhelper.c:2931 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_call_method_each_type+0x530) [0x3ffab942d20] vm_insnhelper.c:3400 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_sendish+0x53a) [0x3ffab94659a] vm_insnhelper.c:4532 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_exec_core.lto_priv.0+0x21c0) [0x3ffab949df0] insns.def:770 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_vm_exec+0x1ee) [0x3ffab96129e] vm.c:2172 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(require_internal.lto_priv.0+0xbc6) [0x3ffab809be6] load.c:1109 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_require_string+0x48) [0x3ffab809db8] load.c:1186 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_call_cfunc_with_frame+0x170) [0x3ffab9421f0] vm_insnhelper.c:2931 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_sendish+0x53a) [0x3ffab94659a] 
vm_insnhelper.c:4532 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(vm_exec_core.lto_priv.0+0xe6) [0x3ffab947d16] insns.def:789 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_vm_exec+0x1ee) [0x3ffab96129e] vm.c:2172 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(rb_ec_exec_node+0x10c) [0x3ffab7b71ac] eval.c:317 /builddir/build/BUILD/ruby-3.0.3/libruby.so.3.0.3(ruby_run_node+0x70) [0x3ffab7b72c0] eval.c:375 [0x2aa26e811f0] [0x3ffab4b3872] [0x3ffab4b3950] [0x2aa26e81250] ... snip ... ~~~ Related: rhbz#2049693 --- ruby-3.1.0-Fix-stack-buffer-overflow.patch | 70 ++++++++++++++++++++++ ruby.spec | 8 +++ 2 files changed, 78 insertions(+) create mode 100644 ruby-3.1.0-Fix-stack-buffer-overflow.patch diff --git a/ruby-3.1.0-Fix-stack-buffer-overflow.patch b/ruby-3.1.0-Fix-stack-buffer-overflow.patch new file mode 100644 index 0000000..4e842ff --- /dev/null +++ b/ruby-3.1.0-Fix-stack-buffer-overflow.patch 
@@ -0,0 +1,70 @@ +From cc44179cb8419b0e48ef9baa6f1722603643c1a0 Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada +Date: Tue, 17 Aug 2021 22:01:57 +0900 +Subject: [PATCH] Fix stack buffer overflow + +https://hackerone.com/reports/1306859 +--- + include/ruby/internal/memory.h | 6 +++--- + random.c | 7 ++----- + 2 files changed, 5 insertions(+), 8 deletions(-) + +diff --git a/include/ruby/internal/memory.h b/include/ruby/internal/memory.h +index 7d24df4945..64f3101fc2 100644 +--- a/include/ruby/internal/memory.h ++++ b/include/ruby/internal/memory.h +@@ -110,18 +110,18 @@ extern void *alloca(); + ((var) = RBIMPL_CAST((type *)ruby_xrealloc2((void *)(var), (n), sizeof(type)))) + + #define ALLOCA_N(type,n) \ +- RBIMPL_CAST((type *)alloca(rbimpl_size_mul_or_raise(sizeof(type), (n)))) ++ RBIMPL_CAST((type *)(!(n) ? NULL : alloca(rbimpl_size_mul_or_raise(sizeof(type), (n))))) + + /* allocates _n_ bytes temporary buffer and stores VALUE including it + * in _v_. _n_ may be evaluated twice. */ + #define RB_ALLOCV(v, n) \ + ((n) < RUBY_ALLOCV_LIMIT ? \ +- ((v) = 0, alloca(n)) : \ ++ ((v) = 0, !(n) ? NULL : alloca(n)) : \ + rb_alloc_tmp_buffer(&(v), (n))) + #define RB_ALLOCV_N(type, v, n) \ + RBIMPL_CAST((type *) \ + (((size_t)(n) < RUBY_ALLOCV_LIMIT / sizeof(type)) ? \ +- ((v) = 0, alloca((n) * sizeof(type))) : \ ++ ((v) = 0, !(n) ? 
NULL : alloca((n) * sizeof(type))) : \ + rb_alloc_tmp_buffer2(&(v), (n), sizeof(type)))) + #define RB_ALLOCV_END(v) rb_free_tmp_buffer(&(v)) + +diff --git a/random.c b/random.c +index 7567d13dd7..4d70c17116 100644 +--- a/random.c ++++ b/random.c +@@ -369,15 +369,12 @@ rand_init(const rb_random_interface_t *rng, rb_random_t *rnd, VALUE seed) + int sign; + + len = rb_absint_numwords(seed, 32, NULL); ++ if (len == 0) len = 1; + buf = ALLOCV_N(uint32_t, buf0, len); + sign = rb_integer_pack(seed, buf, len, sizeof(uint32_t), 0, + INTEGER_PACK_LSWORD_FIRST|INTEGER_PACK_NATIVE_BYTE_ORDER); + if (sign < 0) + sign = -sign; +- if (len == 0) { +- buf[0] = 0; +- len = 1; +- } + if (len > 1) { + if (sign != 2 && buf[len-1] == 1) /* remove leading-zero-guard */ + len--; +@@ -814,7 +811,7 @@ rand_mt_init(rb_random_t *rnd, const uint32_t *buf, size_t len) + { + struct MT *mt = &((rb_random_mt_t *)rnd)->mt; + if (len <= 1) { +- init_genrand(mt, buf[0]); ++ init_genrand(mt, len ? buf[0] : 0); + } + else { + init_by_array(mt, buf, (int)len); +-- +2.34.1 + diff --git a/ruby.spec b/ruby.spec index 49b07dd..e23f7e1 100644 --- a/ruby.spec +++ b/ruby.spec @@ -169,6 +169,9 @@ Patch21: ruby-3.1.0-Properly-exclude-test-cases.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2027099 # https://github.com/rubygems/rubygems/pull/5154 Patch22: rubygems-3.2.33-Fix-loading-operating_system-rb-customizations-too-late.patch +# Fix segfault in `TestArray#test_sample` on s390x. +# https://github.com/ruby/ruby/pull/5239 +Patch23: ruby-3.1.0-Fix-stack-buffer-overflow.patch # OpenSSL 3.0 compatibility patches @@ -620,6 +623,7 @@ rm -rf ext/fiddle/libffi* %patch19 -p1 %patch21 -p1 %patch22 -p1 +%patch23 -p1 %patch30 -p1 -R %patch40 -p1 
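Review bot: The new `ALLOCA_N` body evaluates `n` twice (`!(n)` and the argument to `rbimpl_size_mul_or_raise`), and `RB_ALLOCV_N` now evaluates it three times, but only `RB_ALLOCV` carries the `_n_ may be evaluated twice` comment, so an argument with side effects would now test one size and allocate another. Add `/* _n_ may be evaluated twice; yields NULL when _n_ is 0 */` above `#define ALLOCA_N` and extend the `RB_ALLOCV` comment to cover `RB_ALLOCV_N`. Returning NULL for a zero-length request turns the old silent one-element stack overwrite into a deterministic NULL dereference for any caller that still writes `buf[0]` after asking for zero elements; `rand_init` is adjusted by hoisting `len = 1` ahead of the allocation, but other `ALLOCV_N` callers are outside this patch and deserve the same check. The `rb_free_tmp_buffer` frame in the s390x backtrace is consistent with the out-of-bounds `buf[0] = 0` clobbering the adjacent `buf0` VALUE before `ALLOCV_END`, though that is inferred rather than shown here.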
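Review bot: The comment added above `Patch23` describes only the s390x test symptom, while the patch it pulls in is upstream's fix for a stack buffer overflow in `rand_init` (zero-length `alloca` followed by a write to `buf[0]`), which is architecture-independent and is what anyone auditing this spec for security backports will look for. Suggest `# Fix stack buffer overflow in rand_init (exposed as a segfault in TestArray#test_sample on s390x).` in place of the first comment line, keep the existing `# https://github.com/ruby/ruby/pull/5239` line, and optionally add the upstream report URL `https://hackerone.com/reports/1306859` taken from the patch header. The `%patch23 -p1` application in the next hunk needs no change.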
@@ -1438,6 +1442,10 @@ mv test/fiddle/test_import.rb{,.disable} %changelog +* Thu Jan 20 2022 Vít Ondruch - 3.0.3-157 +- Fix segfault in `TestArray#test_sample` on s390x. + Related: rhbz#2049693 + * Tue Jan 11 2022 Jun Aruga - 3.0.3-157 - Remove the patch applied to pass the test/fiddle/test_import.rb on PPC. Related: rhbz#2049693