Segfaults in ruby 3.0.2
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ruby3.0 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Jammy | Fix Released | High | Utkarsh Gupta | |
| Kinetic | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
========
The array.c functions rb_ary_slice_bang / ary_slice_
[Test Plan]
===========
```shell
$ lxc launch images:ubuntu/jammy jtemp --vm
$ lxc shell jtemp
# apt update && apt install valgrind ruby3.0
# echo '(1..5000)
# valgrind ruby lp1982703.rb |& tee lp1982703.valgrind
# grep "Invalid read of size 8" -A4 lp1982703.valgrind
```
You'll see:
```
==228628== Invalid read of size 8
==228628== at 0x48428C0: memmove (vg_replace_
==228628== by 0x356542: ary_memcpy (array.c:316)
==228628== by 0x356542: rb_ary_
==228628== by 0x356542: rb_ary_
==228628== by 0x356542: ary_slice_
==228628== by 0x35E1DB: rb_ary_slice_bang (array.c:4186)
```
and respective HEAP and LEAK SUMMARY.
[Where Problems Could Occur]
============================
The fix is a trivial one-line patch that corrects the length calculation for Array#slice! by moving the respective check out of an if..else if chain into its own separate if clause, so that it is always evaluated.
It is hard for things to go wrong further there, because the affected path was already resulting in an invalid memory access.
One thing that could go wrong is where people have made workarounds: for instance, instead of passing start, index values like Array#slice!(start, index), one would work around this bug by changing that to Array#slice!
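The length normalisation the fix describes, as an added example in C that is not the page's or Ruby's own array.c: the `if..else if` chain is reconstructed from the description above, so its exact shape is an assumption. `normalise_buggy` keeps the end-of-array clamp inside the chain, `normalise_fixed` lifts it into its own `if`, and `reads_out_of_bounds` flags the range that a negative start plus an oversized length would copy.

```c
#include <stdbool.h>
#include <stdio.h>

/* Normalised (start, length) for Array#slice!(start, length) on an array of
 * orig_len elements; ok == false means the call returns nil without copying. */
typedef struct { long pos; long len; bool ok; } slice_range;

/* Buggy shape (assumed reconstruction of the pre-fix logic): the clamp to the
 * end of the array is the last else-if, so once the negative-start branch has
 * fired it is never reached. */
static slice_range normalise_buggy(long orig_len, long pos, long len)
{
    slice_range r = { pos, len, true };
    if (len < 0)                   r.ok = false;
    else if (pos < -orig_len)      r.ok = false;
    else if (pos < 0)              r.pos += orig_len;   /* clamp below is skipped */
    else if (orig_len < pos)       r.ok = false;
    else if (orig_len < pos + len) r.len = orig_len - pos;
    return r;
}

/* Fixed shape: the clamp is its own if, so it runs for every in-bounds start. */
static slice_range normalise_fixed(long orig_len, long pos, long len)
{
    slice_range r = { pos, len, true };
    if (len < 0)                   r.ok = false;
    else if (pos < -orig_len)      r.ok = false;
    else if (pos < 0)              r.pos += orig_len;
    else if (orig_len < pos)       r.ok = false;
    if (r.ok && orig_len < r.pos + r.len) r.len = orig_len - r.pos;
    return r;
}

/* True when memmove would read past the backing store: the condition behind
 * valgrind's "Invalid read of size 8" in the test plan. */
static bool reads_out_of_bounds(slice_range r, long orig_len)
{
    return r.ok && r.pos + r.len > orig_len;
}

int main(void)
{
    const long n = 5000;  /* constructed input: (1..5000).to_a */
    slice_range b = normalise_buggy(n, -10, 100), f = normalise_fixed(n, -10, 100);
    printf("buggy: pos=%ld len=%ld oob=%d\n", b.pos, b.len, reads_out_of_bounds(b, n));
    printf("fixed: pos=%ld len=%ld oob=%d\n", f.pos, f.len, reads_out_of_bounds(f, n));
    return 0;
}
```

With a positive start both versions clamp identically; only the negative-start path differs, which is why the workaround mentioned above masks the bug.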
Related branches
- Lucas Kanashiro (community): Approve
- Canonical Server Reporter: Pending requested
- git-ubuntu import: Pending requested

Diff: 59 lines (+37/-0), 3 files modified:
- debian/changelog (+7/-0)
- debian/patches/fix-length-calc-for-Array#slice.patch (+29/-0)
- debian/patches/series (+1/-0)
Changed in ruby3.0 (Ubuntu Jammy):
- importance: Undecided → High
- assignee: Lucas Kanashiro (lucaskanashiro) → nobody

Changed in ruby3.0 (Ubuntu Kinetic):
- assignee: Lucas Kanashiro (lucaskanashiro) → nobody

Changed in ruby3.0 (Ubuntu Jammy):
- assignee: nobody → Utkarsh Gupta (utkarsh)
- status: New → Confirmed
- description: updated
Thanks for taking the time to report this bug and trying to make Ubuntu better.
This is affecting kinetic and jammy. In Jammy, we need an SRU, and a backport of the fix is what we need. In Kinetic, I'll see what the best approach is, but maybe we should merge version 3.0.4-7 from Debian unstable.