Hi

ASan (AddressSanitizer) reports a dynamic-stack-buffer-overflow
error when running "make test_ruby" with a clang ASan build:

=================================================================
==29048==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on
address 0x7fff38a7a0f6 at pc 0x0000004d3e31 bp 0x7fff38a7a0b0 sp
0x7fff38a79860
WRITE of size 23 at 0x7fff38a7a0f6 thread T0
    #0 0x4d3e30 in strcpy ??:?
    #1 0x4d3e30 in ?? ??:0
    #2 0xce3ff3 in vim_message /home/pel/sb/vim/src/if_ruby.c:988
(discriminator 3)
    #3 0xce3ff3 in ?? ??:0
    #4 0x7f34af1aefed in rb_iseq_eval_main ??:?
    #5 0x7f34af1aefed in ?? ??:0
    #6 0x7f34af1afb71 in rb_iseq_eval_main ??:?
    #7 0x7f34af1afb71 in ?? ??:0
    #8 0x7f34af0c22ce in rb_io_write ??:?
    #9 0x7f34af0c22ce in ?? ??:0
    #10 0x7f34af0c233d in rb_io_print ??:?
    #11 0x7f34af0c233d in ?? ??:0
    #12 0x7f34af0c23d2 in rb_io_print ??:?
    #13 0x7f34af0c23d2 in ?? ??:0
    #14 0x7f34af1a450a in rb_iter_break_value ??:?
    #15 0x7f34af1a450a in ?? ??:0
    #16 0x7f34af1b24a2 in rb_yield_block ??:?
    #17 0x7f34af1b24a2 in ?? ??:0
    #18 0x7f34af1b34d2 in rb_yield_block ??:?
    #19 0x7f34af1b34d2 in ?? ??:0
    #20 0x7f34af1a8268 in rb_check_funcall ??:?
    #21 0x7f34af1a8268 in ?? ??:0
    #22 0x7f34af1ad141 in rb_check_funcall ??:?
    #23 0x7f34af1ad141 in ?? ??:0
    #24 0x7f34af1ae4eb in rb_mod_module_exec ??:?
    #25 0x7f34af1ae4eb in ?? ??:0
    #26 0x7f34af0961ea in rb_protect ??:?
    #27 0x7f34af0961ea in ?? ??:0
    #28 0xce1acf in ex_ruby /home/pel/sb/vim/src/if_ruby.c:720
    #29 0xce1acf in ?? ??:0
    #30 0x6cee79 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2952
    #31 0x6cee79 in ?? ??:0
    #32 0x6bde14 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1089
    #33 0x6bde14 in ?? ??:0
    #34 0xc35836 in call_user_func /home/pel/sb/vim/src/userfunc.c:942
    #35 0xc35836 in ?? ??:0
    #36 0xc325c1 in call_func /home/pel/sb/vim/src/userfunc.c:1427
(discriminator 1)
    #37 0xc325c1 in ?? ??:0
    #38 0xc3119d in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
    #39 0xc3119d in ?? ??:0
    #40 0xc4521c in ex_call /home/pel/sb/vim/src/userfunc.c:3082
(discriminator 1)
    #41 0xc4521c in ?? ??:0
    #42 0x6cee79 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2952
    #43 0x6cee79 in ?? ??:0
    #44 0x6bde14 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1089
    #45 0x6bde14 in ?? ??:0
    #46 0x5fb131 in ex_execute /home/pel/sb/vim/src/eval.c:8369
    #47 0x5fb131 in ?? ??:0
    #48 0x6cee79 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2952
    #49 0x6cee79 in ?? ??:0
    #50 0x6bde14 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1089
    #51 0x6bde14 in ?? ??:0
    #52 0xc35836 in call_user_func /home/pel/sb/vim/src/userfunc.c:942
    #53 0xc35836 in ?? ??:0
    #54 0xc325c1 in call_func /home/pel/sb/vim/src/userfunc.c:1427
(discriminator 1)
    #55 0xc325c1 in ?? ??:0
    #56 0xc3119d in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
    #57 0xc3119d in ?? ??:0
    #58 0xc4521c in ex_call /home/pel/sb/vim/src/userfunc.c:3082
(discriminator 1)
    #59 0xc4521c in ?? ??:0
    #60 0x6cee79 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2952
    #61 0x6cee79 in ?? ??:0
    #62 0x6bde14 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1089
    #63 0x6bde14 in ?? ??:0
    #64 0x6b4bbd in do_source /home/pel/sb/vim/src/ex_cmds2.c:4383
    #65 0x6b4bbd in ?? ??:0
    #66 0x6b2b9e in cmd_source /home/pel/sb/vim/src/ex_cmds2.c:3996
    #67 0x6b2b9e in ?? ??:0
    #68 0x6b2d25 in ex_source /home/pel/sb/vim/src/ex_cmds2.c:3971
    #69 0x6b2d25 in ?? ??:0
    #70 0x6cee79 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2952
    #71 0x6cee79 in ?? ??:0
    #72 0x6bde14 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1089
    #73 0x6bde14 in ?? ??:0
    #74 0x6c1545 in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:689
    #75 0x6c1545 in ?? ??:0
    #76 0xd3e8ad in exe_commands /home/pel/sb/vim/src/main.c:2968
    #77 0xd3e8ad in ?? ??:0
    #78 0xd3af30 in vim_main2 /home/pel/sb/vim/src/main.c:805
    #79 0xd3af30 in ?? ??:0
    #80 0xd334a7 in main /home/pel/sb/vim/src/main.c:419
    #81 0xd334a7 in ?? ??:0
    #82 0x7f34ae64682f in __libc_start_main
/build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #83 0x7f34ae64682f in ?? ??:0
    #84 0x44ecb8 in _start ??:?
    #85 0x44ecb8 in ?? ??:0

Address 0x7fff38a7a0f6 is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow
(/home/pel/sb/vim/src/vim+0x4d3e30)
Shadow bytes around the buggy address:
  0x1000671473c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000671473d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000671473e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000671473f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100067147400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100067147410: 00 00 00 00 00 00 00 00 ca ca ca ca 00 00[06]cb
  0x100067147420: cb cb cb cb 00 00 00 00 00 00 00 00 00 00 00 00
  0x100067147430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100067147440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100067147450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100067147460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29048==ABORTING

Aborted (core dumped)

The attached patch fixes it by allocating one more byte for the
terminating NUL: the alloca size was RSTRING_LEN(str), which excludes
the terminator, while strcpy() writes it, so the copy ran exactly one
byte past the buffer (the shadow bytes above show a partially
addressable granule [06] immediately followed by the cb alloca redzone).

Since the ASan Travis build did not catch this, it presumably builds
without the Ruby interface (or does not run test_ruby).
Is this something we should add to Travis?

Regards
Dominique

diff --git a/src/if_ruby.c b/src/if_ruby.c
index 02b59dd..d38ed2f 100644
--- a/src/if_ruby.c
+++ b/src/if_ruby.c
@@ -984,7 +984,7 @@ static VALUE vim_message(VALUE self UNUSED, VALUE str)
     if (RSTRING_LEN(str) > 0)
     {
 	/* Only do this when the string isn't empty, alloc(0) causes trouble. */
-	buff = ALLOCA_N(char, RSTRING_LEN(str));
+	buff = ALLOCA_N(char, RSTRING_LEN(str) + 1);
 	strcpy(buff, RSTRING_PTR(str));
 	p = strchr(buff, '\n');
 	if (p) *p = '\0';
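Review bot: The allocation on the changed line is sized from RSTRING_LEN(str) + 1, but the strcpy on the following line copies until it finds a NUL in RSTRING_PTR(str), so the write stays in bounds only as long as the Ruby buffer is NUL-terminated at exactly RSTRING_LEN(str) bytes; the bound should come from the same length used for the allocation. Replacing the strcpy with `memcpy(buff, RSTRING_PTR(str), RSTRING_LEN(str)); buff[RSTRING_LEN(str)] = '\0';` makes the copy length and the buffer size agree by construction, and a string with an embedded NUL is then handled the same way as one without (the later strchr for '\n' still stops at the first NUL). The size passed to ALLOCA_N is also controlled by the Ruby script, so a very long message would be placed on the stack unchecked; whether that matters here depends on how vim_message is reachable, which the hunk does not show. vim_message's body continues outside the hunk.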
