ruby-changes:57282
From: usa <ko1@a...>
Date: Tue, 27 Aug 2019 01:09:30 +0900 (JST)
Subject: [ruby-changes:57282] usa: b49b1d76d1 (ruby_2_5): merge revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca: [Backport #15934]
https://git.ruby-lang.org/ruby.git/commit/?id=b49b1d76d1 From b49b1d76d116c4262819a86ca51cb6df19304b9f Mon Sep 17 00:00:00 2001 From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> Date: Mon, 26 Aug 2019 16:09:14 +0000 Subject: merge revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca: [Backport #15934] String#b: Don't depend on dependent string Registering a string that depend on a dependent string as fstring can lead to use-after-free. See c06ddfe and 3f95620 for details. The following script triggers use-after-free on trunk, 2.4.6, 2.5.5 and 2.6.3. Credits to @wanabe for using eval as a cross-version way of registering a fstring. ```ruby a = ('j' * 24).b.b eval('', binding, a) p a 4.times { GC.start } p a ``` - string.c (str_replace_shared_without_enc): when given a dependent string, depend on the root of the dependent string. [Bug #15934] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67767 b2dd03c8-39d4-4d8f-98ff-823fe69b080e diff --git a/string.c b/string.c index 09fe2a3..9a81cef 100644 --- a/string.c +++ b/string.c @@ -1127,12 +1127,26 @@ str_replace_shared_without_enc(VALUE str2, VALUE str) https://github.com/ruby/ruby/blob/trunk/string.c#L1127 TERM_FILL(ptr2+len, termlen); } else { - str = rb_str_new_frozen(str); + VALUE root; + if (STR_SHARED_P(str)) { + root = RSTRING(str)->as.heap.aux.shared; + RSTRING_GETMEM(str, ptr, len); + } + else { + root = rb_str_new_frozen(str); + RSTRING_GETMEM(root, ptr, len); + } + if (!STR_EMBED_P(str2) && !FL_TEST_RAW(str2, STR_SHARED|STR_NOFREE)) { + /* TODO: check if str2 is a shared root */ + char *ptr2 = STR_HEAP_PTR(str2); + if (ptr2 != ptr) { + ruby_sized_xfree(ptr2, STR_HEAP_SIZE(str2)); + } + } FL_SET(str2, STR_NOEMBED); - RSTRING_GETMEM(str, ptr, len); RSTRING(str2)->as.heap.len = len; RSTRING(str2)->as.heap.ptr = ptr; - STR_SET_SHARED(str2, str); + STR_SET_SHARED(str2, root); } return str2; } diff --git a/test/ruby/test_string.rb b/test/ruby/test_string.rb index d4303e8..ae5b22c 100644 --- a/test/ruby/test_string.rb +++ b/test/ruby/test_string.rb @@ -2930,6 +2930,14 @@ CODE https://github.com/ruby/ruby/blob/trunk/test/ruby/test_string.rb#L2930 assert_equal(('a' * 24), a, '[Bug #15792]') end + def test_nesting_shared_b + a = ('j' * 24).b.b + eval('', binding, a) + assert_equal(('j' * 24), a) + 4.times { GC.start } + assert_equal(('j' * 24), a, '[Bug #15934]') + end + def test_shared_force_encoding s = "\u{3066}\u{3059}\u{3068}".gsub(//, '') h = {} diff --git a/version.h b/version.h index 8d09ff8..7c3dd1b 100644 --- a/version.h +++ b/version.h @@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/version.h#L1 #define RUBY_VERSION "2.5.6" #define RUBY_RELEASE_DATE "2019-08-27" -#define RUBY_PATCHLEVEL 185 +#define RUBY_PATCHLEVEL 186 #define RUBY_RELEASE_YEAR 2019 #define RUBY_RELEASE_MONTH 8 -- cgit v0.10.2 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/