[ruby-core:124270] [Ruby Bug#21787] `IO::Buffer` buffer overf
Issue #21787 has been reported by nobu (Nobuyoshi Nakada).

----------------------------------------
Bug #21787: `IO::Buffer` buffer overf
https://bugs.ruby-lang.org/issues/21787

* Author: nobu (Nobuyoshi Nakada)
* Status: Open
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------

--
https://bugs.ruby-lang.org/
Issue #21787 has been updated by nobu (Nobuyoshi Nakada).

Subject changed from `IO::Buffer` buffer overf to `IO::Buffer` Integer Overflow in Range Validation Leads to Out-of-Bounds Memory Access
Backport changed from 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN to 3.2: REQUIRED, 3.3: REQUIRED, 3.4: REQUIRED

From: https://hackerone.com/reports/3437743

The `IO::Buffer` implementation in Ruby contains a critical integer overflow vulnerability in its range validation logic. The `io_buffer_validate_range` function assumes that `offset+length` never wraps around, allowing an attacker to bypass bounds checking with a carefully chosen large offset value. When the sum overflows, it appears to be within bounds while the actual destination pointer underflows. Subsequent operations (write/read copies) use this wrapped offset without further validation, enabling out-of-bounds memory access directly from Ruby code.

https://hackerone.com/reports/3437743#activity-38521790
We decided to fix this as a regular bug since `IO::Buffer` is experimental.
----------------------------------------
Bug #21787: `IO::Buffer` Integer Overflow in Range Validation Leads to Out-of-Bounds Memory Access
https://bugs.ruby-lang.org/issues/21787#change-115764

* Author: nobu (Nobuyoshi Nakada)
* Status: Open
* Backport: 3.2: REQUIRED, 3.3: REQUIRED, 3.4: REQUIRED
----------------------------------------
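The report above describes a classic unsigned-wraparound bypass: a range check written as `offset + length <= size` is satisfied by an offset close to `SIZE_MAX`, because the sum wraps to a small value while `base + offset` points far outside the buffer. The C below is an added illustration of that pattern and of a form of the check that cannot wrap; it is not code from Ruby's `io_buffer.c` or from the linked pull request, and `struct buf`, `validate_range_naive`, `validate_range_safe`, `buf_set_checked` and `naive_check_is_bypassed` are names assumed for the example only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sized memory region standing in for an IO::Buffer-like
 * object. This is an illustrative struct, not Ruby's own. */
struct buf {
    unsigned char *base;
    size_t size;
};

/* Vulnerable pattern: the sum is computed first, so an offset near SIZE_MAX
 * wraps `offset + length` to a small number and the check passes even
 * though `base + offset` lies outside the region. */
bool validate_range_naive(const struct buf *b, size_t offset, size_t length)
{
    return offset + length <= b->size;
}

/* Hardened pattern: bound each operand before any addition, so no
 * intermediate value can wrap. Equivalent to
 * `offset <= size && length <= size - offset`. */
bool validate_range_safe(const struct buf *b, size_t offset, size_t length)
{
    if (offset > b->size) return false;
    if (length > b->size - offset) return false;
    return true;
}

/* Copy `length` bytes into the buffer at `offset` only after the wrap-proof
 * check. Returns the number of bytes written, or 0 if the range is rejected. */
size_t buf_set_checked(struct buf *b, size_t offset, const void *src, size_t length)
{
    if (!validate_range_safe(b, offset, length)) return 0;
    memcpy(b->base + offset, src, length);
    return length;
}

/* Returns 1 when, for a region of `size` bytes and a copy of `length` bytes
 * (length >= 1), the naive check accepts a wrapping offset that the safe
 * check rejects. Pure arithmetic: nothing is dereferenced. */
int naive_check_is_bypassed(size_t size, size_t length)
{
    struct buf b = { NULL, size };
    /* Chosen so that offset + length == 0 after wraparound. */
    size_t wrapping_offset = SIZE_MAX - length + 1;
    return validate_range_naive(&b, wrapping_offset, length)
        && !validate_range_safe(&b, wrapping_offset, length);
}

int main(void)
{
    unsigned char storage[64] = {0};
    struct buf b = { storage, sizeof storage };

    printf("naive check bypassed for size=64,len=16: %d\n",
           naive_check_is_bypassed(b.size, 16));
    printf("in-bounds write at 60, len 4 -> %zu bytes\n",
           buf_set_checked(&b, 60, "abcd", 4));
    printf("out-of-bounds write at 61, len 4 -> %zu bytes\n",
           buf_set_checked(&b, 61, "abcd", 4));
    printf("wrapping write at SIZE_MAX-3, len 4 -> %zu bytes\n",
           buf_set_checked(&b, SIZE_MAX - 3, "abcd", 4));
    return 0;
}
```

The general rule the hardened form follows is to never compare a sum that may wrap; compare each term against what remains, or use a checked-add builtin, before touching the pointer.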
Issue #21787 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 3.2: REQUIRED, 3.3: REQUIRED, 3.4: REQUIRED to 3.2: REQUIRED, 3.3: REQUIRED, 3.4: DONE

ruby_3_4 commit:45100545b056792fb5701a93abd1f78259a6224e merged revision(s) commit:f430fbbfacea5690d790dd9060ca4118431fc2fb, commit:c353b625297162024b5a80480664e599dd49a294.

----------------------------------------
Bug #21787: `IO::Buffer` Integer Overflow in Range Validation Leads to Out-of-Bounds Memory Access
https://bugs.ruby-lang.org/issues/21787#change-116203

* Author: nobu (Nobuyoshi Nakada)
* Status: Closed
* Backport: 3.2: REQUIRED, 3.3: REQUIRED, 3.4: DONE
----------------------------------------
https://github.com/ruby/ruby/pull/15599
Issue #21787 has been updated by k0kubun (Takashi Kokubun).

Backport changed from 3.2: WONTFIX, 3.3: REQUIRED, 3.4: DONE, 4.0: REQUIRED to 3.2: WONTFIX, 3.3: REQUIRED, 3.4: DONE, 4.0: DONE

ruby_4_0 already contains commit:c353b625297162024b5a80480664e599dd49a294 and commit:f430fbbfacea5690d790dd9060ca4118431fc2fb.

----------------------------------------
Bug #21787: `IO::Buffer` Integer Overflow in Range Validation Leads to Out-of-Bounds Memory Access
https://bugs.ruby-lang.org/issues/21787#change-116924

* Author: nobu (Nobuyoshi Nakada)
* Status: Closed
* Backport: 3.2: WONTFIX, 3.3: REQUIRED, 3.4: DONE, 4.0: DONE
----------------------------------------
participants (3)

- k0kubun (Takashi Kokubun)
- nagachika (Tomoyuki Chikanaga)
- nobu (Nobuyoshi Nakada)