Ubuntu
ruby3.0 package

Segfaults in ruby 3.0.2

Bug #1982703 reported by agent 8131
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ruby3.0 (Ubuntu)
Fix Released
Undecided
Unassigned
Jammy
Fix Released
High
Utkarsh Gupta
Kinetic
Fix Released
Undecided
Unassigned

Bug Description

[Impact]
========

The array.c functions rb_ary_slice_bang / ary_slice_bang_by_rb_ary_splice allow a length to be passed to rb_ary_new4 that is too long and which leads to an invalid memory access. This has been fixed in Kinetic (and forward) and isn't present in releases before Jammy. So Jammy is all that's left to fix.

[Test Plan]
===========

$ lxc launch images:ubuntu/jammy jtemp --vm
$ lxc shell jtemp
# apt update && apt install valgrind ruby3.0
# echo '(1..5000).to_a.slice!(-2, 5000)' > lp1982703.rb
# valgrind ruby lp1982703.rb |& tee lp1982703.valgrind
# grep "Invalid read of size 8" -A4 lp1982703.valgrind

You'll see:
```
==228628== Invalid read of size 8
==228628== at 0x48428C0: memmove (vg_replace_strmem.c:1271)
==228628== by 0x356542: ary_memcpy (array.c:316)
==228628== by 0x356542: rb_ary_tmp_new_from_values (array.c:785)
==228628== by 0x356542: rb_ary_new_from_values (array.c:795)
==228628== by 0x356542: ary_slice_bang_by_rb_ary_splice (array.c:4106)
==228628== by 0x35E1DB: rb_ary_slice_bang (array.c:4186)
```

and respective HEAP and LEAK SUMMARY.

[Where Problems Could Occur]
============================

The fix is a one-line, trivial patch which fixes the length calculation for Array#slice! by moving the respective check out of an if..elseif clause to its separate if clause - making sure it's checked always.

It's hard for things to go wrong further there because it was already resulting in an invalid memory access.

One thing that could go wrong is where people have made workarounds - for instance, instead of passing start, index values like Array#slice!(start, index), one would workaround this bug by changing that to Array#slice!(start..index). Even then, these things won't break because they're supposed to work irrespective but would be ideal to resort back to proper usage.

See original description

Related branches

~utkarsh/ubuntu/+source/ruby3.0:lp1982703-array-slice-invalid-memory-access
Lucas Kanashiro (community): Approve
Canonical Server Reporter: Pending requested
git-ubuntu import: Pending requested
Diff: 59 lines (+37/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/fix-length-calc-for-Array#slice.patch (+29/-0)
debian/patches/series (+1/-0)

CVE References

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for taking the time to report this bug and trying to make Ubuntu better.

This is affecting kinetic and jammy. In Jammy, we need a SRU and a backport of the fix is what we need. In Kinetic, I'll see what is the best approach but maybe we should merge version 3.0.4-7 from Debian unstable.

tags: added: server-todo
Changed in ruby3.0 (Ubuntu Jammy):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in ruby3.0 (Ubuntu Kinetic):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

This bug was fixed in the package ruby3.0 - 3.0.4-7

---------------
ruby3.0 (3.0.4-7) unstable; urgency=medium

  * Complete the patch to disable compaction on architectures where it can't work.

 -- Antonio Terceiro <email address hidden> Sun, 01 May 2022 09:56:20 -0300

ruby3.0 (3.0.4-6) unstable; urgency=medium

  * Exclude TestGCCompact on s390x

 -- Antonio Terceiro <email address hidden> Thu, 28 Apr 2022 10:56:40 -0300

ruby3.0 (3.0.4-5) unstable; urgency=medium

  * Fix disabling compaction on platforms that can't support it.
    The initial patch was incomplete, and actually broke every other
    architecture that was not ppc64el.

 -- Antonio Terceiro <email address hidden> Wed, 27 Apr 2022 15:15:03 -0300

ruby3.0 (3.0.4-4) unstable; urgency=medium

  * Disable GC compaction on platforms that can't support it.
    This should fix some crashes hapenning on ppc64el

 -- Antonio Terceiro <email address hidden> Wed, 27 Apr 2022 12:55:10 -0300

ruby3.0 (3.0.4-3) unstable; urgency=medium

  * ppc64el: exclude TestGCCompact tests as they segfault

 -- Antonio Terceiro <email address hidden> Sat, 23 Apr 2022 08:31:14 -0300

ruby3.0 (3.0.4-2) unstable; urgency=medium

  * Exclude test TestGemInstaller#test_ensure_no_race_conditions_between_installing_and_loading_gemspecs

 -- Antonio Terceiro <email address hidden> Fri, 22 Apr 2022 09:58:51 -0300

ruby3.0 (3.0.4-1) unstable; urgency=medium

  [ John Paul Adrian Glaubitz ]
  * Disable some tests on powerpc (Closes: #999349)
  * Disable some tests on alpha (Closes: #999444)
  * Fix filenames for glibc SO files on alpha and ia64
    (Closes: #1007925)

  [ Antonio Terceiro ]
  * New upstream version 3.0.4
  * Includes fixes for the following security issues:
    - CVE-2022-28739: Buffer overrun in String-to-Float conversion
      (Closes: #1009956)
    - CVE-2022-28738: Double free in Regexp compilation
      (Closes: #1009958)
  * Refresh patches.
    The fix in rand_init-fix-off-by-one-error.patch has been done upstream
    differently; drop the patch.
  * TestZlibGzipFile: skip test unsupported on overlay filesystems

 -- Antonio Terceiro <email address hidden> Thu, 21 Apr 2022 13:52:50 -0300

ruby3.0 (3.0.3-1) unstable; urgency=medium

  * New upstream version 3.0.3. Includes fixes for the following security
    issues (Closes: #1002995):
    - CVE-2021-41816: Buffer Overrun in CGI.escape_html
    - CVE-2021-41817: regular expression Denial of Service in Date.parse
    - CVE-2021-41819: mishandling of security prefixes in CGI::Cookie.parse
  * Refresh patches
  * autopkgtest: builtin-extensions: check openssl version
  * debian/libruby3.0.symbols: update
  * Fix generation of Provides:
  * Exclude some tests from TestGemServer

 -- Antonio Terceiro <email address hidden> Sun, 13 Mar 2022 21:02:08 -0300

Changed in ruby3.0 (Ubuntu):
status: New → Fix Released
Robie Basak (racb)
Changed in ruby3.0 (Ubuntu Jammy):
importance: Undecided → High
assignee: Lucas Kanashiro (lucaskanashiro) → nobody
Revision history for this message
agent 8131 (agent-8131) wrote :

Will this be a security update for Jammy?

Christian Ehrhardt  (paelzer)
Changed in ruby3.0 (Ubuntu Kinetic):
assignee: Lucas Kanashiro (lucaskanashiro) → nobody
Changed in ruby3.0 (Ubuntu Jammy):
assignee: nobody → Utkarsh Gupta (utkarsh)
status: New → Confirmed
Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Okeydoke, so I've started to look at it. An initial look at it, tells me that it shouldn't be that tricky. I'll try to put together the upstream patch against the Jammy branch and spawn an MP up soon - not today or this week (I am off, sorry) but most certainly by next week.

TIA. Sorry for the delay until now. \o/

Utkarsh Gupta (utkarsh)
description: updated
Revision history for this message
Robie Basak (racb) wrote : Please test proposed package

Hello agent, or anyone else affected,

Accepted ruby3.0 into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ruby3.0/3.0.2-7ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ruby3.0 (Ubuntu Jammy):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Christian Ehrhardt  (paelzer) wrote (last edit ):

FYI I - I fixed a few steps in the testcase that I found while trying to use it.

FYI II - Test verified against Utkarshs PPA, works for me from there.

Waiting for the real builds so we can verify them (Utkarsh has kicked them to re-build as they are an FTBFS for nwo).

description: updated
description: updated
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ruby3.0/3.0.2-7ubuntu2.2)

All autopkgtests for the newly accepted ruby3.0 (3.0.2-7ubuntu2.2) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

ruby-stackprof/0.2.17-1ubuntu2 (amd64, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#ruby3.0

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Hellu!

Testing the package in -proposed according to the test plan:

$ lxc launch images:ubuntu/jammy jtemp --vm
$ lxc shell jtemp
# apt update && apt install valgrind ruby3.0
# apt show ruby3.0 | grep Version
  >> Version: 3.0.2-7ubuntu2.1
# echo '(1..5000).to_a.slice!(-2, 5000)' > lp1982703.rb
# valgrind ruby lp1982703.rb |& tee lp1982703.valgrind
# grep "Invalid read of size 8" -A4 lp1982703.valgrind

You'll see:
```
==228628== Invalid read of size 8
==228628== at 0x48428C0: memmove (vg_replace_strmem.c:1271)
==228628== by 0x356542: ary_memcpy (array.c:316)
==228628== by 0x356542: rb_ary_tmp_new_from_values (array.c:785)
==228628== by 0x356542: rb_ary_new_from_values (array.c:795)
==228628== by 0x356542: ary_slice_bang_by_rb_ary_splice (array.c:4106)
==228628== by 0x35E1DB: rb_ary_slice_bang (array.c:4186)

### Enable -proposed
# apt show ruby3.0 | grep Version
  >> Version: 3.0.2-7ubuntu2.2
# echo '(1..5000).to_a.slice!(-2, 5000)' > lp1982703.rb
# valgrind ruby lp1982703.rb |& tee lp1982703.valgrind
# grep "Invalid read of size 8" -A4 lp1982703.valgrind
# echo $?
1

Therefore all good, the fix works as expected! \o/

tags: added: verification-done-jammy
removed: verification-needed-jammy
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby3.0 - 3.0.2-7ubuntu2.2

---------------
ruby3.0 (3.0.2-7ubuntu2.2) jammy; urgency=medium

  * d/p/fix-length-calc-for-Array#slice.patch: Add patch to
    fix length calculation for Array#slice!. (LP: #1982703)

 -- Utkarsh Gupta <email address hidden> Mon, 14 Nov 2022 17:21:06 +0530

Changed in ruby3.0 (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for ruby3.0 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.