author: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2019-09-27 11:23:18 +0000
committer: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2019-09-27 11:23:18 +0000
commit: 641e3843419b7a6587c0d5a0562c022c97d31af1 (patch)
tree: e2a7387237310cd421924c362042ff81192e2bb1 /test/-ext-
parent: a165a066e8f976a79256188c53e0e60f11c98607 (diff)
merge revision(s) 93faa011d393bb4b5cf31a0cbb46922f0a5e7cdc: [Backport #16151]
Tag string shared roots to fix use-after-free

The buffer deduplication codepath in rb_fstring can be used to free the buffer of shared string roots, which leads to use-after-free.

Introduce a new flag to tag strings that at one point have been a shared root. Check for it in rb_fstring to avoid freeing buffers that are shared by multiple strings. This change is based on nobu's idea in [ruby-core:94838].

The included test case tests for the sequence of calls to internal functions that lead to this bug. See attached ticket for Ruby level repros.

[Bug #16151]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67804 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test/-ext-')
-rw-r--r-- test/-ext-/string/test_fstring.rb 9
1 files changed, 9 insertions, 0 deletions
diff --git a/test/-ext-/string/test_fstring.rb b/test/-ext-/string/test_fstring.rb
index 1b3b15c922..8b9eca891d 100644
--- a/test/-ext-/string/test_fstring.rb
+++ b/test/-ext-/string/test_fstring.rb
@@ -71,4 +71,13 @@ class Test_String_Fstring < Test::Unit::TestCase
str.freeze
assert_fstring(str) {|s| assert_instance_of(S, s)}
end
+
+ def test_shared_string_safety
+ -('a' * 30).force_encoding(Encoding::ASCII)
+ str = ('a' * 30).force_encoding(Encoding::ASCII).taint
+ frozen_str = Bug::String.rb_str_new_frozen(str)
+ assert_fstring(frozen_str) {|s| assert_equal(str, s)}
+ GC.start
+ assert_equal('a' * 30, str, "[Bug #16151]")
+ end
end
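Review bot: test_shared_string_safety depends on an exact call order that nothing in the test explains, so a later cleanup could quietly remove the regression coverage. The first statement, `-('a' * 30).force_encoding(Encoding::ASCII)`, discards its result and looks like dead code; a one-line comment saying it is there to intern an equal string before `Bug::String.rb_str_new_frozen(str)` and `assert_fstring` run would protect it, and the same goes for the `.taint` on `str` and the length of 30. The final `assert_equal('a' * 30, str, "[Bug #16151]")` also only detects the use-after-free if the freed buffer has actually been overwritten by the time `GC.start` returns, so a pass here does not prove the buffer is still owned. Consider noting that limitation in the test, or also running this case under a memory checker in CI.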