From 93faa011d393bb4b5cf31a0cbb46922f0a5e7cdc Mon Sep 17 00:00:00 2001
From: Alan Wu <XrXr@users.noreply.github.com>
Date: Sun, 22 Sep 2019 15:36:00 -0400
Subject: Tag string shared roots to fix use-after-free

The buffer deduplication codepath in rb_fstring can be used to free the buffer
of shared string roots, which leads to use-after-free.

Introudce a new flag to tag strings that at one point have been a shared root.
Check for it in rb_fstring to avoid freeing buffers that are shared by
multiple strings. This change is based on nobu's idea in [ruby-core:94838].

The included test case test for the sequence of calls to internal functions
that lead to this bug. See attached ticket for Ruby level repros.

[Bug #16151]
---
 test/-ext-/string/test_fstring.rb | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'test/-ext-')

diff --git a/test/-ext-/string/test_fstring.rb b/test/-ext-/string/test_fstring.rb
index 8612b5d710..9a54f6bfcc 100644
--- a/test/-ext-/string/test_fstring.rb
+++ b/test/-ext-/string/test_fstring.rb
@@ -71,4 +71,13 @@ class Test_String_Fstring < Test::Unit::TestCase
     str.freeze
     assert_fstring(str) {|s| assert_instance_of(S, s)}
   end
+
+  def test_shared_string_safety
+    -('a' * 30).force_encoding(Encoding::ASCII)
+    str = ('a' * 30).force_encoding(Encoding::ASCII).taint
+    frozen_str = Bug::String.rb_str_new_frozen(str)
+    assert_fstring(frozen_str) {|s| assert_equal(str, s)}
+    GC.start
+    assert_equal('a' * 30, str, "[Bug #16151]")
+  end
 end
-- 
cgit v1.2.3