diff options
| author | Peter Zhu <[email protected]> | 2024-11-27 13:57:35 -0500 |
|---|---|---|
| committer | Peter Zhu <[email protected]> | 2024-11-27 14:36:50 -0500 |
| commit | 7dd2afbe3a14d021e5554288517709f5778c3d58 (patch) | |
| tree | b12b8f848c6d1eebbb7f2a1e837e678397abe3fe /addr2line.c | |
| parent | 34a43d59721bfc492d133875e43664039bf8900e (diff) | |
Fix global-buffer-overflow when outputting C backtrace
fill_lines is passed -1 for offset, which causes it to read the -1 index
of traces. This is not valid memory as -1 is reading before the trace
global variable in rb_print_backtrace. This code comes from commit
99d1f5f88b9b6de3124e31019902f91e030d334f, where there used to be special
handling for the -1 index.
We can see this error in ASAN:
==71037==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00010157abf8 at pc 0x00010116f3b8 bp 0x00016f92c3b0 sp 0x00016f92c3a8
READ of size 8 at 0x00010157abf8 thread T0
#0 0x10116f3b4 in debug_info_read addr2line.c:1945
#1 0x10116cc90 in fill_lines addr2line.c:2497
#2 0x101169dbc in rb_dump_backtrace_with_lines addr2line.c:2635
#3 0x100e56788 in rb_print_backtrace vm_dump.c:825
#4 0x100e56db4 in rb_vm_bugreport vm_dump.c:1155
#5 0x100734dc4 in rb_bug_without_die error.c:1085
#6 0x100734ae4 in rb_bug error.c:109
Notes
Notes:
Merged: https://github.com/ruby/ruby/pull/12185
Diffstat (limited to 'addr2line.c')
| -rw-r--r-- | addr2line.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/addr2line.c b/addr2line.c index f225d8d293..4f5509e567 100644 --- a/addr2line.c +++ b/addr2line.c @@ -2632,7 +2632,7 @@ rb_dump_backtrace_with_lines(int num_traces, void **traces, FILE *errout) memcpy(main_path, binary_filename, len+1); append_obj(&obj); obj->path = main_path; - addr = fill_lines(num_traces, traces, 1, &obj, lines, -1, errout); + addr = fill_lines(num_traces, traces, 1, &obj, lines, 0, errout); if (addr != (uintptr_t)-1) { dladdr_fbases[0] = (void *)addr; } |