Bug #21787: `IO::Buffer` Integer Overflow in Range Validation Leads to Out-of-Bounds Memory Access

Added by nobu (Nobuyoshi Nakada) 6 days ago. Updated 6 days ago.

Status: Closed
Assignee: -
Target version: -
[ruby-core:124270]

Description

From: https://hackerone.com/reports/3437743

The IO::Buffer implementation in Ruby contains a critical integer overflow vulnerability in its range validation logic. The io_buffer_validate_range function assumes that offset+length never wraps around, so a carefully chosen large offset value bypasses the bounds check: when the sum overflows, the wrapped value appears to be within bounds while the actual destination pointer (base + offset) lies outside the buffer. Subsequent operations (write/read copies) use this wrapped offset without further validation, enabling out-of-bounds memory access directly from Ruby code.
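The following is an added C illustration of the defect class described above, written for this page and not taken from Ruby's io_buffer.c: a range check of the form `offset + length <= size` beside a wrap-safe version that compares against `size - offset` instead. The function names, the 4096-byte buffer and the sample offsets are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Overflow-prone check (constructed example, not Ruby's code):
 * offset + length is computed in size_t and can wrap around to a
 * small value, so a huge offset passes the comparison. */
static bool range_ok_naive(size_t size, size_t offset, size_t length)
{
    return offset + length <= size;
}

/* Wrap-safe check: validate offset first, then compare length against
 * the remaining space. Neither expression can overflow. */
static bool range_ok_safe(size_t size, size_t offset, size_t length)
{
    if (offset > size)
        return false;
    return length <= size - offset;
}

/* A copy routine guarded by the safe check. Returns the number of
 * bytes written, or 0 when the range is rejected. */
static size_t buffer_write_safe(unsigned char *base, size_t size,
                                size_t offset, const void *src, size_t length)
{
    if (!range_ok_safe(size, offset, length))
        return 0;
    memcpy(base + offset, src, length);
    return length;
}

/* Returns true when the naive check accepts a range that the safe
 * check rejects, i.e. when the wraparound bypass is present. */
static bool bypass_detected(size_t size, size_t offset, size_t length)
{
    return range_ok_naive(size, offset, length) &&
           !range_ok_safe(size, offset, length);
}

int main(void)
{
    unsigned char buf[4096] = {0};          /* constructed buffer */
    size_t size = sizeof buf;
    size_t length = 16;
    size_t wrap_offset = SIZE_MAX - 7;      /* offset + 16 wraps to 8 */

    printf("naive check accepts wrapped offset: %s\n",
           range_ok_naive(size, wrap_offset, length) ? "yes" : "no");
    printf("safe  check accepts wrapped offset: %s\n",
           range_ok_safe(size, wrap_offset, length) ? "yes" : "no");
    printf("safe write of 16 bytes at 4080: %zu bytes\n",
           buffer_write_safe(buf, size, 4080, "0123456789abcdef", 16));
    printf("safe write of 16 bytes at 4081: %zu bytes\n",
           buffer_write_safe(buf, size, 4081, "0123456789abcdef", 16));
    return 0;
}
```

The naive form is exactly the pattern that fails here: with `offset = SIZE_MAX - 7` and `length = 16` the sum wraps to 8, which is comfortably below `size`, while `base + offset` points far outside the allocation. Rewriting the comparison so that the subtraction happens on the already-validated side removes the overflow entirely.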

https://hackerone.com/reports/3437743#activity-38521790

We decided to fix this as a regular bug since IO::Buffer is experimental.

https://github.com/ruby/ruby/pull/15599
