EM select loop crashes when fd >= FD_SETSIZE

[piki]

The [_RunSelectOnce](void EventMachine_t::_RunSelectOnce%28%29) function crashes the whole Ruby VM when it hits FDs over FD_SETSIZE. In my case, a too-high fd becomes available for reading. The fdreads and fdwrites sets overlap, so when fd N is available for reading, EM thinks that fd N-1024 is available for writing. The descriptor in question is a server socket (AcceptorDescriptor), which throws in its Write function. Down comes the VM.

It appears I can fix this with a simple EM.epoll, so it's not urgent for me. But it would be nice to have assert(fd < FD_SETSIZE) before each call to FD_SET here. Then at least the crashes would be straightforward and in the right place.

It's also possible, at least on Linux, to malloc fd_sets with more than FD_SETSIZE bits in them. So instead of crashing when fd >= FD_SETSIZE, just realloc.

I'm happy to write and PR either solution.

[piki]

Theoretically, this is a remote-exploitable defect. 💣 💥

SelectData is a local variable in _RunSelectOnce, so overflows in fdreads can escape up into the stack frame. By manipulating when FDs above 1024*3 are readable, an attacker can put arbitrary bits in the stack frame.

[tmm1]

We can use rb_fdset_t in newer rubies to handle dynamic sizing for us. See https://github.com/redis/hiredis-rb/pull/18/files as an example

[piki]

What do you want to do about older Rubies?