The `EventMachine_t::_RunSelectOnce()` function crashes the whole Ruby VM when it hits FDs over `FD_SETSIZE`. In my case, a too-high fd becomes available for reading. The `fdreads` and `fdwrites` sets overlap, so when fd N is available for reading, EM thinks that fd N-1024 is available for writing. The descriptor in question is a server socket (`AcceptorDescriptor`), which `throw`s in its `Write` function. Down comes the VM.
It appears I can fix this with a simple `EM.epoll`, so it's not urgent for me. But it would be nice to have `assert(fd < FD_SETSIZE)` before each call to `FD_SET` here. Then at least the crashes would be straightforward and in the right place.
It's also possible, at least on Linux, to `malloc` `fd_set`s with more than `FD_SETSIZE` bits in them. So instead of crashing when `fd >= FD_SETSIZE`, just `realloc`.
I'm happy to write and PR either solution.
Theoretically, this is a remote-exploitable defect. 💣 💥
`SelectData` is a local variable in `_RunSelectOnce`, so overflows in `fdreads` can escape up into the stack frame. By manipulating when FDs above 1024*3 are readable, an attacker can put arbitrary bits in the stack frame.
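The aliasing described in the report and the stack-frame point made in the comment above, as an added example (this is not EventMachine's code and not code posted by either participant). It assumes a hypothetical `struct select_data` with three contiguous `fd_set`s standing in for `SelectData`, and the glibc/musl representation of `fd_set` as an array of `long` words; `raw_set_bit` mimics an unchecked `FD_SET` but refuses to write past the struct so the demo itself stays well defined. It also shows the two fixes the report proposes: a bounds check before `FD_SET`, and a heap-allocated bit set sized by the largest fd.

```c
/* Added example, not EventMachine's code: fd_set aliasing past FD_SETSIZE,
 * plus the two fixes proposed in the issue (bounds check, growable set). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>

/* Hypothetical stand-in for SelectData: three fd_sets laid out back to back. */
struct select_data {
    fd_set fdreads;
    fd_set fdwrites;
    fd_set fderrors;
};

#define WORD_BITS (8 * sizeof(unsigned long))

/* Set bit `fd` counting from the start of `base`, as an unchecked FD_SET does
 * (assumes the glibc/musl layout: fd_set is an array of long words). Unlike the
 * real macro it refuses to write past `len` bytes; in the real code that is the
 * point where the write lands in the enclosing stack frame. */
static int raw_set_bit(void *base, size_t len, int fd)
{
    unsigned long *words = base;
    if (fd < 0 || (size_t)fd / WORD_BITS >= len / sizeof(unsigned long))
        return 0;
    words[fd / WORD_BITS] |= 1UL << (fd % WORD_BITS);
    return 1;
}

/* Simulate "fd readable_fd is readable" written unchecked into fdreads and
 * report which fd fdwrites now claims is writable. Returns -1 if none, or if
 * the bit would have fallen outside the struct entirely. */
static int aliased_write_fd(int readable_fd)
{
    struct select_data sd;
    memset(&sd, 0, sizeof sd);
    if (!raw_set_bit(&sd, sizeof sd, readable_fd))
        return -1;
    for (int fd = 0; fd < FD_SETSIZE; fd++)
        if (FD_ISSET(fd, &sd.fdwrites))
            return fd;
    return -1;
}

/* Fix 1: the guard the report asks for. Returns 0 instead of writing out of
 * bounds so the caller can fail loudly or fall back to epoll/poll. */
static int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    FD_SET(fd, set);
    return 1;
}

/* Fix 2: a bit set sized by the largest fd, grown with realloc. Same word
 * layout as fd_set, so on Linux (fd_set *)s->words can be passed to select()
 * with nfds = max_fd + 1. */
struct big_fd_set { unsigned long *words; size_t nwords; };

static int big_fd_set_set(struct big_fd_set *s, int fd)
{
    if (fd < 0)
        return 0;
    size_t need = (size_t)fd / WORD_BITS + 1;
    if (need > s->nwords) {
        unsigned long *w = realloc(s->words, need * sizeof *w);
        if (!w)
            return 0;
        memset(w + s->nwords, 0, (need - s->nwords) * sizeof *w);
        s->words = w;
        s->nwords = need;
    }
    s->words[fd / WORD_BITS] |= 1UL << (fd % WORD_BITS);
    return 1;
}

static int big_fd_set_isset(const struct big_fd_set *s, int fd)
{
    if (fd < 0 || (size_t)fd / WORD_BITS >= s->nwords)
        return 0;
    return (int)((s->words[fd / WORD_BITS] >> (fd % WORD_BITS)) & 1UL);
}

int main(void)
{
    int n = FD_SETSIZE + 5;
    printf("fd %d readable -> fdwrites reports fd %d\n", n, aliased_write_fd(n));
    printf("fd %d readable -> %d (past fderrors: would hit the stack frame)\n",
           3 * FD_SETSIZE + 8, aliased_write_fd(3 * FD_SETSIZE + 8));
    fd_set set;
    FD_ZERO(&set);
    printf("checked_fd_set(FD_SETSIZE) = %d\n", checked_fd_set(FD_SETSIZE, &set));
    struct big_fd_set big = { NULL, 0 };
    big_fd_set_set(&big, 5000);
    printf("big set has fd 5000: %d\n", big_fd_set_isset(&big, 5000));
    free(big.words);
    return 0;
}
```

With `FD_SETSIZE` at its usual value of 1024, a readable fd of 1029 shows up as fd 5 in `fdwrites`, which is the N-1024 shift the report observed; an fd beyond three sets is exactly the write that no longer lands in any `fd_set` at all.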