[BUG] Fatal recycling of SystemStackErrors

[Florian Gross]

Moin!

In Ruby 1.8.0 old SystemStackErrors seem to be reused when
there should have been raised a new one instead:

irb(main):001:0> y = proc { y.call }; y.call rescue nil
=> nil
irb(main):002:0> eval 'z = proc { z.call }; z.call'
SystemStackError: (irb):1:in `irb_binding': stack level too deep

This can cause serious problems when you're running multiple Threads
with different levels of safeness, because of fatal exceptions. This
code snippet:

2.times {
begin
Thread.new {
$SAFE = 4 # error isn't caused on lower $SAFE levels
r = proc { r.call }; r.call # create a SystemStackError
}.value
rescue Exception => error; end
p error
}

produces this output for me:

nil
#<fatal: exception reentered>

I'm using ruby 1.8.0 (2003-08-04) [i386-mswin32] and the errors also
occur with linux releases of ruby 1.8.0.

I haven't been able to run the above test code on an 1.6.8 release yet,
so the bug might have been introduced only recently.

That fatal exception is a show stopper for me because my application is
instantly killed by it and because weirdly I'm not able to rescue it in
the context where it happens.

Regards,
Florian Gross

 

[Yukihiro Matsumoto]

Hi,

In message "[BUG] Fatal recycling of SystemStackErrors"

|In Ruby 1.8.0 old SystemStackErrors seem to be reused when
|there should have been raised a new one instead:

Thank you for the report. I will fix this soon, but the
SystemStackError object will remain reused.

The SystemStackError object was reused because when the error happened
stack region may be too short to create new instance.

matz.

 

[Florian Gross]

Hi,
Moin!

Thank you for the report. I will fix this soon, but the
SystemStackError object will remain reused.

First of all: Thanks for fixing this so fast!

I think your fix might introduce a new security hole in this rare case:

An attacker in a safe environment causes the first SystemStackError of
your application to happen and rescues it into a variable. He then does
this:

def error.inspect
puts "Gotcha!"
end

Later in your application code outside of the safe environment another
SystemStackError occurs (the attacker can't cause this which means that
this whole condition is quite rare) and the malicious inspect-method of
the SystemStackError is called.

I think that this can be fixed by also freezing the globally stored
system stack error:

--- old/ruby/eval.c Fri Oct 31 21:24:47 2003
+++ new/ruby/eval.c Fri Oct 31 21:29:15 2003
@@ -7736,6 +7736,7 @@ Init_Proc()
rb_eSysStackError = rb_define_class("SystemStackError",
rb_eStandardError);
sysstack_error = rb_exc_new2(rb_eSysStackError, "stack level too
deep");
OBJ_TAINT(sysstack_error);
+ OBJ_FREEZE(sysstack_error);
rb_global_variable(&sysstack_error);

rb_cProc = rb_define_class("Proc", rb_cObject);


Regards,
Florian Gross