Bug 1470917
| Field | Value |
|---|---|
| Summary | There is a heap-buffer-overflow in bison. |
| Product | Red Hat Enterprise Linux 8 |
| Reporter | owl337 <v.owl337> |
| Component | bison |
| Assignee | Arjun Shankar <ashankar> |
| Status | CLOSED WONTFIX |
| QA Contact | Edjunior Barbosa Machado <emachado> |
| Severity | urgent |
| Priority | unspecified |
| Version | 8.1 |
| CC | codonell, emachado, law, mnewsome |
| Target Milestone | pre-dev-freeze |
| Keywords | Reopened, Triaged |
| Target Release | 8.1 |
| Hardware | x86_64 |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2020-07-27 16:46:27 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
I recently rebased bison to 3.6.4 on Rawhide, and tested for this crash on Fedora 32 and Rawhide:

- bison-3.5-2.fc32 segfaults
- bison-3.6.4-1.fc33 correctly reports an error and exits

This is no longer reproducible in bison-3.6.4, which is in Fedora/Rawhide. Several crashes were reported upstream in March 2020 and fixed prior to release: https://lists.gnu.org/r/bug-bison/2020-03/threads.html

Considering that this input is generated by a fuzzer and that bison is a development tool, I'd say that having this fixed in Rawhide is good enough.

So I bisected for this and it appears that it was fixed by the following commit:
```
commit 641e326303753575664ca146fee7e9148d6bf5cf
Author: Akim Demaille <address@hidden>
Date:   Fri Mar 6 09:05:52 2020 +0100

    code: be robust to reference with invalid tags

    Because we want to support $<a->b>$, we must accept -> in type tags,
    and reject $<->$, as it is unfinished.
    Reported by Ahcheong Lee.

    * src/scan-code.l (yylex): Make sure "tag" does not end with -, since
    -> does not close the tag.
    * tests/input.at (Stray $ or @): Check this.
```
This fix was the result of the following upstream bug report by Ahcheong Lee:
https://lists.gnu.org/r/bug-bison/2020-03/msg00009.html

That SIGSEGV was also the finding of a (different) fuzzer but the input is quite different.

Ahcheong made multiple reports in March 2020 and if I understand correctly, CVE-2020-14150 was assigned to one/more of these reports.

Thank you for filing this report. This bug is now fixed in Fedora Rawhide and will eventually make it to a future release of RHEL. Since this is a crash induced by fuzzed input (in the form of code) and the input causes bison itself to crash and isn't a security flaw in generated code itself, it is not likely to impact a running service. Considering the above, we do not plan to fix this in an update to RHEL-8. Please re-open this bug and associate a customer ticket to revisit this decision.
Created attachment 1298063
Triggered by "./bison $POC"

Description of problem:
The vulnerability was triggered in function fetch_type_name () at src/scan-code.l:609.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./bison POC1

Steps to Reproduce:
The information is as follows:

```
$./bison POC1
POC1: error: symbol p is used, but is not defined as a token and has no rules
 %%D:p{?ˉ?:p{$}D->S:}D%%h:{
 ^
Segmentation fault
```

The ASAN debugging information is as follows:

```
POC1: error: symbol p is used, but is not defined as a token and has no rules
 %%D:p{’?:p{$}D->S:}D%%h:{
 ^
=================================================================
==51695==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e664 at pc 0x000000579372 bp 0x7ffc4a0cc990 sp 0x7ffc4a0cc988
READ of size 1 at 0x60300000e664 thread T0
    #0 0x579371 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x579371)
    #1 0x570ae0 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x570ae0)
    #2 0x563e96 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x563e96)
    #3 0x51a2c6 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x51a2c6)
    #4 0x7faf5c0ababf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #5 0x43ced8 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x43ced8)

0x60300000e664 is located 0 bytes to the right of 20-byte region [0x60300000e650,0x60300000e664)
allocated by thread T0 here:
    #0 0x4c3ea2 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x4c3ea2)
    #1 0x56fb7c (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x56fb7c)
    #2 0x570ae0 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x570ae0)
    #3 0x51a2c6 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x51a2c6)

Shadow bytes around the buggy address:
  0x0c067fff9c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9cc0: fa fa fa fa fa fa fa fa fa fa 00 00[04]fa fa fa
  0x0c067fff9cd0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fd
  0x0c067fff9ce0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff9cf0: fd fa fa fa 00 00 00 00 fa fa fd fd fd fa fa fa
  0x0c067fff9d00: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 00
  0x0c067fff9d10: fa fa fd fd fd fa fa fa 00 00 00 00 fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==51695==ABORTING
```

The vulnerability was triggered in function fetch_type_name () at src/scan-code.l:609:

```c
599 static
600 char *
601 fetch_type_name (char *cp, char const **type_name,
602                  location dollar_loc)
603 {
604   if (*cp == '<')
605     {
606       *type_name = ++cp;
607       /* Series of non-'>' or "->".  */
608       while (*cp != '>' || cp[-1] == '-')
609         ++cp;
610
611       /* The '>' symbol will be later replaced by '\0'.  Original
612          'text' is needed for error messages.  */
613       ++cp;
614       if (untyped_var_seen)
615         complain (&dollar_loc, complaint,
616                   _("explicit type given in untyped grammar"));
617       tag_seen = true;
618     }
619   return cp;
620 }
```

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
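As an added illustration (code written for this page, not bison's own code and not the upstream fix), here is a bounds-checked rewrite of the fetch_type_name loop quoted above. The defect in the original is that the loop `while (*cp != '>' || cp[-1] == '-')` only stops at a '>' that is not preceded by '-', so an action such as `$<->$` with no later closing '>' sends the scan past the end of the heap-allocated action text, which is the 1-byte read just right of the 20-byte region that ASAN reports. The rewrite takes the end of the buffer as an extra parameter and treats running into it as an unterminated tag; a '>' after '-' is still part of the tag, as the original comment describes, so `<a->b>` is accepted and `$<->$` is reported as unfinished, the same two shapes the commit message names. The enum tag_status, the count_typed_refs walker, the small wrapper functions and the sample action strings are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not bison's own code: a bounds-checked variant of the
   tag scanner quoted in the report (fetch_type_name in src/scan-code.l).
   The original loop assumes a closing '>' exists somewhere ahead of cp;
   on "$<->$" the '>' is skipped because it follows '-', and the scan
   walks off the end of the action buffer.  Here the caller passes the
   buffer end and the scan never reads at or beyond it. */

enum tag_status
{
  TAG_NONE,          /* no '<' at cp: an untyped reference such as $$ */
  TAG_OK,            /* "<tag>" consumed, tag recorded */
  TAG_UNTERMINATED   /* reached end of buffer before a closing '>' */
};

/* Scan an optional "<tag>" at cp without touching [end, ...).  As in the
   original, a '>' preceded by '-' is part of the tag, so "<a->b>" gives
   the tag "a->b", while "<->" followed by end of input is unfinished
   (the case the upstream fix rejects instead of overrunning). */
static const char *
fetch_type_name_bounded (const char *cp, const char *end,
                         const char **tag, size_t *tag_len,
                         enum tag_status *status)
{
  *tag = NULL;
  *tag_len = 0;
  if (cp >= end || *cp != '<')
    {
      *status = TAG_NONE;
      return cp;
    }
  const char *start = ++cp;
  /* Series of non-'>' or "->", bounded by end.  cp[-1] is safe: at
     cp == start it reads the '<' we just stepped over. */
  while (cp < end && (*cp != '>' || cp[-1] == '-'))
    ++cp;
  if (cp == end)
    {
      *status = TAG_UNTERMINATED;
      return cp;
    }
  *tag = start;
  *tag_len = (size_t) (cp - start);
  *status = TAG_OK;
  return cp + 1;   /* step over the closing '>' */
}

/* Constructed helper: walk an action body counting its typed "$<tag>"
   references.  Returns the number of well-formed tags; *unterminated
   receives 1 if a tag never closes (it swallows the rest of the body). */
static int
count_typed_refs (const char *action, size_t len, int *unterminated)
{
  const char *end = action + len;
  int ok = 0;
  *unterminated = 0;
  for (const char *cp = action; cp < end; ++cp)
    if (*cp == '$')
      {
        const char *tag;
        size_t tag_len;
        enum tag_status st;
        const char *next
          = fetch_type_name_bounded (cp + 1, end, &tag, &tag_len, &st);
        if (st == TAG_OK)
          ok++;
        else if (st == TAG_UNTERMINATED)
          {
            (*unterminated)++;
            break;
          }
        cp = next - 1;   /* the loop's ++cp then lands on next */
      }
  return ok;
}

/* Wrappers so a single expression answers each question. */
static int good_refs (const char *s) { int bad; return count_typed_refs (s, strlen (s), &bad); }
static int bad_refs (const char *s) { int bad; count_typed_refs (s, strlen (s), &bad); return bad; }

/* Length of the tag opening at s; -1 if unterminated, -2 if there is none. */
static int
first_tag_len (const char *s)
{
  const char *tag; size_t n; enum tag_status st;
  fetch_type_name_bounded (s, s + strlen (s), &tag, &n, &st);
  return st == TAG_OK ? (int) n : st == TAG_UNTERMINATED ? -1 : -2;
}

int
main (void)
{
  /* Constructed inputs: the two shapes named in the fix's commit message
     and a plain untyped action. */
  const char *actions[] = { "$<int>$ = $<a->b>1;", "{ $<->$ }", "$$ = $1;" };
  for (size_t i = 0; i < sizeof actions / sizeof *actions; i++)
    printf ("%-22s typed=%d unterminated=%d\n", actions[i],
            good_refs (actions[i]), bad_refs (actions[i]));
  return 0;
}
```

The design point is that the scanner is given the buffer's extent rather than trusting the input to contain a terminator: the loop gains one `cp < end` test and an explicit "unterminated" outcome, and the caller can then emit the kind of error bison 3.6.4 reports instead of a SIGSEGV.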