Bug 1470925
| Summary: | There is a heap-buffer-overflow in parse_ref() in bison. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | owl337 <v.owl337> |
| Component: | bison | Assignee: | Arjun Shankar <ashankar> |
| Status: | CLOSED UPSTREAM | QA Contact: | Edjunior Barbosa Machado <emachado> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.1 | CC: | codonell, emachado, law, mnewsome, v.owl337 |
| Target Milestone: | pre-dev-freeze | Keywords: | Reopened |
| Target Release: | 8.1 | Flags: | ashankar: needinfo? (v.owl337) |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-01-08 15:37:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Dear OWL337 Team,

Thank you for filing this report. Unfortunately, I cannot find the reproducer that was initially attached to this bug. It seems to have been deleted. I was wondering if you have a copy available.

Cheers!

Dear OWL337 Team,

Thank you for filing this report. Like I wrote in my earlier comment, I cannot find the reproducer that was initially attached to this bug. It seems to have been deleted. If you have a copy available, please attach and report this upstream, or again here on RH bugzilla.

Cheers!
Description of problem:

The vulnerability was triggered in function parse_ref() at src/scan-code.l:450.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./bison POC2

Steps to Reproduce:

The information is as follows:

```
$./bison POC2
id:000006,sig:11,src:001158,op:arith8,pos:33,val:+27:1.5: error: symbol S is used, but is not defined as a token and has no rules
 %%D:S{’?<:p{$}EEE@->$<p{$}EE>[%>\:}D%%H:£{
 ^
Segmentation fault
```

The ASAN debugging information is as follows:

```
$./bison POC2
id:000006,sig:11,src:001158,op:arith8,pos:33,val:+27:1.5: error: symbol S is used, but is not defined as a token and has no rules
 %%D:S{?ˉ?<:p{$}EEE@->$<p{$}EE>[%>\:}D%%H:?{
 ^
=================================================================
==52395==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000d634 at pc 0x000000579aa9 bp 0x7ffda0f6e010 sp 0x7ffda0f6e008
READ of size 1 at 0x60400000d634 thread T0
    #0 0x579aa8 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x579aa8)
    #1 0x576498 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x576498)
    #2 0x570ae0 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x570ae0)
    #3 0x563e96 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x563e96)
    #4 0x51a2c6 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x51a2c6)
    #5 0x7fc68f1d4abf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #6 0x43ced8 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x43ced8)

0x60400000d634 is located 0 bytes to the right of 36-byte region [0x60400000d610,0x60400000d634)
allocated by thread T0 here:
    #0 0x4c3ea2 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x4c3ea2)
    #1 0x56fb7c (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x56fb7c)
    #2 0x570ae0 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x570ae0)
    #3 0x51a2c6 (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x51a2c6)

Shadow bytes around the buggy address:
  0x0c087fff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9ac0: fa fa 00 00 00 00[04]fa fa fa fd fd fd fd fd fd
  0x0c087fff9ad0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff9ae0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9af0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 06
  0x0c087fff9b00: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9b10: fa fa 00 00 00 00 00 01 fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==52395==ABORTING
```

The vulnerability was triggered in function parse_ref() at src/scan-code.l:450.

```c
415 /* Parse named or positional reference.  In case of positional
416    references, can return negative values for $-n "deep" stack
417    accesses. */
418 static long int
419 parse_ref (char *cp, symbol_list *rule, int rule_length,
420            int midrule_rhs_index, char *text, location text_loc,
421            char dollar_or_at)
422 {
...
445
446   if ('[' == *cp)
447     {
448       /* Ignore the brackets. */
449       char *p;
450       for (p = ++cp; *p != ']'; ++p)
451         continue;
452       cp_end = p;
453
454       explicit_bracketing = true;
455     }
```

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
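The loop at line 450 scans for `]` with no bound, so an unterminated `[` in the action text sends it past the end of the heap buffer, which is exactly what the ASAN report above shows (a read 0 bytes past a 36-byte region). The following is an added example of a bounded version of that scan, written for this page; it is not bison's code and not the upstream fix, and the names `find_bracket_end` and `parse_bracketed_ref` are my own.

```c
#include <stddef.h>
#include <stdio.h>

/* Bounded replacement for the bracket scan in parse_ref(). The original
   loop, for (p = ++cp; *p != ']'; ++p) continue;, keeps reading until it
   finds ']', so a missing ']' walks off the end of the buffer. This version
   takes the end of the buffer and returns NULL when no ']' is in range. */
static const char *
find_bracket_end (const char *cp, const char *end)
{
  const char *p;
  for (p = cp; p < end; ++p)
    if (*p == ']')
      return p;
  return NULL;
}

/* Parse a bracketed reference "[name]" at the start of the AVAIL bytes at
   CP. On success store the name length in *LEN and return 0; return -1 if
   the text is not bracketed or the closing ']' is missing, instead of
   reading past the buffer. */
int
parse_bracketed_ref (const char *cp, size_t avail, size_t *len)
{
  const char *end = cp + avail;
  const char *close;
  if (avail == 0 || *cp != '[')
    return -1;
  close = find_bracket_end (cp + 1, end);
  if (close == NULL)
    return -1;                  /* unterminated '[': reject, do not over-read */
  *len = (size_t) (close - (cp + 1));
  return 0;
}

int
main (void)
{
  /* Constructed inputs: a well-formed reference and an unterminated one. */
  const char ok[] = "[name]rest";
  const char bad[] = "[name";   /* no ']' before the end of the buffer */
  size_t len = 0;
  int rc = parse_bracketed_ref (ok, sizeof ok - 1, &len);
  printf ("ok  -> rc %d, name length %zu\n", rc, len);
  rc = parse_bracketed_ref (bad, sizeof bad - 1, &len);
  printf ("bad -> rc %d (rejected, no out-of-bounds read)\n", rc);
  return 0;
}
```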