Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1470925

Summary: There is a heap-buffer-overflow in parse_ref() in bison.
Product: Red Hat Enterprise Linux 8 Reporter: owl337 <v.owl337>
Component: bisonAssignee: Arjun Shankar <ashankar>
Status: CLOSED UPSTREAM QA Contact: Edjunior Barbosa Machado <emachado>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 8.1CC: codonell, emachado, law, mnewsome, v.owl337
Target Milestone: pre-dev-freezeKeywords: Reopened
Target Release: 8.1   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-08 15:37:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Triggered by "./bison $POC" none

Description owl337 2017-07-14 02:44:52 UTC 
Description of problem:

The vulnerability was triggered in function parse_ref() at src/scan-code.l:450.


Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./bison POC2

Steps to Reproduce:

The information is as follows:

$./bison POC2
 
id:000006,sig:11,src:001158,op:arith8,pos:33,val:+27:1.5: error: symbol S is used, but is not defined as a token and has no rules
 %%D:S{’?<:p{$}EEE@->$<p{$}EE>[%>\:}D%%H:£{	
     ^
Segmentation fault

The ASAN debugging  information is as follows:

$./bison POC2
id:000006,sig:11,src:001158,op:arith8,pos:33,val:+27:1.5: error: symbol S is used, but is not defined as a token and has no rules
 %%D:S{?ˉ?<:p{$}EEE@->$<p{$}EE>[%>\:}D%%H:?{	
     ^
=================================================================
==52395==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000d634 at pc 0x000000579aa9 bp 0x7ffda0f6e010 sp 0x7ffda0f6e008
READ of size 1 at 0x60400000d634 thread T0
    #0 0x579aa8  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x579aa8)
    #1 0x576498  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x576498)
    #2 0x570ae0  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x570ae0)
    #3 0x563e96  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x563e96)
    #4 0x51a2c6  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x51a2c6)
    #5 0x7fc68f1d4abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #6 0x43ced8  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x43ced8)

0x60400000d634 is located 0 bytes to the right of 36-byte region [0x60400000d610,0x60400000d634)
allocated by thread T0 here:
    #0 0x4c3ea2  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x4c3ea2)
    #1 0x56fb7c  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x56fb7c)
    #2 0x570ae0  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x570ae0)
    #3 0x51a2c6  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x51a2c6)

Shadow bytes around the buggy address:
  0x0c087fff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9ac0: fa fa 00 00 00 00[04]fa fa fa fd fd fd fd fd fd
  0x0c087fff9ad0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff9ae0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9af0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 06
  0x0c087fff9b00: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9b10: fa fa 00 00 00 00 00 01 fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==52395==ABORTING


The vulnerability was triggered in function parse_ref() at src/scan-code.l:450.

415 /* Parse named or positional reference. In case of positional
416    references, can return negative values for $-n "deep" stack
417    accesses. */
418 static long int
419 parse_ref (char *cp, symbol_list *rule, int rule_length,
420            int midrule_rhs_index, char *text, location text_loc,
421            char dollar_or_at)
422 {
 ...
445 
446   if ('[' == *cp)
447     {
448       /* Ignore the brackets. */
449       char *p;
450       for (p = ++cp; *p != ']'; ++p)
451         continue;
452       cp_end = p;
453 
454       explicit_bracketing = true;
455     }


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.
Comment 9 Arjun Shankar 2018-11-21 15:24:15 UTC 
Dear OWL337 Team,

Thank you for filing this report.

Unfortunately, I cannot find the reproducer that was initially attached to this bug. It seems to have been deleted. I was wondering if you have a copy available.

Cheers!
Comment 12 Arjun Shankar 2020-01-08 15:37:24 UTC 
Dear OWL337 Team,

Thank you for filing this report.

Like I wrote in my earlier comment, I cannot find the reproducer that was initially attached to this bug. It seems to have been deleted. If you have a copy available, please attach and report this upstream, or again here on RH bugzilla.

Cheers!
Comment 13 Red Hat Bugzilla 2023-11-16 04:25:03 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days