Bug 1649150

Summary: There is a heap-buffer-overflow at lalr.c:256 (function: build_relations) in bison 3.0.5.
Product: Red Hat Enterprise Linux 8
Reporter: shuitao gan <ganshuitao>
Component: bison
Assignee: Arjun Shankar <ashankar>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-tools-bugs
Severity: high
Docs Contact:
Priority: unspecified
Version: 8.2
CC: ashankar, codonell, emachado
Target Milestone: rc
Keywords: Patch, Reopened, Triaged
Target Release: 8.2
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-08-04 21:20:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: ./bison POC0 (flags: none)

Description shuitao gan 2018-11-13 03:04:12 UTC
Created attachment 1505086: ./bison POC0

version: bison 3.0.5
Summary:

There is a heap-buffer-overflow at lalr.c:256 build_relations in bison.

Description:

The asan debug is as follows:

$./bison POC0

=================================================================
==4827==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e6a0 at pc 0x00000041b67d bp 0x7ffe9b5119f0 sp 0x7ffe9b5119e0
WRITE of size 8 at 0x60200000e6a0 thread T0
    #0 0x41b67c in build_relations src/lalr.c:256
    #1 0x41b67c in lalr src/lalr.c:446
    #2 0x4227cf in ielr src/ielr.c:1117
    #3 0x4038b7 in main src/main.c:121
    #4 0x7fd9f5dbaa3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #5 0x404428 in _start (/home/company/real_sanitize/poc_check/bison/bison+0x404428)

0x60200000e6a0 is located 0 bytes to the right of 16-byte region [0x60200000e690,0x60200000e6a0)
allocated by thread T0 here:
    #0 0x7fd9f61fc9aa in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
    #1 0x47be98 in xmalloc lib/xmalloc.c:41

SUMMARY: AddressSanitizer: heap-buffer-overflow src/lalr.c:256 build_relations
Shadow bytes around the buggy address:
  0x0c047fff9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9cb0: fa fa fa fa fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff9cc0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00
=>0x0c047fff9cd0: fa fa 00 00[fa]fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9ce0: fa fa fd fa fa fa 04 fa fa fa 04 fa fa fa fd fd
  0x0c047fff9cf0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c047fff9d00: fa fa fd fd fa fa 00 fa fa fa 00 00 fa fa fd fd
  0x0c047fff9d10: fa fa 00 fa fa fa fd fd fa fa fd fd fa fa 00 fa
  0x0c047fff9d20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 02 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==4827==ABORTING

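Triage of a sanitizer report like the one above normally starts by pulling out the error class, the access type and size, the faulting frame, the allocation site and the distance from the region edge, and folding the in-project frames into a stable signature so that fuzzer crashes can be deduplicated before anyone looks at lalr.c. The Python below is an added example written for this page, not code from the reporter or from the bison project; it parses the report quoted above, embedded here as a constructed sample, and the names parse_asan_report, AsanReport, signature and describe are its own. The "left of region" arithmetic in expected_address is an assumption that mirrors the "right of region" case exercised by this report.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AddressSanitizer report quoted in this bug's
# description, trimmed to the lines the parser consumes. PID, addresses
# and frames are the page's own values.
SAMPLE_REPORT = """\
==4827==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e6a0 at pc 0x00000041b67d bp 0x7ffe9b5119f0 sp 0x7ffe9b5119e0
WRITE of size 8 at 0x60200000e6a0 thread T0
    #0 0x41b67c in build_relations src/lalr.c:256
    #1 0x41b67c in lalr src/lalr.c:446
    #2 0x4227cf in ielr src/ielr.c:1117
    #3 0x4038b7 in main src/main.c:121
    #4 0x7fd9f5dbaa3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #5 0x404428 in _start (/home/company/real_sanitize/poc_check/bison/bison+0x404428)

0x60200000e6a0 is located 0 bytes to the right of 16-byte region [0x60200000e690,0x60200000e6a0)
allocated by thread T0 here:
    #0 0x7fd9f61fc9aa in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
    #1 0x47be98 in xmalloc lib/xmalloc.c:41

SUMMARY: AddressSanitizer: heap-buffer-overflow src/lalr.c:256 build_relations
"""

HEADER_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
LOC_RE = re.compile(r"^(.+):(\d+)$")          # file:line frames (have debug info)
REGION_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)"
)


@dataclass
class AsanReport:
    pid: int
    error: str           # e.g. heap-buffer-overflow
    address: int         # faulting address
    access: str          # READ or WRITE
    size: int            # bytes accessed
    frames: list         # faulting stack: (function, file_or_module, line or None)
    alloc_frames: list   # allocation stack, same shape
    offset: int          # distance from the nearest region edge
    side: str            # "left" or "right" of the region
    region_size: int
    region: tuple        # (start, end), half-open

    def expected_address(self):
        # Cross-check the report: the faulting address must equal the region
        # edge plus the stated offset. The "left" branch is an assumption.
        start, end = self.region
        return end + self.offset if self.side == "right" else start - self.offset

    def signature(self, depth=3):
        # Dedup key: error kind plus the first `depth` frames that resolved to
        # file:line, which skips libc and _start frames without symbols.
        named = [f for f, _, line in self.frames if line is not None][:depth]
        return ":".join([self.error] + named)

    def describe(self):
        func, src, line = self.frames[0]
        afunc, asrc, aline = next((f for f in self.alloc_frames if f[2] is not None),
                                  ("?", "?", None))
        return (f"{self.access} of {self.size} bytes, {self.offset} bytes to the "
                f"{self.side} of a {self.region_size}-byte heap region allocated in "
                f"{afunc} ({asrc}:{aline}), from {func} ({src}:{line})")


def _frames(block):
    # Turn "#N 0xADDR in func location" lines into (func, file, line) tuples;
    # frames without a file:line keep the module path and a None line.
    out = []
    for func, loc in FRAME_RE.findall(block):
        m = LOC_RE.match(loc)
        if m:
            out.append((func, m.group(1), int(m.group(2))))
        else:
            out.append((func, loc.strip("()"), None))
    return out


def parse_asan_report(text):
    header = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    region = REGION_RE.search(text)
    if not (header and access and region):
        raise ValueError("not a heap-access AddressSanitizer report")
    return AsanReport(
        pid=int(header.group(1)),
        error=header.group(2),
        address=int(header.group(3), 16),
        access=access.group(1),
        size=int(access.group(2)),
        frames=_frames(text[:region.start()]),       # stack of the bad access
        alloc_frames=_frames(text[region.end():]),   # stack of the allocation
        offset=int(region.group(1)),
        side=region.group(2),
        region_size=int(region.group(3)),
        region=(int(region.group(4), 16), int(region.group(5), 16)),
    )


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(r.signature())
    print(r.describe())
    print("address consistent with region:", r.expected_address() == r.address)
```

For this report the signature comes out as heap-buffer-overflow:build_relations:lalr:ielr, and the description shows the shape of the defect that matters for triage: an 8-byte write landing exactly at the end of a 16-byte xmalloc'd region, i.e. one element past a two-element array, which is why ASan flags it as 0 bytes to the right rather than somewhere inside the redzone.
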
Comment 5 RHEL Program Management 2019-06-13 19:39:36 UTC
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Comment 6 Carlos O'Donell 2019-06-13 19:40:29 UTC
Sorry, this bug should remain open for triage. Reopening.

Comment 9 Arjun Shankar 2019-06-19 14:29:16 UTC
Red Hat Enterprise Linux 7 is entering Maintenance Support 1 phase and
as such only Urgent priority bug fixes will be considered. Given that
this issue is not urgent and applies only to fuzzed inputs, we have
decided not to fix this in RHEL 7.

However, we will consider fixing this in RHEL 8.

Comment 13 Arjun Shankar 2020-08-04 21:20:57 UTC
This still looks good on bison-3.5 (f32) and bison-3.6.4 (rawhide).

Thanks for filing this report!

This bug is now fixed in Fedora Rawhide and will eventually make it to a future
major version of RHEL.

Since this is a crash induced by fuzzed input (in the form of code) and the input
causes bison itself to crash and isn't a security flaw in generated code itself,
it is not likely to impact a running service.

Considering the above, we do not plan to fix this in an update to RHEL-8.

Please re-open this bug and associate a customer ticket to revisit this decision.