Bug 1470917 - There is a heap-buffer-overflow in bison.
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bison
7.5-Alt
x86_64 Linux
unspecified Severity urgent
: rc
Assigned To: Patsy Franklin
qe-baseos-tools
: Reopened
Reported: 2017-07-13 21:59 EDT by owl337
Modified: 2017-08-07 10:01 EDT (History)

Last Closed: 2017-07-25 10:28:10 EDT
Type: Bug


Attachments
Triggered by "./bison $POC" (275 bytes, application/x-rar), attached 2017-07-13 21:59 EDT by owl337

Description owl337 2017-07-13 21:59:15 EDT
Created attachment 1298063 [details]
Triggered by  "./bison $POC"

Description of problem:

The vulnerability was triggered in function fetch_type_name () at src/scan-code.l:609.


Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./bison POC1

Steps to Reproduce:

The information is as follows:

$./bison POC1
 
POC1: error: symbol p is used, but is not defined as a token and has no rules
 %%D:p{?ˉ?:p{$}D->S:}D%%h:{ 
     ^
Segmentation fault

The ASAN debugging information is as follows:

POC1: error: symbol p is used, but is not defined as a token and has no rules
 %%D:p{’?:p{$}D->S:}D%%h:{ 
     ^
=================================================================
==51695==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e664 at pc 0x000000579372 bp 0x7ffc4a0cc990 sp 0x7ffc4a0cc988
READ of size 1 at 0x60300000e664 thread T0
    #0 0x579371  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x579371)
    #1 0x570ae0  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x570ae0)
    #2 0x563e96  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x563e96)
    #3 0x51a2c6  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x51a2c6)
    #4 0x7faf5c0ababf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #5 0x43ced8  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x43ced8)

0x60300000e664 is located 0 bytes to the right of 20-byte region [0x60300000e650,0x60300000e664)
allocated by thread T0 here:
    #0 0x4c3ea2  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x4c3ea2)
    #1 0x56fb7c  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x56fb7c)
    #2 0x570ae0  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x570ae0)
    #3 0x51a2c6  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x51a2c6)

==51695==ABORTING


The vulnerability was triggered in function fetch_type_name () at src/scan-code.l:609

599 static
600 char *
601 fetch_type_name (char *cp, char const **type_name,
602                  location dollar_loc)
603 {
604   if (*cp == '<')
605     {
606       *type_name = ++cp;
607       /* Series of non-'>' or "->".  */
608       while (*cp != '>' || cp[-1] == '-')
609         ++cp;
610 
611       /* The '>' symbol will be later replaced by '\0'. Original
612          'text' is needed for error messages. */
613       ++cp;
614       if (untyped_var_seen)
615         complain (&dollar_loc, complaint,
616                   _("explicit type given in untyped grammar"));
617       tag_seen = true;
618     }
619   return cp;
620 }


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
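As an added example (not bison's own code or its upstream fix), a bounds-checked variant of the scanning loop at src/scan-code.l:609 quoted above, with a small test helper; the function and helper names are assumptions:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not bison's fix.  Stand-in for fetch_type_name(): given cp
   pointing at "<type>...", sets *type_name to the first byte of the tag and
   returns a pointer just past the closing '>'.  The original loop at
   src/scan-code.l:609 keeps advancing until it sees a '>' not preceded by
   '-', so a tag with no closing '>' walks past the NUL of the buffer (the
   ASAN report above: READ of size 1, 0 bytes past a 20-byte region).  Here
   the loop also stops at the terminator, and an unterminated tag is
   reported through *ok instead of being silently skipped. */
static char *
fetch_type_name_checked (char *cp, char const **type_name, bool *ok)
{
  *ok = true;
  if (*cp == '<')
    {
      *type_name = ++cp;
      /* Series of non-'>' or "->", bounded by the end of the string.  */
      while (*cp != '\0' && (*cp != '>' || cp[-1] == '-'))
        ++cp;
      if (*cp != '>')
        {
          *ok = false;          /* no closing '>': *type_name is unusable */
          return cp;            /* still inside the buffer, at the NUL */
        }
      ++cp;                     /* step past the '>' */
    }
  return cp;
}

/* Test helper (assumed name): length of the tag in s, 0 if s carries no
   tag, -1 if the tag is unterminated.  Scans a private copy of s. */
int
tag_length (char const *s)
{
  char buf[64];
  char const *name = NULL;
  bool ok;
  snprintf (buf, sizeof buf, "%s", s);
  char *end = fetch_type_name_checked (buf, &name, &ok);
  if (!ok)
    return -1;
  return name ? (int) (end - 1 - name) : 0;
}

int
main (void)
{
  /* Constructed inputs: well-formed tag, "->" inside a tag, unterminated tag, no tag. */
  char const *inputs[] = { "<int>$1", "<a->b>", "<abc", "$1" };
  for (size_t i = 0; i < 4; i++)
    printf ("%-8s -> %d\n", inputs[i], tag_length (inputs[i]));
  return 0;
}
```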
