Bug 1470925 - There is a heap-buffer-overflow in parse_ref() in bison.
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bison
7.5-Alt
x86_64 Linux
unspecified Severity urgent
: rc
: ---
Assigned To: Patsy Franklin
qe-baseos-tools
: Reopened
Reported: 2017-07-13 22:44 EDT by owl337
Modified: 2017-08-07 10:02 EDT

Last Closed: 2017-07-25 10:35:48 EDT
Type: Bug

Attachments
Triggered by "./bison $POC" (deleted)
2017-07-13 22:44 EDT, owl337
Description owl337 2017-07-13 22:44:52 EDT
Description of problem:

The vulnerability was triggered in function parse_ref() at src/scan-code.l:450.


Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./bison POC2

Steps to Reproduce:

The information is as follows:

$./bison POC2
 
id:000006,sig:11,src:001158,op:arith8,pos:33,val:+27:1.5: error: symbol S is used, but is not defined as a token and has no rules
 %%D:S{’?<:p{$}EEE@->$<p{$}EE>[%>\:}D%%H:£{	
     ^
Segmentation fault

The ASAN debugging information is as follows:

$./bison POC2
id:000006,sig:11,src:001158,op:arith8,pos:33,val:+27:1.5: error: symbol S is used, but is not defined as a token and has no rules
 %%D:S{?ˉ?<:p{$}EEE@->$<p{$}EE>[%>\:}D%%H:?{	
     ^
=================================================================
==52395==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000d634 at pc 0x000000579aa9 bp 0x7ffda0f6e010 sp 0x7ffda0f6e008
READ of size 1 at 0x60400000d634 thread T0
    #0 0x579aa8  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x579aa8)
    #1 0x576498  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x576498)
    #2 0x570ae0  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x570ae0)
    #3 0x563e96  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x563e96)
    #4 0x51a2c6  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x51a2c6)
    #5 0x7fc68f1d4abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #6 0x43ced8  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x43ced8)

0x60400000d634 is located 0 bytes to the right of 36-byte region [0x60400000d610,0x60400000d634)
allocated by thread T0 here:
    #0 0x4c3ea2  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x4c3ea2)
    #1 0x56fb7c  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x56fb7c)
    #2 0x570ae0  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x570ae0)
    #3 0x51a2c6  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x51a2c6)

Shadow bytes around the buggy address:
  0x0c087fff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9ac0: fa fa 00 00 00 00[04]fa fa fa fd fd fd fd fd fd
  0x0c087fff9ad0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff9ae0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9af0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 06
  0x0c087fff9b00: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9b10: fa fa 00 00 00 00 00 01 fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==52395==ABORTING


The vulnerability was triggered in function parse_ref() at src/scan-code.l:450.

415 /* Parse named or positional reference. In case of positional
416    references, can return negative values for $-n "deep" stack
417    accesses. */
418 static long int
419 parse_ref (char *cp, symbol_list *rule, int rule_length,
420            int midrule_rhs_index, char *text, location text_loc,
421            char dollar_or_at)
422 {
 ...
445 
446   if ('[' == *cp)
447     {
448       /* Ignore the brackets. */
449       char *p;
450       for (p = ++cp; *p != ']'; ++p)
451         continue;
452       cp_end = p;
453 
454       explicit_bracketing = true;
455     }


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
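As an added illustration, not code from bison or from the reporter: a minimal model of the bracket scan at src/scan-code.l:450 beside a bounded rewrite that reports an unterminated "[" instead of reading past the end of the buffer, exercised on constructed inputs. The function names and the `len` parameter are assumptions for this example.

```c
/* Added example (not bison's own code): the unbounded bracket scan from
 * parse_ref() modelled in isolation, next to a bounded variant. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the loop at scan-code.l:450: starting after '[', advance until
 * ']' with no bound. If the buffer holds no ']', the loop walks off the
 * end of the allocation, which is the heap-buffer-overflow ASAN reported
 * (read 0 bytes past a 36-byte region). Only safe on terminated input. */
static long unbounded_bracket_len(const char *cp)
{
    const char *p;
    for (p = cp + 1; *p != ']'; ++p)
        continue;
    return (long)(p - (cp + 1));
}

/* Bounded variant: `len` is the number of bytes available from `cp`.
 * Returns the length of the name inside the brackets, or -1 when the
 * text does not start with '[' or no ']' occurs within the buffer. */
static long bounded_bracket_len(const char *cp, size_t len)
{
    if (len == 0 || *cp != '[')
        return -1;
    const char *end = memchr(cp + 1, ']', len - 1);
    return end ? (long)(end - (cp + 1)) : -1;
}

int main(void)
{
    /* Constructed inputs: a well-formed reference and an unterminated one
     * like the "[%>\:}D..." tail of the fuzzed POC. */
    const char ok[] = "[name]";
    const char bad[] = "[name";
    printf("well-formed: %ld\n", bounded_bracket_len(ok, sizeof ok - 1));
    printf("unterminated: %ld\n", bounded_bracket_len(bad, sizeof bad - 1));
    return 0;
}
```

The unbounded model is kept only for comparison; the bounded variant is the shape of check a fuzz-found scan like this one needs before the loop at line 450 runs.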
