Bug 1470925 - There is a heap-buffer-overflow in parse_ref() in bison. [NEEDINFO]
Summary: There is a heap-buffer-overflow in parse_ref() in bison.
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: bison
Version: 8.1
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: pre-dev-freeze
: 8.1
Assignee: Arjun Shankar
QA Contact: Edjunior Barbosa Machado
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-07-14 02:44 UTC by owl337
Modified: 2023-07-18 14:30 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-08 15:37:24 UTC
Type: Bug
Target Upstream Version:
Embargoed:
ashankar: needinfo? (v.owl337)

Attachments (Terms of Use)
Triggered by "./bison $POC" (deleted)
2017-07-14 02:44 UTC, owl337 		no flags Details
View All

Description owl337 2017-07-14 02:44:52 UTC 
Description of problem:

The vulnerability was triggered in function parse_ref() at src/scan-code.l:450.


Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./bison POC2

Steps to Reproduce:

The information is as follows:

$./bison POC2
 
id:000006,sig:11,src:001158,op:arith8,pos:33,val:+27:1.5: error: symbol S is used, but is not defined as a token and has no rules
 %%D:S{’?<:p{$}EEE@->$<p{$}EE>[%>\:}D%%H:£{	
     ^
Segmentation fault

The ASAN debugging  information is as follows:

$./bison POC2
id:000006,sig:11,src:001158,op:arith8,pos:33,val:+27:1.5: error: symbol S is used, but is not defined as a token and has no rules
 %%D:S{?ˉ?<:p{$}EEE@->$<p{$}EE>[%>\:}D%%H:?{	
     ^
=================================================================
==52395==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000d634 at pc 0x000000579aa9 bp 0x7ffda0f6e010 sp 0x7ffda0f6e008
READ of size 1 at 0x60400000d634 thread T0
    #0 0x579aa8  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x579aa8)
    #1 0x576498  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x576498)
    #2 0x570ae0  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x570ae0)
    #3 0x563e96  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x563e96)
    #4 0x51a2c6  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x51a2c6)
    #5 0x7fc68f1d4abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #6 0x43ced8  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x43ced8)

0x60400000d634 is located 0 bytes to the right of 36-byte region [0x60400000d610,0x60400000d634)
allocated by thread T0 here:
    #0 0x4c3ea2  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x4c3ea2)
    #1 0x56fb7c  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x56fb7c)
    #2 0x570ae0  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x570ae0)
    #3 0x51a2c6  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x51a2c6)

Shadow bytes around the buggy address:
  0x0c087fff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9ac0: fa fa 00 00 00 00[04]fa fa fa fd fd fd fd fd fd
  0x0c087fff9ad0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff9ae0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9af0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 06
  0x0c087fff9b00: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9b10: fa fa 00 00 00 00 00 01 fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==52395==ABORTING


The vulnerability was triggered in function parse_ref() at src/scan-code.l:450.

415 /* Parse named or positional reference. In case of positional
416    references, can return negative values for $-n "deep" stack
417    accesses. */
418 static long int
419 parse_ref (char *cp, symbol_list *rule, int rule_length,
420            int midrule_rhs_index, char *text, location text_loc,
421            char dollar_or_at)
422 {
 ...
445 
446   if ('[' == *cp)
447     {
448       /* Ignore the brackets. */
449       char *p;
450       for (p = ++cp; *p != ']'; ++p)
451         continue;
452       cp_end = p;
453 
454       explicit_bracketing = true;
455     }


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.
Comment 9 Arjun Shankar 2018-11-21 15:24:15 UTC 
Dear OWL337 Team,

Thank you for filing this report.

Unfortunately, I cannot find the reproducer that was initially attached to this bug. It seems to have been deleted. I was wondering if you have a copy available.

Cheers!
Comment 12 Arjun Shankar 2020-01-08 15:37:24 UTC 
Dear OWL337 Team,

Thank you for filing this report.

Like I wrote in my earlier comment, I cannot find the reproducer that was initially attached to this bug. It seems to have been deleted. If you have a copy available, please attach and report this upstream, or again here on RH bugzilla.

Cheers!
Note You need to log in before you can comment on or make changes to this bug.