1470925 – There is a heap-buffer-overflow in parse_ref() in bison.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1470925 - There is a heap-buffer-overflow in parse_ref() in bison.

Summary: There is a heap-buffer-overflow in parse_ref() in bison.

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	bison
Sub Component:
Version:	8.1
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	urgent
Target Milestone:	pre-dev-freeze
Target Release:	8.1
Assignee:	Arjun Shankar
QA Contact:	Edjunior Barbosa Machado
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-07-14 02:44 UTC by owl337
Modified:	2023-11-16 04:25 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-01-08 15:37:24 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Triggered by "./bison $POC" (deleted) 2017-07-14 02:44 UTC, owl337	no flags	Details
View All

Description owl337 2017-07-14 02:44:52 UTC

Description of problem:

The vulnerability was triggered in function parse_ref() at src/scan-code.l:450.


Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./bison POC2

Steps to Reproduce:

The information is as follows:

$./bison POC2
 
id:000006,sig:11,src:001158,op:arith8,pos:33,val:+27:1.5: error: symbol S is used, but is not defined as a token and has no rules
 %%D:S{’?<:p{$}EEE@->$<p{$}EE>[%>\:}D%%H:￡{	
     ^
Segmentation fault

The ASAN debugging  information is as follows:

$./bison POC2
id:000006,sig:11,src:001158,op:arith8,pos:33,val:+27:1.5: error: symbol S is used, but is not defined as a token and has no rules
 %%D:S{?ˉ?<:p{$}EEE@->$<p{$}EE>[%>\:}D%%H:?{	
     ^
=================================================================
==52395==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000d634 at pc 0x000000579aa9 bp 0x7ffda0f6e010 sp 0x7ffda0f6e008
READ of size 1 at 0x60400000d634 thread T0
    #0 0x579aa8  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x579aa8)
    #1 0x576498  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x576498)
    #2 0x570ae0  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x570ae0)
    #3 0x563e96  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x563e96)
    #4 0x51a2c6  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x51a2c6)
    #5 0x7fc68f1d4abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #6 0x43ced8  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x43ced8)

0x60400000d634 is located 0 bytes to the right of 36-byte region [0x60400000d610,0x60400000d634)
allocated by thread T0 here:
    #0 0x4c3ea2  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x4c3ea2)
    #1 0x56fb7c  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x56fb7c)
    #2 0x570ae0  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x570ae0)
    #3 0x51a2c6  (/home/icy/real/bison-3.0.4-asan/install/bin/bison+0x51a2c6)

Shadow bytes around the buggy address:
  0x0c087fff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9ac0: fa fa 00 00 00 00[04]fa fa fa fd fd fd fd fd fd
  0x0c087fff9ad0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff9ae0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9af0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 06
  0x0c087fff9b00: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9b10: fa fa 00 00 00 00 00 01 fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==52395==ABORTING


The vulnerability was triggered in function parse_ref() at src/scan-code.l:450.

415 /* Parse named or positional reference. In case of positional
416    references, can return negative values for $-n "deep" stack
417    accesses. */
418 static long int
419 parse_ref (char *cp, symbol_list *rule, int rule_length,
420            int midrule_rhs_index, char *text, location text_loc,
421            char dollar_or_at)
422 {
 ...
445 
446   if ('[' == *cp)
447     {
448       /* Ignore the brackets. */
449       char *p;
450       for (p = ++cp; *p != ']'; ++p)
451         continue;
452       cp_end = p;
453 
454       explicit_bracketing = true;
455     }


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.

Comment 9 Arjun Shankar 2018-11-21 15:24:15 UTC

Dear OWL337 Team,

Thank you for filing this report.

Unfortunately, I cannot find the reproducer that was initially attached to this bug. It seems to have been deleted. I was wondering if you have a copy available.

Cheers!

Comment 12 Arjun Shankar 2020-01-08 15:37:24 UTC

Dear OWL337 Team,

Thank you for filing this report.

Like I wrote in my earlier comment, I cannot find the reproducer that was initially attached to this bug. It seems to have been deleted. If you have a copy available, please attach and report this upstream, or again here on RH bugzilla.

Cheers!

Comment 13 Red Hat Bugzilla 2023-11-16 04:25:03 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

Note You need to log in before you can comment on or make changes to this bug.