Created attachment 1505086 [details]
./bison POC0

version: bison 3.0.5

Summary: There is a heap-buffer-overflow at lalr.c:256 build_relations in bison.

Description: The asan debug is as follows:

$ ./bison POC0
=================================================================
==4827==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e6a0 at pc 0x00000041b67d bp 0x7ffe9b5119f0 sp 0x7ffe9b5119e0
WRITE of size 8 at 0x60200000e6a0 thread T0
    #0 0x41b67c in build_relations src/lalr.c:256
    #1 0x41b67c in lalr src/lalr.c:446
    #2 0x4227cf in ielr src/ielr.c:1117
    #3 0x4038b7 in main src/main.c:121
    #4 0x7fd9f5dbaa3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #5 0x404428 in _start (/home/company/real_sanitize/poc_check/bison/bison+0x404428)

0x60200000e6a0 is located 0 bytes to the right of 16-byte region [0x60200000e690,0x60200000e6a0)
allocated by thread T0 here:
    #0 0x7fd9f61fc9aa in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
    #1 0x47be98 in xmalloc lib/xmalloc.c:41

SUMMARY: AddressSanitizer: heap-buffer-overflow src/lalr.c:256 build_relations
Shadow bytes around the buggy address:
  0x0c047fff9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9cb0: fa fa fa fa fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff9cc0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00
=>0x0c047fff9cd0: fa fa 00 00[fa]fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9ce0: fa fa fd fa fa fa 04 fa fa fa 04 fa fa fa fd fd
  0x0c047fff9cf0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c047fff9d00: fa fa fd fd fa fa 00 fa fa fa 00 00 fa fa fd fd
  0x0c047fff9d10: fa fa 00 fa fa fa fd fd fa fa fd fd fa fa 00 fa
  0x0c047fff9d20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 02 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==4827==ABORTING
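As an added triage helper (not part of the bug report or of bison), the following parses an AddressSanitizer report like the one above into the fields a triager buckets crashes on: bug class, access kind and size, crashing frames and allocation site. The sample report is constructed from the lines posted in this thread, trimmed to the frames with source locations.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the ASan report posted in this thread, trimmed to the
# frames carrying source locations plus the allocation-site frames.
SAMPLE_REPORT = """\
==4827==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e6a0 at pc 0x00000041b67d
WRITE of size 8 at 0x60200000e6a0 thread T0
    #0 0x41b67c in build_relations src/lalr.c:256
    #1 0x41b67c in lalr src/lalr.c:446
    #2 0x4227cf in ielr src/ielr.c:1117
    #3 0x4038b7 in main src/main.c:121
0x60200000e6a0 is located 0 bytes to the right of 16-byte region [0x60200000e690,0x60200000e6a0)
allocated by thread T0 here:
    #0 0x7fd9f61fc9aa in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
    #1 0x47be98 in xmalloc lib/xmalloc.c:41
"""

_HDR = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
_ACC = re.compile(r"\b(READ|WRITE) of size (\d+)")
_FRM = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

@dataclass
class AsanTriage:
    bug_class: str                 # e.g. heap-buffer-overflow
    access: str = ""               # READ or WRITE
    size: int = 0                  # bytes touched by the faulting access
    crash_frames: list = field(default_factory=list)  # (symbol, location)
    alloc_frames: list = field(default_factory=list)  # where the region was allocated

    def bucket(self):
        # Dedup key: bug class plus the first crash frame with a source location
        # (skips runtime frames such as "(libasan.so.2+0x...)").
        for sym, loc in self.crash_frames:
            if ":" in loc and not loc.startswith("("):
                return f"{self.bug_class}@{sym} {loc}"
        return self.bug_class

def parse_asan(text):
    m = _HDR.search(text)
    t = AsanTriage(bug_class=m.group(1) if m else "unknown")
    frames = t.crash_frames  # frames belong to the crash until the allocation section
    for line in text.splitlines():
        if (a := _ACC.search(line)):
            t.access, t.size = a.group(1), int(a.group(2))
        elif "allocated by" in line or "freed by" in line:
            frames = t.alloc_frames
        elif (f := _FRM.search(line)):
            frames.append((f.group(1), f.group(2)))
    return t
```

Running `parse_asan(SAMPLE_REPORT).bucket()` yields `heap-buffer-overflow@build_relations src/lalr.c:256`, the key under which further fuzzer finds hitting the same write would be deduplicated.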
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.
Sorry, this bug should remain open for triage. Reopening.
Red Hat Enterprise Linux 7 is entering Maintenance Support 1 phase and as such only Urgent priority bug fixes will be considered. Given that this issue is not urgent and applies only to fuzzed inputs, we have decided not to fix this in RHEL 7. However, we will consider fixing this in RHEL 8.
This still looks good on bison-3.5 (f32) and bison-3.6.4 (rawhide). Thanks for filing this report! This bug is now fixed in Fedora Rawhide and will eventually make it to a future major version of RHEL. Since this is a crash induced by fuzzed input (in the form of code) and the input causes bison itself to crash and isn't a security flaw in generated code itself, it is not likely to impact a running service. Considering the above, we do not plan to fix this in an update to RHEL-8. Please re-open this bug and associate a customer ticket to revisit this decision.