[bug report] Heap-buffer-overflow issue in build

bug-bison

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug report] Heap-buffer-overflow issue in build_relations function in s

From:	wcventure
Subject:	[bug report] Heap-buffer-overflow issue in build_relations function in src/lalr.c in Bison 3.3
Date:	Thu, 28 Mar 2019 22:47:24 +0800 (CST)

Hi there, 


Our fuzzer found some Heap-buffer-overflow issue in build_relations function in 
src/lalr.c in Bison 3.3, the recent release version. 
A crafted input file can cause segment faults and I have confirmed them with 
address sanitizer too.


Please use the "./bison $POC" to reproduce the bug.






ASAN dumps the backtrace as follow:


==8106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000c78 
at pc 0x00000045b7dc bp 0x7ffe927e00b0 sp 0x7ffe927e00a0
WRITE of size 8 at 0x604000000c78 thread T0
    #0 0x45b7db in build_relations src/lalr.c:245
    #1 0x45b7db in lalr src/lalr.c:423
    #2 0x46d5af in ielr src/ielr.c:1081
    #3 0x407010 in main src/main.c:129
    #4 0x7f9fd640482f in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x40ab58 in _start 
(/home/wencheng/FuzzingObject/bison-3.3/build/bin/bison+0x40ab58)


0x604000000c78 is located 0 bytes to the right of 40-byte region 
[0x604000000c50,0x604000000c78)
allocated by thread T0 here:
    #0 0x7f9fd688cb90 in __interceptor_malloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
    #1 0x60b064 in xmalloc lib/xmalloc.c:41


SUMMARY: AddressSanitizer: heap-buffer-overflow src/lalr.c:245 in 
build_relations
Shadow bytes around the buggy address:
  0x0c087fff8130: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c087fff8140: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8150: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8160: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
  0x0c087fff8170: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
=>0x0c087fff8180: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00[fa]
  0x0c087fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8106==ABORTING

POC.zip
Description: Zip compressed data

[Prev in Thread]

Current Thread

[Next in Thread]

[bug report] Heap-buffer-overflow issue in build_relations function in src/lalr.c in Bison 3.3, wcventure <=
- Re: [bug report] Heap-buffer-overflow issue in build_relations function in src/lalr.c in Bison 3.3, Akim Demaille, 2019/03/30

Prev by Date: Re: [patch] Fix of the CPU bottleneck in pack_vector
Next by Date: [bug report] NULL-pointer deference issue in quotearg_buffer_restyled in lib/quotearg.c in Bison 3.3
Previous by thread: Re: [patch] Fix of the CPU bottleneck in pack_vector
Next by thread: Re: [bug report] Heap-buffer-overflow issue in build_relations function in src/lalr.c in Bison 3.3
Index(es):
- Date
- Thread