[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug report] Heap-buffer-overflow issue in build_relations function in s
From: |
wcventure |
Subject: |
[bug report] Heap-buffer-overflow issue in build_relations function in src/lalr.c in Bison 3.3 |
Date: |
Thu, 28 Mar 2019 22:47:24 +0800 (CST) |
Hi there,
Our fuzzer found some Heap-buffer-overflow issue in build_relations function in
src/lalr.c in Bison 3.3, the recent release version.
A crafted input file can cause segment faults and I have confirmed them with
address sanitizer too.
Please use the "./bison $POC" to reproduce the bug.
ASAN dumps the backtrace as follow:
==8106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000c78
at pc 0x00000045b7dc bp 0x7ffe927e00b0 sp 0x7ffe927e00a0
WRITE of size 8 at 0x604000000c78 thread T0
#0 0x45b7db in build_relations src/lalr.c:245
#1 0x45b7db in lalr src/lalr.c:423
#2 0x46d5af in ielr src/ielr.c:1081
#3 0x407010 in main src/main.c:129
#4 0x7f9fd640482f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x40ab58 in _start
(/home/wencheng/FuzzingObject/bison-3.3/build/bin/bison+0x40ab58)
0x604000000c78 is located 0 bytes to the right of 40-byte region
[0x604000000c50,0x604000000c78)
allocated by thread T0 here:
#0 0x7f9fd688cb90 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
#1 0x60b064 in xmalloc lib/xmalloc.c:41
SUMMARY: AddressSanitizer: heap-buffer-overflow src/lalr.c:245 in
build_relations
Shadow bytes around the buggy address:
0x0c087fff8130: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
0x0c087fff8140: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff8150: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x0c087fff8160: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
0x0c087fff8170: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
=>0x0c087fff8180: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00[fa]
0x0c087fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8106==ABORTING
POC.zip
Description: Zip compressed data
- [bug report] Heap-buffer-overflow issue in build_relations function in src/lalr.c in Bison 3.3,
wcventure <=