bug-gawk

Re: gawk use-after-free in concat_exp()


From: arnold
Subject: Re: gawk use-after-free in concat_exp()
Date: Thu, 25 Aug 2022 02:05:47 -0600
User-agent: Heirloom mailx 12.5 7/5/10

Hello.

Re this:

sohu0106  <sohu0106@126.com> wrote:

> I found a UAF (use-after-free) bug in concat_exp()
> gawk-5.1.1/array.c:424. The version of gawk is gawk-5.1.1; see the
> attachment for the reproduced POC and NEWS.0.
> ASan report is below.

It is hard to see how the program you submitted could be entering the
code in concat_exp(), as your program consisted simply of an (ugly)
unterminated regular expression.

On the code in master, it (apparently) caused gawk to go into an infinite
loop and lock up my machine. If this is what you intended, it's not funny.

The fix I will be pushing is below: syntax errors are now immediately
fatal.

In general, I find reports such as yours, based clearly on the use
of fuzzers, to be of little help in finding real issues in the code
base. I have added a note in the manual to this effect as well.

If in the future you find actual bugs in gawk, as described very clearly
in the manual, I will be happy to have them reported.

Arnold Robbins
-----------------------
diff --git a/awkgram.y b/awkgram.y
index e2a3d21b..ef3720cb 100644
--- a/awkgram.y
+++ b/awkgram.y
@@ -2622,6 +2622,8 @@ yyerror(const char *m, ...)
        err(false, "", buf, args);
        va_end(args);
        efree(buf);
+       /* we don't use fatal(), that changes the exit status to 2 */
+       exit(EXIT_FAILURE);
 }
 
 /* mk_program --- create a single list of instructions */
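Review bot: the exit() added at the end of yyerror() means the function never returns to the Bison-generated parser, so any error-recovery productions in awkgram.y become unreachable and only the first syntax error of a run is ever reported; since the covering message says syntax errors are now immediately fatal, that is presumably intended, but it is a user-visible change and belongs in NEWS and the manual alongside the exit status. The comment should also say which status the call is meant to preserve rather than only which one fatal() would produce, e.g. `/* exit(EXIT_FAILURE), not fatal(): keep the traditional exit status 1 for syntax errors, fatal() would use 2 */`, because EXIT_FAILURE is only guaranteed non-zero by the C standard and reads as 1 here only on platforms where the libc defines it that way. If gawk has a cleanup-aware exit wrapper used elsewhere for fatal paths, prefer it to a bare exit() so profiling or debugger state is torn down consistently; if not, a direct exit() is acceptable here as the err() output has already been written and stdio is flushed on exit.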


