[bison 3.7.1.1] heap-buffer-overflow in symbol_translation src/symtab.c:768

Mon, 03 Aug 2020 06:23:03 -0700 

Hi, This is from Agency for Defense Development (ADD).

We found a heap-buffer-overflow in symbol_translation src/symtab.c:768.

We attached the poc file and the asan log.

To reproduce the bug
1) Compile the bison with address sanitizer
2) run the bision ($ bison $PoC)

version: bison (GNU Bison) 3.7.1.1-cb7dc-dirty

Thanks,

==3319==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000002d7c 
at pc 0x560f1ff04bb8 bp 0x7ffea3d43f50 sp 0x7ffea3d43f40                        
                                                                 
READ of size 4 at 0x619000002d7c thread T0                                      
                                                                                
                                                                 
    #0 0x560f1ff04bb7 in symbol_translation src/symtab.c:768                    
                                                                                
                                                                 
    #1 0x560f1ff04bb7 in symbols_token_translations_init src/symtab.c:1099      
                                                                                
                                                                 
    #2 0x560f1ff04bb7 in symbols_pack src/symtab.c:1150                         
                                                                                
                                                                 
    #3 0x560f1fdf777c in check_and_convert_grammar src/reader.c:822
    #4 0x560f1fdf777c in reader src/reader.c:718
    #5 0x560f1fba1dea in main src/main.c:108
    #6 0x7f2d8543db96 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #7 0x560f1fba5909 in _start 
(/mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/bison/install_dir/bin/bison+0x38909)

0x619000002d7c is located 4 bytes to the left of 1128-byte region 
[0x619000002d80,0x6190000031e8)
allocated by thread T0 here:
    #0 0x7f2d858ebb40 in __interceptor_malloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x560f200d4850 in xmalloc lib/xmalloc.c:53

SUMMARY: AddressSanitizer: heap-buffer-overflow src/symtab.c:768 in 
symbol_translation
Shadow bytes around the buggy address:
  0x0c327fff8550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c327fff85a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c327fff85b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff85c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff85d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff85e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff85f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3319==ABORTING

Attachment: poc
Description: Binary data

Reply via email to