Dear maintainers,
We are cybersecurity researchers from the Hong Kong University of Science and Technology. We found several security violations involving undefined behavior in GNU bison 3.8.2 using our novel symbolic execution technique several months ago. The details are shown below.
../lib/obstack.c:138:35: runtime error: applying non-zero offset 107820858999056 to null pointer
    #0 0x6a3c9c in _obstack_begin_worker /root/projects/bison-3.8.2/obj-san/../lib/obstack.c:138:35
    #1 0x6a3a6d in _obstack_begin /root/projects/bison-3.8.2/obj-san/../lib/obstack.c:157:10
    #2 0x54988c in muscle_init /root/projects/bison-3.8.2/obj-san/../src/muscle-tab.c:126:3
    #3 0x548e2f in main /root/projects/bison-3.8.2/obj-san/../src/main.c:97:3
    #4 0x7f14c84cdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7f14c84cde3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #6 0x420664 in _start (/root/projects/bison-3.8.2/obj-san/src/bison+0x420664)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../lib/obstack.c:138:35 in

../src/muscle-tab.c:540:3: runtime error: applying non-zero offset 107820858999072 to null pointer
    #0 0x54eda7 in muscle_percent_define_insert /root/projects/bison-3.8.2/obj-san/../src/muscle-tab.c:540:3
    #1 0x51308a in getargs /root/projects/bison-3.8.2/obj-san/../src/getargs.c:729:11
    #2 0x548e44 in main /root/projects/bison-3.8.2/obj-san/../src/main.c:101:3
    #3 0x7f14c84cdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7f14c84cde3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #5 0x420664 in _start (/root/projects/bison-3.8.2/obj-san/src/bison+0x420664)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/muscle-tab.c:540:3 in

../src/muscle-tab.c:274:27: runtime error: applying non-zero offset 107820858999104 to null pointer
    #0 0x54d658 in muscle_boundary_grow /root/projects/bison-3.8.2/obj-san/../src/muscle-tab.c:274:27
    #1 0x54ee74 in muscle_location_grow /root/projects/bison-3.8.2/obj-san/../src/muscle-tab.c:283:3
    #2 0x54ee74 in muscle_percent_define_insert /root/projects/bison-3.8.2/obj-san/../src/muscle-tab.c:542:3
    #3 0x51308a in getargs /root/projects/bison-3.8.2/obj-san/../src/getargs.c:729:11
    #4 0x548e44 in main /root/projects/bison-3.8.2/obj-san/../src/main.c:101:3
    #5 0x7f14c84cdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7f14c84cde3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #7 0x420664 in _start (/root/projects/bison-3.8.2/obj-san/src/bison+0x420664)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/muscle-tab.c:274:27 in

../src/muscle-tab.c:192:27: runtime error: applying non-zero offset 107820858999136 to null pointer
    #0 0x54b14e in muscle_grow /root/projects/bison-3.8.2/obj-san/../src/muscle-tab.c:192:27
    #1 0x54d6a6 in muscle_boundary_grow /root/projects/bison-3.8.2/obj-san/../src/muscle-tab.c:275:3
    #2 0x54ee74 in muscle_location_grow /root/projects/bison-3.8.2/obj-san/../src/muscle-tab.c:283:3
    #3 0x54ee74 in muscle_percent_define_insert /root/projects/bison-3.8.2/obj-san/../src/muscle-tab.c:542:3
    #4 0x51308a in getargs /root/projects/bison-3.8.2/obj-san/../src/getargs.c:729:11
    #5 0x548e44 in main /root/projects/bison-3.8.2/obj-san/../src/main.c:101:3
    #6 0x7f14c84cdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f14c84cde3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x420664 in _start (/root/projects/bison-3.8.2/obj-san/src/bison+0x420664)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/muscle-tab.c:192:27 in

../src/muscle-tab.c:210:27: runtime error: applying non-zero offset 107820858999120 to null pointer
    #0 0x54a9b6 in muscle_syncline_grow /root/projects/bison-3.8.2/obj-san/../src/muscle-tab.c:210:27
    #1 0x54ef69 in muscle_percent_define_insert /root/projects/bison-3.8.2/obj-san/../src/muscle-tab.c:544:3
    #2 0x51308a in getargs /root/projects/bison-3.8.2/obj-san/../src/getargs.c:729:11
    #3 0x548e44 in main /root/projects/bison-3.8.2/obj-san/../src/main.c:101:3
    #4 0x7f14c84cdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7f14c84cde3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #6 0x420664 in _start (/root/projects/bison-3.8.2/obj-san/src/bison+0x420664)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/muscle-tab.c:210:27 in

../src/muscle-tab.c:547:3: runtime error: applying non-zero offset 107820858999088 to null pointer
    #0 0x54f1ca in muscle_percent_define_insert /root/projects/bison-3.8.2/obj-san/../src/muscle-tab.c:547:3
    #1 0x51308a in getargs /root/projects/bison-3.8.2/obj-san/../src/getargs.c:729:11
    #2 0x548e44 in main /root/projects/bison-3.8.2/obj-san/../src/main.c:101:3
    #3 0x7f14c84cdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7f14c84cde3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #5 0x420664 in _start (/root/projects/bison-3.8.2/obj-san/src/bison+0x420664)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/muscle-tab.c:547:3 in

../src/muscle-tab.c:548:3: runtime error: applying non-zero offset 107820858999104 to null pointer
    #0 0x54f7e5 in muscle_percent_define_insert /root/projects/bison-3.8.2/obj-san/../src/muscle-tab.c:548:3
    #1 0x51308a in getargs /root/projects/bison-3.8.2/obj-san/../src/getargs.c:729:11
    #2 0x548e44 in main /root/projects/bison-3.8.2/obj-san/../src/main.c:101:3
    #3 0x7f14c84cdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7f14c84cde3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #5 0x420664 in _start (/root/projects/bison-3.8.2/obj-san/src/bison+0x420664)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/muscle-tab.c:548:3 in

../src/getargs.c:909:3: runtime error: applying non-zero offset 107820858999120 to null pointer
    #0 0x513f1e in getargs /root/projects/bison-3.8.2/obj-san/../src/getargs.c:909:3
    #1 0x548e44 in main /root/projects/bison-3.8.2/obj-san/../src/main.c:101:3
    #2 0x7f14c84cdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7f14c84cde3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #4 0x420664 in _start (/root/projects/bison-3.8.2/obj-san/src/bison+0x420664)
Best regards,
Shuangjie
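Editorial note on what these eight reports have in common, with an added example that is not part of the report above and not code from bison or gnulib. Every report is clang UBSan's pointer-overflow check firing on the same pointer-alignment idiom from gnulib's obstack.h, __PTR_ALIGN: on LP64 hosts, where ptrdiff_t is as wide as a pointer, the macro aligns relative to (char *) 0, so the code evaluates "(char *) 0 + aligned_address", which the C standard leaves undefined and which the sanitizer prints as "applying non-zero offset N to null pointer". N is simply the address being aligned; 107820858999056 is 0x621000000110, an ASan heap address in the obj-san build, and the other seven values are that address plus 16 to 80 bytes as the obstack fills. The first report is the direct use in _obstack_begin_worker (obstack.c:138); the remaining seven are reached through the obstack_finish macro that the obstack_finish0 and MUSCLE_INSERT_* calls at those lines expand to. The C program below reconstructs that idiom from its obstack.h definition and puts two variants beside it that compute the same address without adding to NULL. The names ptr_align_uintptr, ptr_align_in_block, chunk and demo_alignment are hypothetical names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reconstruction of the alignment idiom in gnulib's obstack.h.  The real
 * __PTR_ALIGN(B, P, A) passes B = (char *) 0 whenever ptrdiff_t is as wide
 * as a pointer (every LP64 host), so the expression below becomes
 * "(char *) 0 + <aligned address>".  clang's -fsanitize=pointer-overflow
 * instruments exactly that addition and prints "applying non-zero offset N
 * to null pointer", where N is the address being aligned. */
#define BPTR_ALIGN(B, P, A) ((B) + (((P) - (B) + (A)) & ~(A)))
#define PTR_ALIGN_NULLBASE(P, A) BPTR_ALIGN((char *) 0, (P), (A))

/* Hypothetical alternative 1 (not gnulib code): round as an integer and
 * convert back, so no pointer is ever formed by adding an offset to NULL. */
static char *ptr_align_uintptr(char *p, size_t align_mask)
{
    uintptr_t u = (uintptr_t) p;
    u = (u + align_mask) & ~(uintptr_t) align_mask;
    return (char *) u;
}

/* Hypothetical alternative 2 (what __PTR_ALIGN itself does on hosts with a
 * narrow ptrdiff_t): align relative to the enclosing allocation.  Correct
 * only if `base` is itself aligned at least as strictly as `align_mask`
 * and the result stays inside the allocation, hence _Alignas on `chunk`. */
static char *ptr_align_in_block(char *base, char *p, size_t align_mask)
{
    return BPTR_ALIGN(base, p, align_mask);
}

/* Constructed stand-in for an obstack chunk (not a real obstack). */
static _Alignas(64) char chunk[256];

/* Align chunk + 1 up to `align` bytes with all three variants.  Returns 1
 * when align is a power of two no larger than 64, the variants agree, the
 * result is aligned and it still lies inside the chunk; 0 otherwise. */
int demo_alignment(size_t align)
{
    if (align == 0 || align > 64 || (align & (align - 1)) != 0)
        return 0;
    size_t mask = align - 1;
    char *p = chunk + 1;
    char *a = PTR_ALIGN_NULLBASE(p, mask);        /* flagged by UBSan */
    char *b = ptr_align_uintptr(p, mask);         /* not flagged */
    char *c = ptr_align_in_block(chunk, p, mask); /* not flagged */
    if (a != b || b != c)
        return 0;
    if (((uintptr_t) a & mask) != 0)
        return 0;
    if (a < p || a >= chunk + sizeof chunk)
        return 0;
    return 1;
}

int main(void)
{
    /* Build with: clang -g -fsanitize=undefined align_demo.c
     * Only the PTR_ALIGN_NULLBASE line produces the null-pointer-offset
     * report; the two alternatives run silently and return the same pointer. */
    size_t aligns[] = { 1, 8, 16, 64, 12 };
    for (size_t i = 0; i < sizeof aligns / sizeof aligns[0]; i++)
        printf("align %zu: %s\n", aligns[i],
               demo_alignment(aligns[i]) ? "consistent" : "rejected");
    return 0;
}
```

Running the program under -fsanitize=undefined reproduces the message quoted in the report for the null-base macro alone, which is the practical check a maintainer would want before triaging: the three variants return identical, correctly aligned pointers, so the finding is a standard-conformance issue in the alignment idiom (a pointer formed by offsetting NULL) rather than an out-of-bounds access. Whether to change the idiom is a question for gnulib, where __PTR_ALIGN lives, not for bison's muscle-tab.c or getargs.c.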