## Vulnerability Overview

**Software**: GNU Bison

**Vulnerability Type**: Assertion Failure leading to Denial of Service

## Description

This report documents a variant of the GNU Bison obprintf.c assertion failure vulnerability. This variant demonstrates different input conditions that trigger the identical assertion failure, confirming the widespread nature of the buffer management issue in Bison's obstack implementation.

## Technical Analysis

### Stack Trace

```
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737351530368) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737351530368) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737351530368, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7dc8476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7dae7f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff7dae71b in __assert_fail_base (fmt=0x7ffff7f63130 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff7f63c08 "size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)", file=0x7ffff7f5f416 "obprintf.c", line=158, function=<optimized out>) at ./assert/assert.c:94
#6  0x00007ffff7dbfe96 in __GI___assert_fail (assertion=assertion@entry=0x7ffff7f63c08 "size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)", file=file@entry=0x7ffff7f5f416 "obprintf.c", line=line@entry=158, function=function@entry=0x7ffff7f67740 <__PRETTY_FUNCTION__.1> "__obstack_vprintf_internal") at ./assert/assert.c:103
#7  0x00007ffff7e0e81a in __obstack_vprintf_internal (obstack=0x5555558656c0 <obstack_for_string>, format=0x55555555fab8 "]b4_lhs_value(orig %d, ", args=args@entry=0x7fffffff8200, mode_flags=2) at ./libio/obprintf.c:158
#8  0x00007ffff7ebc353 in __obstack_printf_chk (obstack=<optimized out>, flag=<optimized out>, format=<optimized out>) at ./debug/obprintf_chk.c:34
#9  0x00005555555f8c8b in handle_action_dollar (rule=0x555555887bd0, text=<optimized out>, dollar_loc=<optimized out>) at src/scan-code.l:661
#10 code_lex (self=0x555555887c68, sc_context=<optimized out>) at src/scan-code.l:171
#11 translate_action (self=0x555555887c68, sc_context=<optimized out>) at src/scan-code.l:768
#12 0x00005555555f8c8b in code_props_translate_code (self=0x555555887c68)
#13 0x00005555555f0ffc in check_and_convert_grammar () at src/reader.c:1002
#14 reader (gram=<optimized out>) at src/reader.c:772
#15 0x00005555555a4f52 in main (argc=<optimized out>, argv=0x7fffffffdce8) at src/main.c:118
```

### Variant Analysis

This variant exhibits the identical technical characteristics as the primary obprintf vulnerability:

- **Identical Assertion**: `size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)`
- **Same Failure Location**: obprintf.c:158 in `__obstack_vprintf_internal`
- **Same Call Chain**: `handle_action_dollar` → `obstack_printf_chk` → assertion failure

### Root Cause Confirmation

The identical stack trace confirms that this is the same underlying vulnerability in Bison's obstack buffer management. The fact that different input files can trigger the same assertion failure demonstrates:

1. **Systemic Issue**: The buffer management problem is not tied to specific input patterns
2. **Multiple Trigger Paths**: Various grammar constructs can expose the vulnerability
3. **Widespread Impact**: The vulnerability affects different types of grammar files

## Proof of Concept

The vulnerability variant can be triggered using the provided POC file:

**File**: `POC_bison_obprintf_assertion_failure_variant` (https://drive.google.com/file/d/1vaT0s1LChBK158jHycNIvedMQ6brdM3k/view?usp=drive_link)

**Reproduction Steps**:

1. Execute: `bison POC_bison_obprintf_assertion_failure_variant`
2. Observe the identical assertion failure as the primary vulnerability
3. Verify the same SIGABRT signal generation

**Expected Output**:

```
bison: obprintf.c:158: __obstack_vprintf_internal: Assertion `size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)' failed.
Aborted (core dumped)
```

### Trigger Mechanism

Despite the different grammar structure, the vulnerability is triggered through the same mechanism:

1. Grammar parsing reaches action code processing
2. The `handle_action_dollar` function processes `$variable` references
3. The obstack buffer state becomes inconsistent during printf formatting
4. The assertion failure occurs in obprintf.c:158

### Credit

*Xudong Cao (UCAS), Yuqing Zhang (UCAS, Zhongguancun Laboratory)*
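Because this report is a variant of an already-known crash, the practical question for anyone triaging a corpus of Bison inputs is whether a new abort lands in the same bucket as the primary report. The following triage helper is an added example, not part of the original report or of Bison: it parses the one-line message glibc's `__assert_fail` prints on stderr (the "Expected Output" above), derives a stable signature from file, line and function, and classifies each run as a new bucket, a duplicate, an abort without an assertion message, or no crash. The stderr sample embedded below is constructed to match the output quoted in the report; the `run_bison` helper assumes a `bison` binary on PATH and is the only part that touches the real tool.

```python
"""Crash-signature triage for glibc assertion failures (added example)."""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# glibc's __assert_fail output: "<prog>: <file>:<line>: <func>: Assertion `<expr>' failed."
ASSERT_RE = re.compile(
    r"^(?P<prog>[^:\s]+): (?P<file>[^:]+):(?P<line>\d+): (?P<func>\S+): "
    r"Assertion `(?P<expr>.*)' failed\.$"
)

# Constructed sample mirroring the "Expected Output" block of the report.
SAMPLE_STDERR = (
    "bison: obprintf.c:158: __obstack_vprintf_internal: Assertion "
    "`size == (new_f.ofile.file.file._IO_write_end - "
    "new_f.ofile.file.file._IO_write_base)' failed.\n"
    "Aborted (core dumped)\n"
)


@dataclass(frozen=True)
class CrashSignature:
    file: str
    line: int
    func: str
    expr: str

    def bucket(self) -> str:
        # Location alone is a stable dedup key: variants that hit the same
        # assertion from different grammars share it, which is exactly the
        # "same underlying vulnerability" claim the report makes.
        return f"{self.file}:{self.line}:{self.func}"


def parse_assertion(stderr_text: str) -> Optional[CrashSignature]:
    """Return the first glibc assertion message found in stderr, if any."""
    for raw in stderr_text.splitlines():
        m = ASSERT_RE.match(raw.strip())
        if m:
            return CrashSignature(m["file"], int(m["line"]), m["func"], m["expr"])
    return None


def is_abort(stderr_text: str, returncode: int) -> bool:
    # subprocess reports SIGABRT as -6; a run through a shell instead
    # exits 134 and prints "Aborted (core dumped)".
    return returncode == -6 or "Aborted" in stderr_text


def triage(stderr_text: str, returncode: int, known: dict) -> str:
    """Classify one run and record new buckets in `known` (bucket -> signature)."""
    sig = parse_assertion(stderr_text)
    if sig is None:
        return "abort-without-assertion" if is_abort(stderr_text, returncode) else "no-crash"
    key = sig.bucket()
    if key in known:
        return f"duplicate:{key}"
    known[key] = sig
    return f"new:{key}"


def run_bison(grammar_path: str, timeout: int = 10) -> tuple:
    """Run bison on one grammar and return (stderr, returncode).

    Assumption: `bison` is on PATH. Generated parser output is discarded
    so the working directory is not littered during bulk triage.
    """
    proc = subprocess.run(
        ["bison", "-o", "/dev/null", grammar_path],
        capture_output=True, text=True, timeout=timeout,
    )
    return proc.stderr, proc.returncode


if __name__ == "__main__":
    buckets = {}
    print(triage(SAMPLE_STDERR, -6, buckets))   # new:obprintf.c:158:__obstack_vprintf_internal
    print(triage(SAMPLE_STDERR, 134, buckets))  # duplicate:obprintf.c:158:__obstack_vprintf_internal
```

In a fuzzing loop, feed `run_bison(path)` into `triage` for every input and keep only inputs that produce a `new:` bucket; everything that reports `duplicate:obprintf.c:158:__obstack_vprintf_internal` is another variant of the crash documented here and does not need a separate report.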