Florian Weimer writes:
> Has anyone been able to make the reproducer work? The file uploaded to
> Google drive may have been garbled, not sure.
>
> (We've reached out internally to Red Hat Product Security because Red
> Hat currently publishes a statement that the issues were reproduced on
> bison 3.8.2, but not on bison 3.7.4. I don't know how this conclusion
> was reached based on the publicly available information.)

It doesn't reproduce on bison built from the latest git commit. See
below:

$ ./src/bison /POC_bison_obprintf_assertion_failure
/POC_bison_obprintf_assertion_failure:81.9-12: warning: unused value: $2
[-Wother]
81 | | input line
| ^~~~
/POC_bison_obprintf_assertion_failure:85.3-96.5: warning: unset value: $$
[-Wother]
85 | exp eol
| ^~~~~~~
/POC_bison_obprintf_assertion_failure:85.7-9: warning: unused value: $2
[-Wother]
85 | exp eol
| ^~~
/POC_bison_obprintf_assertion_failure:106.7-9: warning: unused value: $2
[-Wother]
106 | | exp "-" exp { $$ = $1 + $3; }
| ^~~
/POC_bison_obprintf_assertion_failure:107.7-9: warning: unused value: $2
[-Wother]
107 | | exp "-" exp { $$ = yylex.
| ^~~
/POC_bison_obprintf_assertion_failure:109.7-9: warning: unused value: $2
[-Wother]
109 | | exp "*" exp { $$ =
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$...
| ^~~
/POC_bison_obprintf_assertion_failure:110.7-9: warning: unused value: $2
[-Wother]
110 | | exp "/" exp
| ^~~
/POC_bison_obprintf_assertion_failure:118.3-5: warning: unused value: $1
[-Wother]
118 | | "+" exp %prec UNARY { $$ = + $2; }
| ^~~
/POC_bison_obprintf_assertion_failure:119.3-5: warning: unused value: $1
[-Wother]
119 | | "-" exp %prec noteUNARY { $$ = - $2; }
| ^~~
/POC_bison_obprintf_assertion_failure:119.3-41: warning: token for %prec is
not defined: noteUNARY [-Wother]
119 | | "-" exp %prec noteUNARY { $$ = - $2; }
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/POC_bison_obprintf_assertion_failure: error: shift/reduce conflicts: 3
found, 0 expected
/POC_bison_obprintf_assertion_failure: error: reduce/reduce conflicts: 3
found, 0 expected
/POC_bison_obprintf_assertion_failure: note: rerun with option
'-Wcounterexamples' to generate conflict counterexamples
/POC_bison_obprintf_assertion_failure:107.3-108.10: warning: rule useless
in parser due to conflicts [-Wother]
107 | | exp "-" exp { $$ = yylex.
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~

> This is also <https://nvd.nist.gov/vuln/detail/CVE-2025-8734>.

This one also does not reproduce:

./src/bison /POC_bison_memory_corruption_doublefree
/POC_bison_memory_corruption_doublefree:109.196-200: error: invalid
reference: ‘$lalr’
109 |
...$$$$$$$$$$lalr$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$...
| ^~~~~
/POC_bison_memory_corruption_doublefree:109.3-610: note: symbol not found
in production: lalr
109 | | exp "*" exp { $$ =
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$...
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/POC_bison_memory_corruption_doublefree:81.9-12: warning: unused value: $2
[-Wother]
81 | | input line
| ^~~~
/POC_bison_memory_corruption_doublefree:85.3-96.5: warning: unset value: $$
[-Wother]
85 | exp eol
| ^~~~~~~
/POC_bison_memory_corruption_doublefree:85.7-9: warning: unused value: $2
[-Wother]
85 | exp eol
| ^~~
/POC_bison_memory_corruption_doublefree:106.7-9: warning: unused value: $2
[-Wother]
106 | | exp "-" exp { $$ = $1 + $3; }
| ^~~
/POC_bison_memory_corruption_doublefree:107.7-9: warning: unused value: $2
[-Wother]
107 | | exp "-" exp { $$ = yylex.
| ^~~
/POC_bison_memory_corruption_doublefree:109.7-9: warning: unused value: $2
[-Wother]
109 | | exp "*" exp { $$ =
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$...
| ^~~
/POC_bison_memory_corruption_doublefree:110.7-9: warning: unused value: $2
[-Wother]
110 | | exp "/" exp
| ^~~
/POC_bison_memory_corruption_doublefree:118.3-5: warning: unused value: $1
[-Wother]
118 | | "+" exp %prec UNARY { $$ = + $2; }
| ^~~
/POC_bison_memory_corruption_doublefree:119.3-5: warning: unused value: $1
[-Wother]
119 | | "-" exp %prec noteUNARY { $$ = - $2; }
| ^~~
/POC_bison_memory_corruption_doublefree:119.3-41: warning: token for %prec
is not defined: noteUNARY [-Wother]
119 | | "-" exp %prec noteUNARY { $$ = - $2; }
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Both do not reproduce for me with Bison 3.8.2 built from a tarball in a
Fedora 42 container, which reinforces my original suspicion that this is
spam, sadly.

Collin