From: Youngseok Choi
Subject: Null pointer dereference in latest bison (intersect_symbol src/lssi.c:276)
Date: Wed, 12 Apr 2023 19:18:56 +0900

Hello, our fuzzer found a new SEGV bug in bison.

*Command*
bison poc_file --report=c
(poc_file is attached)

*Output (stderr)*
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:25.22:
warning: symbol 'J' is used, but is not defined as a token and has no rules
[-Wother]
   25 | %type  <Integer> exp J%nonassoc '='       /* comparison
      |                      ^
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:53.27:
warning: stray '$' [-Wother]
   53 |     if ($1.intValue () != $intValue ())
      |                           ^
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:
warning: 1 nonterminal useless in grammar [-Wother]
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:25.22:
warning: nonterminal useless in grammar: J [-Wother]
   25 | %type  <Integer> exp J%nonassoc '='       /* comparison
      |                      ^
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:
warning: 1 shift/reduce conflict [-Wconflicts-sr]
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:
warning: 12 reduce/reduce conflicts [-Wconflicts-rr]
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:
note: rerun with option '-Wcounterexamples' to generate conflict counterexamples
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:34.3-7:
warning: rule useless in parser due to conflicts [-Wother]
   34 | | input line:
      |   ^~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:50.3-77:
warning: rule useless in parser due to conflicts [-Wother]
   50 |   NUM                { $$ = $1;
        }
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:51.3-79.70:
warning: rule useless in parser due to conflicts [-Wother]
   51 | | exp '=' exp
      |   ^~~~~~~~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:81.3-83.85:
warning: rule useless in parser due to conflicts [-Wother]
   81 |   {
      |   ^
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:88.3-35:
warning: rule useless in parser due to conflicts [-Wother]
   88 |   NUM                { $$ = $1;   }
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:89.3-91.23:
warning: rule useless in parser due to conflicts [-Wother]
   89 | | exp '=' exp
      |   ^~~~~~~~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:93.3-95.52:
warning: rule useless in parser due to conflicts [-Wother]
   93 |   {
      |   ^
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:100.3-77:
warning: rule useless in parser due to conflicts [-Wother]
  100 |   NUM                { $$ = $1;
        }
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:101.3-127.1:
warning: rule useless in parser due to conflicts [-Wother]
  101 | | exp '=' exp
      |   ^~~~~~~~~~~

*Sanitizer Dump*
==7175==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555555d0b7a bp 0x7fffffffb3a0 sp 0x7fffffff9300 T0)
==7175==The signal is caused by a READ memory access.
==7175==Hint: address points to the zero page.
    #0 0x5555555d0b79 in intersect_symbol src/lssi.c:276
    #1 0x5555555a1650 in reduction_step src/counterexample.c:831
    #2 0x5555555a3487 in generate_next_states src/counterexample.c:1047
    #3 0x5555555a43f5 in unifying_example src/counterexample.c:1182
    #4 0x5555555a4fac in counterexample_report src/counterexample.c:1283
    #5 0x5555555a600d in counterexample_report_reduce_reduce src/counterexample.c:1356
    #6 0x5555555a6a0b in counterexample_report_state src/counterexample.c:1400
    #7 0x5555556161c1 in print_state src/print.c:366
    #8 0x555555617041 in print_results src/print.c:471
    #9 0x5555555d225d in main src/main.c:188
    #10 0x7ffff6a48c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #11 0x555555588b49 in _start (/home/youngseok/subjects/latest_asan_install/bison/bin/bison+0x34b49)

*Environment*
OS: Ubuntu 18.04
gcc: 7.5.0
Bison: 3.8.2.46-9785 (git commit 97852f39f42a28abfcaf1c46b1f06920eae151c9)

We used AddressSanitizer to reason about the crash. Here is the build script:
CFLAGS="-fsanitize=address -g -O0" ./configure

Thank you
Youngseok Choi

Attachment: poc_file
Description: Binary data
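A small crash-triage helper, added here as an example and not part of the report or of bison itself: it parses the AddressSanitizer dump quoted above (re-typed as constructed input, first three frames only), classifies a SEGV on a page-zero address as a null-pointer dereference, and builds a dedup key from the top in-project frames so repeated fuzzer findings with the same root cause land in one bucket. The `src/` project prefix and the three-frame depth are assumptions chosen for this example.

```python
import re

# Constructed test input: the AddressSanitizer dump from the report above,
# re-typed with the e-mail line wrapping undone and trimmed to three frames.
ASAN_REPORT = """\
==7175==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555555d0b7a bp 0x7fffffffb3a0 sp 0x7fffffff9300 T0)
==7175==The signal is caused by a READ memory access.
==7175==Hint: address points to the zero page.
    #0 0x5555555d0b79 in intersect_symbol src/lssi.c:276
    #1 0x5555555a1650 in reduction_step src/counterexample.c:831
    #2 0x5555555a3487 in generate_next_states src/counterexample.c:1047
"""

# ASan header: "<kind> on address 0x..." (heap-buffer-overflow, ...) or
# "SEGV on unknown address 0x..." for signal-based crashes.
HEADER_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE)\b")
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>\S+)\s+(?P<loc>\S+)", re.M)


def parse_asan_report(text):
    """Extract error kind, faulting address, access type and symbolized frames."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no AddressSanitizer error header found")
    access = ACCESS_RE.search(text)
    frames = [(m.group("func"), m.group("loc")) for m in FRAME_RE.finditer(text)]
    return {
        "kind": header.group("kind"),
        "address": int(header.group("addr"), 16),
        "access": access.group(1) if access else "UNKNOWN",
        "frames": frames,
    }


def classify(report):
    """Name the bug class: a SEGV inside the first page is a NULL dereference."""
    if report["kind"] == "SEGV":
        return "null-pointer-dereference" if report["address"] < 0x1000 else "wild-pointer-access"
    return report["kind"]


def bucket_key(report, depth=3, project_prefix="src/"):
    """Dedup key: bug class plus the top `depth` frames inside the project tree
    (assumed prefix 'src/'), ignoring libc and runtime frames."""
    own = [f"{func}@{loc}" for func, loc in report["frames"] if loc.startswith(project_prefix)]
    return "|".join([classify(report), *own[:depth]])
```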