Null pointer dereference in latest bison (intersect_symbol src/lssi.c:276)

From: Youngseok Choi
Subject: Null pointer dereference in latest bison (intersect_symbol src/lssi.c:276)
Date: Wed, 12 Apr 2023 19:18:56 +0900
Hello, our fuzzer found a new SERV bug in bison.
*Command*
bison poc_file --report=c
(poc_file is attached)
*Output (stderr)*
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:25.22:
warning: symbol 'J' is used, but is not defined as a token and has no rules
[-Wother]
25 | %type <Integer> exp J%nonassoc '=' /* comparison
| ^
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:53.27:
warning: stray '$' [-Wother]
53 | if ($1.intValue () != $intValue ())
| ^
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:
warning: 1 nonterminal useless in grammar [-Wother]
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:25.22:
warning: nonterminal useless in grammar: J [-Wother]
25 | %type <Integer> exp J%nonassoc '=' /* comparison
| ^
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:
warning: 1 shift/reduce conflict [-Wconflicts-sr]
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:
warning: 12 reduce/reduce conflicts [-Wconflicts-rr]
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:
note: rerun with option '-Wcounterexamples' to generate conflict
counterexamples
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:34.3-7:
warning: rule useless in parser due to conflicts [-Wother]
34 | | input line:
| ^~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:50.3-77:
warning: rule useless in parser due to conflicts [-Wother]
50 | NUM { $$ = $1;
}
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:51.3-79.70:
warning: rule useless in parser due to conflicts [-Wother]
51 | | exp '=' exp
| ^~~~~~~~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:81.3-83.85:
warning: rule useless in parser due to conflicts [-Wother]
81 | {
| ^
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:88.3-35:
warning: rule useless in parser due to conflicts [-Wother]
88 | NUM { $$ = $1; }
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:89.3-91.23:
warning: rule useless in parser due to conflicts [-Wother]
89 | | exp '=' exp
| ^~~~~~~~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:93.3-95.52:
warning: rule useless in parser due to conflicts [-Wother]
93 | {
| ^
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:100.3-77:
warning: rule useless in parser due to conflicts [-Wother]
100 | NUM { $$ = $1;
}
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:101.3-127.1:
warning: rule useless in parser due to conflicts [-Wother]
101 | | exp '=' exp
| ^~~~~~~~~~~
*Sanitizer Dump*
==7175==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555555d0b7a bp 0x7fffffffb3a0 sp 0x7fffffff9300 T0)
==7175==The signal is caused by a READ memory access.
==7175==Hint: address points to the zero page.
    #0 0x5555555d0b79 in intersect_symbol src/lssi.c:276
    #1 0x5555555a1650 in reduction_step src/counterexample.c:831
    #2 0x5555555a3487 in generate_next_states src/counterexample.c:1047
    #3 0x5555555a43f5 in unifying_example src/counterexample.c:1182
    #4 0x5555555a4fac in counterexample_report src/counterexample.c:1283
    #5 0x5555555a600d in counterexample_report_reduce_reduce src/counterexample.c:1356
    #6 0x5555555a6a0b in counterexample_report_state src/counterexample.c:1400
    #7 0x5555556161c1 in print_state src/print.c:366
    #8 0x555555617041 in print_results src/print.c:471
    #9 0x5555555d225d in main src/main.c:188
    #10 0x7ffff6a48c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #11 0x555555588b49 in _start (/home/youngseok/subjects/latest_asan_install/bison/bin/bison+0x34b49)
*Environment*
OS: Ubuntu 18.04
gcc: 7.5.0
Bison: 3.8.2.46-9785 (git commit 97852f39f42a28abfcaf1c46b1f06920eae151c9)
We used AddressSanitizer to reason about the crash. Here is the build script:
CFLAGS="-fsanitize=address -g -O0" ./configure
Thank you
Youngseok Choi
Attachment: poc_file (binary data)