Stack Overflow in HandleNode() #459

Closed
fumfel opened this issue Jan 17, 2017 · 6 comments · Fixed by #807

Comments


fumfel commented Jan 17, 2017

Stack Overflow in HandleNode()

Git HEAD: 86c69bb

Payload

To reproduce: cat yaml_stack_overflow | parse

ASAN:

==23331==ERROR: AddressSanitizer: stack-overflow on address 0x7ffec5d6bfc8 (pc 0x0000004bc0ba bp 0x7ffec5d6c830 sp 0x7ffec5d6bfd0 T0)
    #0 0x4bc0b9 in __asan_memcpy /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3
    #1 0x51c2ba in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:56:15
    #2 0x520e7d in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:199:5
    #3 0x51d688 in YAML::SingleDocParser::HandleSequence(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:143:7
    #4 0x51d688 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:98
    #5 0x525da0 in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:330:3
    #6 0x51d8b7 in YAML::SingleDocParser::HandleMap(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:226:7
    #7 0x51d8b7 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:121
    ===================================================== SNIP! =====================================================
    #369 0x51d688 in YAML::SingleDocParser::HandleSequence(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:143:7
    #370 0x51d688 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:98
    #371 0x525da0 in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:330:3
    #372 0x51d8b7 in YAML::SingleDocParser::HandleMap(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:226:7
    #373 0x51d8b7 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:121
    #374 0x520e7d in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:199:5
    #375 0x51d688 in YAML::SingleDocParser::HandleSequence(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:143:7
    #376 0x51d688 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:98

SUMMARY: AddressSanitizer: stack-overflow /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3 in __asan_memcpy
==23331==ABORTING
jbeder (Owner) commented Jan 17, 2017

Thanks for the report.


fgeek commented Apr 4, 2017

CVE-2017-5950 has been assigned for this issue. Please add it to commit message when fixing this and/or to ChangeLog.


anarcat commented Apr 26, 2017

I can't reproduce this directly. By default, on a clean build in Debian 9 "stretch", I get:

[1060]anarcat@curie:build$ ./util/parse < ~/Downloads/yaml_stack_overflow.txt 
yaml-cpp: error at line 1, column 1: end of sequence flow not found

If I create a ridiculously large test case (i.e. 7 times the original), I manage to get a segfault on malloc:

$ (cat ~/Downloads/yaml_stack_overflow.txt ; cat ~/Downloads/yaml_stack_overflow.txt ; cat ~/Downloads/yaml_stack_overflow.txt ; cat ~/Downloads/yaml_stack_overflow.txt ; cat ~/Downloads/yaml_stack_overflow.txt ; cat ~/Downloads/yaml_stack_overflow.txt ; cat ~/Downloads/yaml_stack_overflow.txt ) > wtf
$ ./util/parse  < wtf
Segmentation fault (core dumped)

here's the stacktrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7216b9b in _int_malloc (av=av@entry=0x7ffff7536b00 <main_arena>, bytes=bytes@entry=512) at malloc.c:3384
3384	malloc.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7216b9b in _int_malloc (av=av@entry=0x7ffff7536b00 <main_arena>, bytes=bytes@entry=512) at malloc.c:3384
#1  0x00007ffff7218d84 in __GI___libc_malloc (bytes=512) at malloc.c:2925
#2  0x00007ffff7ae67a8 in operator new(unsigned long) () from /lib/x86_64-linux-gnu/libstdc++.so.6
#3  0x00005555555a1baf in void std::deque<YAML::CollectionType::value, std::allocator<YAML::CollectionType::value> >::_M_push_back_aux<YAML::CollectionType::value const&>(YAML::CollectionType::value const&) ()
#4  0x000055555559d0e4 in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) ()
#5  0x000055555559b670 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#6  0x00005555555a192a in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) ()
#7  0x000055555559b618 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#8  0x000055555559d01c in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) ()
#9  0x000055555559b670 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#10 0x00005555555a192a in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) ()
#11 0x000055555559b618 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#12 0x000055555559d01c in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) ()
[... ad nauseam...]

As the SUSE folks say, maybe this is just a matter of setting a recursion limit?

anarcat added a commit to anarcat/yaml-cpp that referenced this issue Apr 26, 2017
Simply set a hardcoded recursion limit to 2000 (inspired by Python's)
to avoid infinitely recursing into arbitrary data structures.

assert() the depth. Unsure if this is the right approach, but given
that HandleNode() is "void", I am not sure how else to return an
error. The problem with this approach of course is that it will still
crash the caller, unless they have proper exception handling in place.

Closes: jbeder#459

anarcat commented Apr 26, 2017

please review the proposed fix in #489. thanks!
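Added example (not yaml-cpp's code and not part of this thread): a minimal C++ model of the mutual recursion visible in the sanitizer trace above (HandleNode calling into a flow-sequence or compact-map handler, which calls HandleNode again), with the depth limit the proposed fix describes, except that exceeding the limit throws a catchable exception instead of hitting assert(), so a caller with a try/catch gets a parse error rather than a crash. Everything here (the FlowParser class, NestedPayload, MaxDepth, Rejected, the default limit of 2000 taken from the commit message, and the "[a: [a: ..." payload shape chosen to reproduce the alternating HandleFlowSequence/HandleCompactMap frames) is the example's own assumption; it models the yaml-cpp call pattern, not its implementation.

```cpp
// Added example, not yaml-cpp code: a tiny recursive-descent parser for nested
// YAML flow sequences ("[...]") and single-pair "key: value" maps. Each nesting
// level adds stack frames through HandleNode -> HandleFlowSequence -> HandleNode
// and HandleNode -> (compact map value) -> HandleNode, exactly the cycle in the
// ASAN trace. The depth argument is the only thing that bounds it.
#include <cstddef>
#include <stdexcept>
#include <string>

namespace depthguard {

// Assumed limit for this example (the proposed yaml-cpp fix uses 2000).
constexpr std::size_t kDefaultMaxDepth = 2000;

// Thrown instead of assert()ing, so a caller with try/catch survives.
struct DepthError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

class FlowParser {
public:
    FlowParser(const std::string& in, std::size_t maxDepth)
        : in_(in), maxDepth_(maxDepth) {}

    // Parses one top-level node; returns the deepest HandleNode level reached.
    std::size_t Parse() {
        pos_ = 0;
        maxSeen_ = 0;
        HandleNode(1);
        SkipWs();
        if (pos_ != in_.size()) throw std::runtime_error("trailing data");
        return maxSeen_;
    }

private:
    char Peek() const { return pos_ < in_.size() ? in_[pos_] : '\0'; }
    void SkipWs() { while (Peek() == ' ' || Peek() == '\t' || Peek() == '\n') ++pos_; }

    void HandleNode(std::size_t depth) {
        // The guard: without this line the recursion below is unbounded.
        if (depth > maxDepth_) throw DepthError("nesting depth exceeds limit");
        if (depth > maxSeen_) maxSeen_ = depth;

        SkipWs();
        if (Peek() == '[') HandleFlowSequence(depth);
        else HandleScalar();

        // "key: value": the value is parsed by recursing into HandleNode.
        SkipWs();
        if (Peek() == ':') {
            ++pos_;
            HandleNode(depth + 1);
        }
    }

    void HandleFlowSequence(std::size_t depth) {
        ++pos_;  // consume '['
        SkipWs();
        while (Peek() != ']') {
            if (Peek() == '\0') throw std::runtime_error("end of sequence flow not found");
            HandleNode(depth + 1);  // each entry recurses
            SkipWs();
            if (Peek() == ',') { ++pos_; SkipWs(); }
            else if (Peek() == '\0') throw std::runtime_error("end of sequence flow not found");
            else if (Peek() != ']') throw std::runtime_error("expected ',' or ']'");
        }
        ++pos_;  // consume ']'
    }

    void HandleScalar() {
        // Consume a plain scalar up to a flow indicator or whitespace.
        while (Peek() != '\0' && std::string("[],: \t\n").find(Peek()) == std::string::npos) ++pos_;
    }

    std::string in_;
    std::size_t maxDepth_;
    std::size_t pos_ = 0;
    std::size_t maxSeen_ = 0;
};

// Constructed payload with the shape the trace alternation suggests: a flow
// sequence whose single entry is a compact map whose value is the next
// sequence, e.g. NestedPayload(2) == "[a: [a: []]]". Depth reached is 2*levels+1.
std::string NestedPayload(std::size_t levels) {
    std::string s;
    for (std::size_t i = 0; i < levels; ++i) s += "[a: ";
    s += "[]";
    s.append(levels, ']');
    return s;
}

// Returns the depth reached; throws DepthError past the limit.
std::size_t MaxDepth(const std::string& doc, std::size_t limit = kDefaultMaxDepth) {
    return FlowParser(doc, limit).Parse();
}

// What a hardened caller does: treat an over-deep document as a parse error.
bool Rejected(const std::string& doc, std::size_t limit = kDefaultMaxDepth) {
    try {
        MaxDepth(doc, limit);
        return false;
    } catch (const DepthError&) {
        return true;
    }
}

}  // namespace depthguard

int main() {
    using namespace depthguard;
    // A 20000-level payload is refused at depth 2001, long before the native
    // stack is exhausted; a 100-level one parses normally.
    return (Rejected(NestedPayload(20000)) && !Rejected(NestedPayload(100))) ? 0 : 1;
}
```

Build with any C++11 compiler (for example `g++ -std=c++11 -fsanitize=address depth_guard.cpp`). Two caveats when picking the constant: the limit has to sit well above what legitimate documents need, and it has to sit below what the thread's stack can actually sustain, which depends on frame size and on the caller's stack configuration (a worker thread or a reduced `ulimit -s` has far less than the main thread), so verify the chosen value under ASAN or a small stack rather than assuming 2000 is safe everywhere.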


lamby commented Jul 11, 2017

Hi, any update on this? :)

hobbes1069 commented

Ping

TedLyngmo pushed a commit to TedLyngmo/yaml-cpp that referenced this issue Feb 5, 2020