Stack Overflow in SingleDocParser::HandleFlowSequence(YAML::EventHandler&) () #660

E4ck · 2019-01-14T07:58:28Z

Stack Overflow in SingleDocParser::HandleFlowSequence(YAML::EventHandler&) ()

position：code

To reproduce: ./parse < crash0

gdb:
Program received signal SIGSEGV, Segmentation fault.
0x0807e61d in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) ()

ASAN:

ASAN:DEADLYSIGNAL
=================================================================
==9579==ERROR: AddressSanitizer: stack-overflow on address 0xbf6a8fc0 (pc 0x0814e3e3 bp 0xbf6a93e8 sp 0xbf6a8fb0 T0)
    #0 0x814e3e2  (/home/eack/yaml-cpp/build2/util/parse+0x814e3e2)
    #1 0x816fde8  (/home/eack/yaml-cpp/build2/util/parse+0x816fde8)
    #2 0x818f283  (/home/eack/yaml-cpp/build2/util/parse+0x818f283)
    #3 0x81d41b8  (/home/eack/yaml-cpp/build2/util/parse+0x81d41b8)
    #4 0x81d966a  (/home/eack/yaml-cpp/build2/util/parse+0x81d966a)
    #5 0x81d4528  (/home/eack/yaml-cpp/build2/util/parse+0x81d4528)
    #6 0x81dfdc9  (/home/eack/yaml-cpp/build2/util/parse+0x81dfdc9)
    #7 0x81d47fc  (/home/eack/yaml-cpp/build2/util/parse+0x81d47fc)
    #8 0x81d966a  (/home/eack/yaml-cpp/build2/util/parse+0x81d966a)
    #9 0x81d4528  (/home/eack/yaml-cpp/build2/util/parse+0x81d4528)
    #10 0x81dfdc9  (/home/eack/yaml-cpp/build2/util/parse+0x81dfdc9)
    #11 0x81d47fc  (/home/eack/yaml-cpp/build2/util/parse+0x81d47fc)
    #12 0x81d966a  (/home/eack/yaml-cpp/build2/util/parse+0x81d966a)
    #13 0x81d4528  (/home/eack/yaml-cpp/build2/util/parse+0x81d4528)
    #14 0x81dfdc9  (/home/eack/yaml-cpp/build2/util/parse+0x81dfdc9)
    #15 0x81d47fc  (/home/eack/yaml-cpp/build2/util/parse+0x81d47fc)
    ......
    #243 0x81d47fc  (/home/eack/yaml-cpp/build2/util/parse+0x81d47fc)
    #244 0x81d966a  (/home/eack/yaml-cpp/build2/util/parse+0x81d966a)
    #245 0x81d4528  (/home/eack/yaml-cpp/build2/util/parse+0x81d4528)
    #246 0x81dfdc9  (/home/eack/yaml-cpp/build2/util/parse+0x81dfdc9)
    #247 0x81d47fc  (/home/eack/yaml-cpp/build2/util/parse+0x81d47fc)
    #248 0x81d966a  (/home/eack/yaml-cpp/build2/util/parse+0x81d966a)
    #249 0x81d4528  (/home/eack/yaml-cpp/build2/util/parse+0x81d4528)
    #250 0x81dfdc9  (/home/eack/yaml-cpp/build2/util/parse+0x81dfdc9)

SUMMARY: AddressSanitizer: stack-overflow (/home/eack/yaml-cpp/build2/util/parse+0x814e3e2) 
==9579==ABORTING

The text was updated successfully, but these errors were encountered:

wcventure · 2019-01-17T12:50:02Z

CVE-2019-6292

E4ck · 2019-02-14T06:58:23Z

CVE-2019-6285

iamleot · 2019-03-08T13:35:20Z

It seems that CVE-2019-6285 is a duplicate of CVE-2018-20710 (same description and same references) and - maybe - CVE-2019-6285 and CVE-2018-20710 are a duplicate of CVE-2019-6292. If that's the case @E4ck, @wcventure, can you please update the status of the CVE in order to avoid duplicates?

Thank you!

iamleot · 2019-03-08T13:36:43Z

...and, if CVE-2019-6285 is a duplicate of CVE-2019-6292 then this issue is probably a duplicate of #657.

sgayou · 2019-03-08T17:36:41Z

Yeah, this does look like a dupe after a high-level look. Here's my gdb backtrace with symbols:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b4bb7a in _int_malloc () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7b4bb7a in _int_malloc () from /lib64/libc.so.6
#1  0x00007ffff7b4db07 in malloc () from /lib64/libc.so.6
#2  0x00007ffff7ec3b9c in operator new (sz=48) at ../../../../libstdc++-v3/libsupc++/new_op.cc:50
#3  0x000000000043fd71 in __gnu_cxx::new_allocator<std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> > >::allocate(unsigned long, void const*) ()
#4  0x000000000043fce1 in std::allocator_traits<std::allocator<std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> > > >::allocate(std::allocator<std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> > >&, unsigned long) ()
... # truncated here a bit, lots of templates.
#10 0x000000000043e733 in std::set<std::shared_ptr<YAML::detail::node>, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::insert(std::shared_ptr<YAML::detail::node> const&) ()
#11 0x000000000043e2a8 in YAML::detail::memory::create_node() ()
#12 0x0000000000435cbe in YAML::detail::memory_holder::create_node() ()
#13 0x000000000043911a in YAML::NodeBuilder::Push(YAML::Mark const&, unsigned long) ()
#14 0x0000000000438fbb in YAML::NodeBuilder::OnSequenceStart(YAML::Mark const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long, YAML::EmitterStyle::value) ()
#15 0x000000000042b987 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#16 0x000000000042cd3e in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) ()
#17 0x000000000042c482 in YAML::SingleDocParser::HandleMap(YAML::EventHandler&) ()
#18 0x000000000042bb99 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#19 0x000000000042c1fd in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) ()
#20 0x000000000042bd5e in YAML::SingleDocParser::HandleSequence(YAML::EventHandler&) ()
#21 0x000000000042b9a0 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#22 0x000000000042cd3e in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) ()
#23 0x000000000042c482 in YAML::SingleDocParser::HandleMap(YAML::EventHandler&) ()
#24 0x000000000042bb99 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()

iamleot · 2019-03-09T11:16:17Z

Thanks @sgayou!

I have just requested to mark CVE-2018-20710 as duplicate to CVE-2019-6285 via CVE Request web form and I will share any updates about that.

iamleot · 2019-04-18T09:52:20Z

Leonardo Taccari writes:

[...] I have just requested to mark CVE-2018-20710 as duplicate to CVE-2019-6285 via [CVE Request web form](https://cveform.mitre.org/) and I will share any updates about that. [...]

JFTR, CVE-2018-20710 is now rejected and marked as duplicated to CVE-2019-6285.

NicoleG25 · 2019-12-26T13:59:27Z

Is there any fix to the issue though? Thanks :)

AlanGriffiths mentioned this issue Jan 20, 2020

Fix stack overflow #807

Merged

jbeder closed this as completed in #807 Apr 9, 2020

LocutusOfBorg mentioned this issue May 22, 2020

Recursive Stack Frames: HandleCompactMap, HandleMap, HandleFlowSequence, HandleSequence, HandleNode #657

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Stack Overflow in SingleDocParser::HandleFlowSequence(YAML::EventHandler&) () #660

Stack Overflow in SingleDocParser::HandleFlowSequence(YAML::EventHandler&) () #660

E4ck commented Jan 14, 2019

wcventure commented Jan 17, 2019

E4ck commented Feb 14, 2019

iamleot commented Mar 8, 2019

iamleot commented Mar 8, 2019

sgayou commented Mar 8, 2019

iamleot commented Mar 9, 2019

iamleot commented Apr 18, 2019 via email

NicoleG25 commented Dec 26, 2019

Stack Overflow in SingleDocParser::HandleFlowSequence(YAML::EventHandler&) () #660

Stack Overflow in SingleDocParser::HandleFlowSequence(YAML::EventHandler&) () #660

Comments

E4ck commented Jan 14, 2019

wcventure commented Jan 17, 2019

E4ck commented Feb 14, 2019

iamleot commented Mar 8, 2019

iamleot commented Mar 8, 2019

sgayou commented Mar 8, 2019

iamleot commented Mar 9, 2019

iamleot commented Apr 18, 2019 via email

NicoleG25 commented Dec 26, 2019