
Stack Overflow in SingleDocParser::HandleFlowSequence(YAML::EventHandler&) () #660

Open
E4ck opened this Issue Jan 14, 2019 · 6 comments

E4ck commented Jan 14, 2019

Stack Overflow in SingleDocParser::HandleFlowSequence(YAML::EventHandler&) ()

position:code

poc

To reproduce: ./parse < crash0

gdb:
Program received signal SIGSEGV, Segmentation fault.
0x0807e61d in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) ()

ASAN:

ASAN:DEADLYSIGNAL
=================================================================
==9579==ERROR: AddressSanitizer: stack-overflow on address 0xbf6a8fc0 (pc 0x0814e3e3 bp 0xbf6a93e8 sp 0xbf6a8fb0 T0)

SUMMARY: AddressSanitizer: stack-overflow (/home/eack/yaml-cpp/build2/util/parse+0x814e3e2) 
==9579==ABORTING

wcventure commented Jan 17, 2019

CVE-2019-6292


E4ck commented Feb 14, 2019

CVE-2019-6285


iamleot commented Mar 8, 2019

It seems that CVE-2019-6285 is a duplicate of CVE-2018-20710 (same description and same references) and - maybe - CVE-2019-6285 and CVE-2018-20710 are a duplicate of CVE-2019-6292. If that's the case @E4ck, @wcventure, can you please update the status of the CVE in order to avoid duplicates?

Thank you!


iamleot commented Mar 8, 2019

...and, if CVE-2019-6285 is a duplicate of CVE-2019-6292 then this issue is probably a duplicate of #657.


sgayou commented Mar 8, 2019

Yeah, this does look like a dupe after a high-level look. Here's my gdb backtrace with symbols:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b4bb7a in _int_malloc () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7b4bb7a in _int_malloc () from /lib64/libc.so.6
#1  0x00007ffff7b4db07 in malloc () from /lib64/libc.so.6
#2  0x00007ffff7ec3b9c in operator new (sz=48) at ../../../../libstdc++-v3/libsupc++/new_op.cc:50
#3  0x000000000043fd71 in __gnu_cxx::new_allocator<std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> > >::allocate(unsigned long, void const*) ()
#4  0x000000000043fce1 in std::allocator_traits<std::allocator<std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> > > >::allocate(std::allocator<std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> > >&, unsigned long) ()
... # truncated here a bit, lots of templates.
#10 0x000000000043e733 in std::set<std::shared_ptr<YAML::detail::node>, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::insert(std::shared_ptr<YAML::detail::node> const&) ()
#11 0x000000000043e2a8 in YAML::detail::memory::create_node() ()
#12 0x0000000000435cbe in YAML::detail::memory_holder::create_node() ()
#13 0x000000000043911a in YAML::NodeBuilder::Push(YAML::Mark const&, unsigned long) ()
#14 0x0000000000438fbb in YAML::NodeBuilder::OnSequenceStart(YAML::Mark const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long, YAML::EmitterStyle::value) ()
#15 0x000000000042b987 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#16 0x000000000042cd3e in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) ()
#17 0x000000000042c482 in YAML::SingleDocParser::HandleMap(YAML::EventHandler&) ()
#18 0x000000000042bb99 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#19 0x000000000042c1fd in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) ()
#20 0x000000000042bd5e in YAML::SingleDocParser::HandleSequence(YAML::EventHandler&) ()
#21 0x000000000042b9a0 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#22 0x000000000042cd3e in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) ()
#23 0x000000000042c482 in YAML::SingleDocParser::HandleMap(YAML::EventHandler&) ()
#24 0x000000000042bb99 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
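The repeating frames in the backtrace above (HandleNode -> HandleSequence -> HandleFlowSequence -> HandleNode -> HandleMap -> HandleCompactMap -> HandleNode ...) show that each level of nesting in the input costs another round of recursive calls, so a sufficiently deep document runs the parser off the end of its stack. The following is an added example, not yaml-cpp code and not code from anyone in this thread: a minimal parser for nested flow sequences that carries an explicit nesting budget and rejects over-deep input with an error instead of recursing until the stack is gone. The grammar subset, the limit value and all names (FlowParser, max_flow_depth, parses_within_budget) are assumptions.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
// Minimal recursive-descent parser for nested flow sequences ("[a, [b, c]]") with an
// explicit nesting budget: every recursive parse_sequence() call is charged against it, so
// a long run of '[' is rejected with an exception instead of exhausting the native stack.
struct FlowParser {
    const std::string& in;
    std::size_t pos = 0, depth = 0, deepest = 0;
    std::size_t max_depth;  // caller's budget; assumption: a few hundred covers real documents
    FlowParser(const std::string& s, std::size_t limit) : in(s), max_depth(limit) {}
    void skip_ws() { while (pos < in.size() && in[pos] == ' ') ++pos; }
    void fail(const char* what) { throw std::runtime_error(std::string(what) + " at offset " + std::to_string(pos)); }
    // sequence := '[' (node (',' node)*)? ']'
    void parse_sequence() {
        if (++depth > max_depth) fail("flow nesting exceeds limit");
        if (depth > deepest) deepest = depth;
        ++pos; skip_ws();  // consume '['
        if (pos < in.size() && in[pos] == ']') { ++pos; --depth; return; }  // empty sequence
        for (;;) {
            parse_node(); skip_ws();
            if (pos >= in.size()) fail("unterminated flow sequence");
            if (in[pos] == ',') { ++pos; continue; }
            if (in[pos] == ']') { ++pos; break; }
            fail("unexpected character");
        }
        --depth;
    }
    // node := sequence | scalar (a non-empty run of non-delimiter characters)
    void parse_node() {
        skip_ws();
        if (pos < in.size() && in[pos] == '[') { parse_sequence(); return; }
        std::size_t start = pos;
        while (pos < in.size() && in[pos] != ',' && in[pos] != ']' && in[pos] != '[') ++pos;
        if (pos == start) fail("empty node");
    }
};
// Maximum flow nesting depth of a whole document; throws std::runtime_error on malformed or over-deep input.
std::size_t max_flow_depth(const std::string& doc, std::size_t limit) {
    FlowParser p(doc, limit);
    p.parse_node(); p.skip_ws();
    if (p.pos != doc.size()) p.fail("trailing input");
    return p.deepest;
}
// True when the document is well formed and fits within the nesting budget.
bool parses_within_budget(const std::string& doc, std::size_t limit) {
    try { max_flow_depth(doc, limit); return true; } catch (const std::runtime_error&) { return false; }
}
```

With a budget of a few hundred levels, a document consisting of a hundred thousand opening brackets is refused after a few hundred frames of recursion, which is the behaviour a parser of untrusted input should have in place of the SIGSEGV reported here.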

iamleot commented Mar 9, 2019

Thanks @sgayou!

I have just requested to mark CVE-2018-20710 as duplicate to CVE-2019-6285 via CVE Request web form and I will share any updates about that.
