Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap-based buffer overflow in the yylex() function #36

Closed
fcambus opened this issue Dec 10, 2019 · 5 comments
Closed

Heap-based buffer overflow in the yylex() function #36

fcambus opened this issue Dec 10, 2019 · 5 comments

Comments

@fcambus
Copy link

fcambus commented Dec 10, 2019

Hi,

While fuzzing yabasic 2.86.1 with Honggfuzz, I found a heap-based buffer overflow in the yylex() function, in flex.c.

Attaching a reproducer (gzipped so GitHub accepts it): test01.yab.gz

Issue can be reproduced by running:

yabasic test01.yab
=================================================================
==20945==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000223 at pc 0x0000005a1a77 bp 0x7ffd03025cb0 sp 0x7ffd03025ca8
WRITE of size 1 at 0x603000000223 thread T0
    #0 0x5a1a76 in yylex /home/fcambus/yabasic-2.86.1/flex.c:3100:27
    #1 0x5aad98 in yyparse /home/fcambus/yabasic-2.86.1/bison.c:3338:16
    #2 0x4f9497 in main /home/fcambus/yabasic-2.86.1/main.c:293:6
    #3 0x7f5abf9cab6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
    #4 0x41da49 in _start (/home/fcambus/yabasic-2.86.1/yabasic+0x41da49)

Address 0x603000000223 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fcambus/yabasic-2.86.1/flex.c:3100:27 in yylex
Shadow bytes around the buggy address:
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 07 fa fa 00 00 00 04 fa fa 00 00
  0x0c067fff8010: 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa fa fa
  0x0c067fff8020: fd fd fd fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x0c067fff8030: fa fa 00 00 01 fa fa fa 00 00 00 05 fa fa fa fa
=>0x0c067fff8040: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==20945==ABORTING
@marcIhm
Copy link
Owner

marcIhm commented Dec 10, 2019

Confirmed. I see the same error (and some more warnings too ...). Will fix this. Please stand by.

@fcambus
Copy link
Author

fcambus commented Dec 11, 2019

This issue has been assigned CVE-2019-19720.

@marcIhm
Copy link
Owner

marcIhm commented Dec 12, 2019

Fixed with 2.86.2.
Thanx for pointing me at address-sanitizer !

@fcambus
Copy link
Author

fcambus commented Dec 13, 2019

Thanks for the fix, 2.86.2 solves the issue for me as well.

In the future, it would be nice if you could mention the CVE in the ChangeLog and in the release notes, as it helps distribution packagers who track the CVE database to figure out which issues were fixed by a particular release.

@fcambus fcambus closed this as completed Dec 13, 2019
@marcIhm
Copy link
Owner

marcIhm commented Dec 15, 2019 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants