
AddressSanitizer: heap-buffer-overflow src/ast/lex_conf.cc:4019 in re2c::Scanner::lex_conf_number() #231

Closed
fgeek opened this issue Nov 29, 2018 · 2 comments

Comments

@fgeek

commented Nov 29, 2018

Hello. It's me again after ~1358 million executions :)

Tested commit: 15c5c7b
Tools: american fuzzy lop 2.52b, afl-utils
re2c-2018-11-29.txt

=================================================================
==23529==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000e900 at pc 0x55e70e224897 bp 0x7ffdac69ab70 sp 0x7ffdac69ab68
READ of size 1 at 0x62500000e900 thread T0
    #0 0x55e70e224896 in re2c::Scanner::lex_conf_number() src/ast/lex_conf.cc:4019
    #1 0x55e70e235e9e in re2c::Scanner::lex_conf_bool() ../src/ast/lex_conf.re:251
    #2 0x55e70e235e9e in re2c::Scanner::lex_conf(re2c::Opt&) ../src/ast/lex_conf.re:148
    #3 0x55e70e211424 in yyparse(re2c::context_t&) src/ast/parser.ypp:74
    #4 0x55e70e2154d3 in re2c::parse(re2c::Scanner&, std::vector<re2c::spec_t, std::allocator<re2c::spec_t> >&, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, re2c::AST const*, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, re2c::AST const*> > >&, re2c::Opt&) src/ast/parser.ypp:257
    #5 0x55e70e135666 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:159
    #6 0x55e70df2ba15 in main src/main.cc:31
    #7 0x7f417966f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #8 0x55e70df2caa9 in _start (/home/afl/builds/re2c/15c5c7b41fe7198c03bc32e5968a652d336f76bc/bin/re2c+0x1eaa9)

0x62500000e900 is located 0 bytes to the right of 8192-byte region [0x62500000c900,0x62500000e900)
allocated by thread T0 here:
    #0 0x7f417a34dd70 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2d70)
    #1 0x55e70e1cfc6b in re2c::Scanner::fill(unsigned int) src/ast/scanner.cc:47
    #2 0x55e70e1eea6b in re2c::Scanner::echo(re2c::Output&) src/ast/lex.cc:89
    #3 0x55e70e1354ba in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:144
    #4 0x55e70df2ba15 in main src/main.cc:31
    #5 0x7f417966f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/ast/lex_conf.cc:4019 in re2c::Scanner::lex_conf_number()
==23529==ABORTING

skvadrik added a commit that referenced this issue Nov 29, 2018

Fixed read past the end of buffer in configuration parser.
This fixes bug #231.
Found by american fuzzy lop (thanks to Henri Salo).
Also reported by re2c -W (shame on me for not using it all this time!).
@skvadrik

Owner

commented Nov 29, 2018

Alas! This one was even reported by re2c -W, if only I had cared to enable RE2C's own warnings:

re2c: warning: line 269: control flow is undefined for strings that match 
        '[\x0-\x2C\x2E-\x2F\x3A-\xFF]'
        '\x2D [\x0-\x30\x3A-\xFF]'
, use default rule '*' [-Wundefined-control-flow]

Thanks for reporting. Pushed a fix: 4b511e5.
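The warning quoted above names two byte classes for which the generated number lexer had no rule. The C function below is an added example, not re2c's code and not the actual fix 4b511e5: it hand-writes a bounds-checked stand-in for such a lexer, with the grammar "0" | "-"? [1-9] [0-9]* inferred from those two classes, so that every byte outside the grammar, including the end of an unterminated buffer window, takes an explicit default rule instead of being read past the buffer. All function and enum names are assumptions.

```c
#include <stddef.h>

/* Hypothetical result codes (not re2c's). */
enum lex_result { LEX_NUMBER, LEX_DEFAULT };

/* Lex one number from the window [cur, lim), which need not be NUL-terminated.
 * Grammar inferred from the two warning classes: "0" | "-"? [1-9] [0-9]*
 * Every read is bounds-checked against lim; any sequence outside the grammar
 * takes the default rule '*' (LEX_DEFAULT) without touching a byte at or past
 * lim. On LEX_NUMBER, *end points just past the number and *value holds it. */
enum lex_result lex_conf_number(const char *cur, const char *lim,
                                const char **end, long *value)
{
    const char *p = cur;
    long v = 0;
    int neg = 0;

    if (p >= lim) return LEX_DEFAULT;              /* empty window */
    if (*p == '0') {                               /* rule "0" */
        *end = p + 1; *value = 0;
        return LEX_NUMBER;
    }
    if (*p == '-') {                               /* optional sign */
        neg = 1; p++;
        /* class 2: '\x2D [\x0-\x30\x3A-\xFF]', '-' not followed by [1-9].
         * End of window is treated the same way: this is the read that an
         * unchecked scanner performs one byte past the buffer. */
        if (p >= lim || *p < '1' || *p > '9') return LEX_DEFAULT;
    } else if (*p < '1' || *p > '9') {
        /* class 1: '[\x0-\x2C\x2E-\x2F\x3A-\xFF]', neither '-' nor digit. */
        return LEX_DEFAULT;
    }
    while (p < lim && *p >= '0' && *p <= '9') {    /* [1-9] [0-9]* */
        v = v * 10 + (*p - '0');                   /* no overflow guard: demo only */
        p++;
    }
    *end = p;
    *value = neg ? -v : v;
    return LEX_NUMBER;
}

/* Wrapper: the number at the start of buf[0..len), or fallback on the default rule. */
long lex_number_or(const char *buf, size_t len, long fallback)
{
    const char *end;
    long value;
    return lex_conf_number(buf, buf + len, &end, &value) == LEX_NUMBER
           ? value : fallback;
}
```

A window ending right after '-' (the "-" case) is exactly the shape where a lexer without a bounds check or default rule reads the byte at lim, which is what the ASan report above shows.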

@fgeek

Author

commented Dec 3, 2018

Fix confirmed.

@fgeek fgeek closed this Dec 3, 2018
