[bug-gawk] out of bounds heap read in yyerror
From: Hanno Böck
Subject: [bug-gawk] out of bounds heap read in yyerror
Date: Tue, 22 Sep 2015 10:40:33 +0200
Hi,
The current git code of gawk has an out of bounds heap read error. This
can be triggered with the file attached (just three bytes, a newline, a
{ and another newline).
This can be seen with valgrind or address sanitizer.
This is the code piece where this happens (in awkgram.y):
for (; cp != lexptr_begin && *cp != '\n'; --cp)
This was found with american fuzzy lop.
Here's the stack trace from address sanitizer:
==3468==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bc7f at pc 0x00000051b5dd bp 0x7ffe1d258e30 sp 0x7ffe1d258e28
READ of size 1 at 0x60c00000bc7f thread T0
    #0 0x51b5dc in yyerror /f/awk/gawk/awkgram.y:2292:33
    #1 0x4fc9e9 in yyparse /f/awk/gawk/awkgram.c:4223:7
    #2 0x527236 in parse_program /f/awk/gawk/awkgram.y:2499:8
    #3 0x6551d4 in main /f/awk/gawk/main.c:445:6
    #4 0x7f4e3ffdcf9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #5 0x43f7d6 in _start (/mnt/ram/gawk/gawk+0x43f7d6)

0x60c00000bc7f is located 1 bytes to the left of 128-byte region [0x60c00000bc80,0x60c00000bd00)
allocated by thread T0 here:
    #0 0x4c67a2 in malloc (/mnt/ram/gawk/gawk+0x4c67a2)
    #1 0x51cde7 in emalloc_real /f/awk/gawk/./awk.h:1838:17
    #2 0x52b46c in nextc /f/awk/gawk/awkgram.y:3024:8
    #3 0x4f6546 in yylex /f/awk/gawk/awkgram.y:3290:6
    #4 0x4f6546 in yyparse /f/awk/gawk/awkgram.c:1807
    #5 0x527236 in parse_program /f/awk/gawk/awkgram.y:2499:8
    #6 0x7f4e3ffdcf9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/awk/gawk/awkgram.y:2292 yyerror
Shadow bytes around the buggy address:
  0x0c187fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c187fff9780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c187fff9790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff97a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff97b0: 00 00 00 00 00 00 00 02 fa fa fa fa fa fa fa fa
  0x0c187fff97c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa
  0x0c187fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3468==ABORTING
--
Hanno Böck
https://hboeck.de/
mail/jabber: address@hidden
GPG: BBB51E42
Attachment: gawk-oob-heap-read-yyerror (Binary data)
Attachment: signature.asc (PGP signature)
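The loop quoted in the report only reaches its `cp != lexptr_begin` stop if `cp` enters the loop inside the buffer; the trace shows the read landing one byte before the allocation, a position an inequality test never catches. The following is an added example, not gawk's code and not the fix the maintainers applied: it models the cursor as a signed offset (so the reported "one byte to the left" position is representable as -1 without forming an invalid pointer), puts the reported loop's shape behind the precondition it silently depends on, and shows a hardened backward scan next to it that clamps the cursor and compares with `>` instead of `!=`. The three-byte sample input is constructed from the report's description; the function and variable names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed input mirroring the report's description: a newline, a '{',
 * and another newline (three bytes). Not the attached file itself. */
const char SAMPLE[] = "\n{\n";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

/* Shape of the loop quoted in the report, preceded by the precondition it
 * silently relies on. Returns the offset where the backward scan stops
 * (the buffer start, or the newline preceding the cursor's line), or -1
 * when the cursor lies outside [0, len) and the scan must not run at all:
 * with pos == -1, the reported form would dereference buf[-1] first. */
ptrdiff_t scan_back_reported_form(const char *buf, size_t len, ptrdiff_t pos)
{
    const char *begin = buf, *cp;

    if (pos < 0 || (size_t)pos >= len)
        return -1;              /* would read before/after the allocation */
    cp = buf + pos;
    for (; cp != begin && *cp != '\n'; --cp)
        ;
    return cp - begin;
}

/* Hardened form (hypothetical, not gawk's): clamp the cursor into the
 * buffer, then scan with ordered comparisons and read buf[cp - 1] only
 * when cp >= 1. Returns the offset of the first byte of the line that
 * contains the (clamped) cursor. */
size_t line_start(const char *buf, size_t len, ptrdiff_t pos)
{
    size_t cp;

    if (len == 0)
        return 0;
    if (pos < 0)
        cp = 0;                 /* underflowed cursor, as in the trace */
    else if ((size_t)pos >= len)
        cp = len - 1;           /* overflowed cursor */
    else
        cp = (size_t)pos;

    while (cp > 0 && buf[cp - 1] != '\n')
        --cp;
    return cp;
}

/* Length of the line beginning at `start`, excluding its newline. */
size_t line_len(const char *buf, size_t len, size_t start)
{
    const char *nl = memchr(buf + start, '\n', len - start);
    return nl ? (size_t)(nl - (buf + start)) : len - start;
}

int main(void)
{
    /* Positions -1 and 3 are out-of-bounds cursors; 0..2 are valid. */
    for (ptrdiff_t pos = -1; pos <= (ptrdiff_t)SAMPLE_LEN; ++pos) {
        ptrdiff_t r = scan_back_reported_form(SAMPLE, SAMPLE_LEN, pos);
        size_t s = line_start(SAMPLE, SAMPLE_LEN, pos);
        printf("pos %2td: reported-form stop=%td  line_start=%zu  line=\"%.*s\"\n",
               pos, r, s, (int)line_len(SAMPLE, SAMPLE_LEN, s), SAMPLE + s);
    }
    return 0;
}
```

Building this with `-fsanitize=address` and removing the precondition in `scan_back_reported_form` reproduces the same class of report as the trace above (a one-byte read immediately left of the allocation); with the precondition or the clamped variant in place, ASan stays silent for every cursor position.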