[Bug 1775776] Re: GNU bc crashes on some inputs
Eduardo dos Santos Barretto
1775776 at bugs.launchpad.net
Tue Jun 11 19:20:06 UTC 2019
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bc in Ubuntu.
https://bugs.launchpad.net/bugs/1775776
Title:
GNU bc crashes on some inputs
Status in bc package in Ubuntu:
New
Status in bc package in Debian:
New
Bug description:
(We haven't found a way to report directly to the GNU bc maintainers,
therefore we report here; there are other crashes as well, but since I'm
not familiar with Launchpad I only report the two relevant ones in this thread.)
We fuzzed GNU bc 1.07 (1.07.1 also affected) and found 2 related
crashes when interpreting some input files (test_01.input.txt and
test_02.input.txt) with "bc < input_file", the gdb backtraces (also
attached as "*.gdb.txt") are as follows:
(test_01.gdb.txt)
Reading symbols from ../../../../bc-1.07-orig/install/bin/bc...done.
Starting program: /home/hongxu/FOT/test_c/bc-1.07-orig/install/bin/bc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
(standard_in) 13: syntax error
Runtime error (func=(main), adr=2): Function asanerange2_ not defined.
(standard_in) 15: Return outside of a function.
(standard_in) 19: Return outside of a function.
Runtime error (func=(main), adr=34): Parameter type mismatch, parameter cend.
Program received signal SIGSEGV, Segmentation fault.
0x000055555555de73 in process_params (progctr=0x555555769340 <pc>, func=0x1) at storage.c:1004
1004 if ((ch == '0') && params->av_name > 0)
#0 0x000055555555de73 in process_params (progctr=0x555555769340 <pc>, func=0x1) at storage.c:1004
#1 0x000055555555a7b4 in execute () at execute.c:157
#2 0x000055555555e6ee in run_code () at util.c:295
#3 0x0000555555555f23 in yyparse () at ../../bc/bc.y:134
#4 0x000055555555579a in main (argc=0x1, argv=0x7fffffffbcc8) at main.c:260
(test_02.gdb.txt)
Reading symbols from ../../../../bc-1.07-orig/install/bin/bc...done.
Starting program: /home/hongxu/FOT/test_c/bc-1.07-orig/install/bin/bc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
(standard_in) 48: syntax error
(standard_in) 49: syntax error
(standard_in) 51: syntax error
(standard_in) 51: syntax error
Runtime error (func=carccosh, adr=51): Parameter type mismatch parameter b__.
Program received signal SIGSEGV, Segmentation fault.
0x000055555555defd in process_params (progctr=0x555555769340 <pc>, func=0x2) at storage.c:1015
1015 if ((ch == '1') && (params->av_name < 0))
#0 0x000055555555defd in process_params (progctr=0x555555769340 <pc>, func=0x2) at storage.c:1015
#1 0x000055555555a7b4 in execute () at execute.c:157
#2 0x000055555555e6ee in run_code () at util.c:295
#3 0x0000555555555f23 in yyparse () at ../../bc/bc.y:134
#4 0x000055555555579a in main (argc=0x1, argv=0x7fffffffbcc8) at main.c:260
We can see that both errors are inside `process_params` at the branch
condition checking sites, lines 1004 and 1015, which correspond to heap
overflows according to AddressSanitizer.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: bc 1.07.1-2
ProcVersionSignature: Ubuntu 4.15.0-23.25-generic 4.15.18
Uname: Linux 4.15.0-23-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
CurrentDesktop: LXQt
Date: Fri Jun 8 14:42:03 2018
InstallationDate: Installed on 2016-03-04 (825 days ago)
InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
SourcePackage: bc
UpgradeStatus: Upgraded to bionic on 2018-05-13 (25 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bc/+bug/1775776/+subscriptions
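As an added example (not part of the bug report and not GNU bc code), the following Python script parses gdb output of the shape shown in the two backtraces above and buckets crash logs by signal and top stack frames. This is the triage step a maintainer would run over a fuzzer's crash directory to decide whether test_01 and test_02 are one defect or two. The sample logs are constructed to mirror the two traces in the report; addresses and binary paths are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample gdb logs, modelled on the two backtraces in the report.
# Paths and addresses are placeholders, not taken from a real run.
SAMPLE_LOGS = {
    "test_01.gdb.txt": """\
Starting program: /tmp/bc-build/bin/bc
(standard_in) 13: syntax error
Program received signal SIGSEGV, Segmentation fault.
0x000055555555de73 in process_params (progctr=0x555555769340 <pc>, func=0x1) at storage.c:1004
1004 if ((ch == '0') && params->av_name > 0)
#0  0x000055555555de73 in process_params (progctr=0x555555769340 <pc>, func=0x1) at storage.c:1004
#1  0x000055555555a7b4 in execute () at execute.c:157
#2  0x000055555555e6ee in run_code () at util.c:295
#3  0x0000555555555f23 in yyparse () at ../../bc/bc.y:134
#4  0x000055555555579a in main (argc=0x1, argv=0x7fffffffbcc8) at main.c:260
""",
    "test_02.gdb.txt": """\
Starting program: /tmp/bc-build/bin/bc
(standard_in) 48: syntax error
Program received signal SIGSEGV, Segmentation fault.
0x000055555555defd in process_params (progctr=0x555555769340 <pc>, func=0x2) at storage.c:1015
1015 if ((ch == '1') && (params->av_name < 0))
#0  0x000055555555defd in process_params (progctr=0x555555769340 <pc>, func=0x2) at storage.c:1015
#1  0x000055555555a7b4 in execute () at execute.c:157
#2  0x000055555555e6ee in run_code () at util.c:295
#3  0x0000555555555f23 in yyparse () at ../../bc/bc.y:134
#4  0x000055555555579a in main (argc=0x1, argv=0x7fffffffbcc8) at main.c:260
""",
    # A constructed non-crashing run: must not end up in any crash bucket.
    "test_03.gdb.txt": """\
Starting program: /tmp/bc-build/bin/bc
(standard_in) 2: syntax error
[Inferior 1 (process 4242) exited normally]
""",
}

# "Program received signal SIGSEGV, Segmentation fault."
SIGNAL_RE = re.compile(r"^Program received signal (\w+)")
# "#0  0x... in func (args) at path:line"  (the address part is optional)
FRAME_RE = re.compile(
    r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(\S+)\s+\(.*?\)\s+at\s+(\S+):(\d+)"
)


def parse_gdb_log(text):
    """Return the signal name (or None) and the list of (func, file, line) frames."""
    signal = None
    frames = []
    for line in text.splitlines():
        m = SIGNAL_RE.match(line)
        if m:
            signal = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group(2), m.group(3), int(m.group(4))))
    return {"signal": signal, "frames": frames}


def is_crash(parsed):
    """A log counts as a crash only if gdb reported a signal and a backtrace."""
    return parsed["signal"] is not None and bool(parsed["frames"])


def crash_signature(parsed, depth=3, with_lines=True):
    """Build a stable key from the signal and the top `depth` frames.

    with_lines=True separates crashes at different source lines;
    with_lines=False groups by function only, which is coarser but
    collapses variants of the same bug that trip at neighbouring checks.
    """
    parts = []
    for func, path, line in parsed["frames"][:depth]:
        fname = path.rsplit("/", 1)[-1]  # drop build-tree prefixes like ../../bc/
        parts.append(f"{func}@{fname}:{line}" if with_lines else f"{func}@{fname}")
    return (parsed["signal"] or "NO_SIGNAL") + "|" + ">".join(parts)


def bucket_crashes(logs, depth=3, with_lines=True):
    """Map crash signature -> list of log names; non-crashing runs are skipped."""
    buckets = defaultdict(list)
    for name, text in logs.items():
        parsed = parse_gdb_log(text)
        if not is_crash(parsed):
            continue
        buckets[crash_signature(parsed, depth, with_lines)].append(name)
    return dict(buckets)


if __name__ == "__main__":
    for sig, names in bucket_crashes(SAMPLE_LOGS).items():
        print(f"{sig}\n    {', '.join(names)}")
    print("function-only buckets:", bucket_crashes(SAMPLE_LOGS, with_lines=False))
```

With line numbers in the key the two crashes land in separate buckets (storage.c:1004 versus storage.c:1015); with function-only keys they collapse into a single process_params bucket, which matches the reporter's observation that both faults sit in the same function and are likely one underlying problem. The deeper frames are kept in the key so that an unrelated fault that merely passes through `execute` is not merged with these.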