
GNU Bison obprintf.c Assertion Failure Vulnerability (Variant) #113

@err2zero

Vulnerability Overview

Software: GNU Bison
Vulnerability Type: Assertion Failure leading to Denial of Service

Description

This report documents a variant of the GNU Bison obprintf.c assertion failure vulnerability. This variant is triggered by different input conditions but fails on the identical assertion, confirming the widespread nature of the buffer management issue in Bison's obstack implementation.

Technical Analysis

Stack Trace

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737351530368) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737351530368) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737351530368, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7dc8476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7dae7f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff7dae71b in __assert_fail_base (fmt=0x7ffff7f63130 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff7f63c08 "size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)", file=0x7ffff7f5f416 "obprintf.c", line=158, function=<optimized out>) at ./assert/assert.c:94
#6  0x00007ffff7dbfe96 in __GI___assert_fail (assertion=assertion@entry=0x7ffff7f63c08 "size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)", file=file@entry=0x7ffff7f5f416 "obprintf.c", line=line@entry=158, function=function@entry=0x7ffff7f67740 <__PRETTY_FUNCTION__.1> "__obstack_vprintf_internal") at ./assert/assert.c:103
#7  0x00007ffff7e0e81a in __obstack_vprintf_internal (obstack=0x5555558656c0 <obstack_for_string>, format=0x55555555fab8 "]b4_lhs_value(orig %d, ", args=args@entry=0x7fffffff8200, mode_flags=2) at ./libio/obprintf.c:158
#8  0x00007ffff7ebc353 in __obstack_printf_chk (obstack=<optimized out>, flag=<optimized out>, format=<optimized out>) at ./debug/obprintf_chk.c:34
#9  0x00005555555f8c8b in handle_action_dollar (rule=0x555555887bd0, text=<optimized out>, dollar_loc=<optimized out>) at src/scan-code.l:661
#10 code_lex (self=0x555555887c68, sc_context=<optimized out>) at src/scan-code.l:171
#11 translate_action (self=0x555555887c68, sc_context=<optimized out>) at src/scan-code.l:768
#12 0x00005555555f8c8b in code_props_translate_code (self=0x555555887c68)
#13 0x00005555555f0ffc in check_and_convert_grammar () at src/reader.c:1002
#14 reader (gram=<optimized out>) at src/reader.c:772
#15 0x00005555555a4f52 in main (argc=<optimized out>, argv=0x7fffffffdce8) at src/main.c:118

Variant Analysis

This variant exhibits the identical technical characteristics as the primary obprintf vulnerability:

Identical Assertion: size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)
Same Failure Location: obprintf.c:158 in __obstack_vprintf_internal
Same Call Chain: handle_action_dollar → obstack_printf_chk → assertion failure

Root Cause Confirmation

The identical stack trace confirms that this is the same underlying vulnerability in Bison's obstack buffer management. The fact that different input files can trigger the same assertion failure demonstrates:

  1. Systemic Issue: The buffer management problem is not tied to specific input patterns
  2. Multiple Trigger Paths: Various grammar constructs can expose the vulnerability
  3. Widespread Impact: The vulnerability affects different types of grammar files

Proof of Concept

The vulnerability variant can be triggered using the provided POC file:

File: POC_bison_obprintf_assertion_failure_variant (https://drive.google.com/file/d/1vaT0s1LChBK158jHycNIvedMQ6brdM3k/view?usp=drive_link)

Reproduction Steps:

  1. Execute: bison POC_bison_obprintf_assertion_failure_variant
  2. Observe the identical assertion failure as the primary vulnerability
  3. Verify the same SIGABRT signal generation

Expected Output:

bison: obprintf.c:158: __obstack_vprintf_internal: Assertion `size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)' failed.
Aborted (core dumped)
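The reproduction step and expected output above can be checked from a script rather than by reading the terminal. The following is an added example, not part of this report or of Bison: it runs bison on one grammar file and classifies the result as the obprintf.c:158 assertion, some other glibc assertion, a plain signal, an ordinary bison error, or success, so a reproducer (or a later fix) can be verified automatically. The `-o /dev/null` flag, the 30-second timeout and the `classify`/`run_bison` names are my assumptions.

```python
"""Triage helper for Bison runs that may hit the obprintf.c:158 assertion.
Added example (not part of the report or of Bison): runs `bison` on one
grammar file and classifies the outcome so a reproducer, or a fix, can be
checked from a script instead of by reading the terminal.
"""
import re
import signal
import subprocess
from dataclasses import dataclass
from typing import Optional

# Shape of the glibc assertion message shown under "Expected Output".
ASSERT_RE = re.compile(
    r"^bison: (?P<file>[\w./-]+):(?P<line>\d+): (?P<func>\w+): "
    r"Assertion `(?P<expr>[^']*)' failed\.$", re.M)

# Constructed copy of the report's expected stderr, used for the self-test.
SAMPLE_STDERR = ("bison: obprintf.c:158: __obstack_vprintf_internal: Assertion "
                 "`size == (new_f.ofile.file.file._IO_write_end - "
                 "new_f.ofile.file.file._IO_write_base)' failed.\n")

@dataclass
class Triage:
    verdict: str             # obprintf-assert | other-assert | signal | error | ok
    signo: Optional[int]     # signal number when bison was killed by one
    location: Optional[str]  # "file:line" of the assertion, if any

def classify(returncode: int, stderr: str) -> Triage:
    """Classify one bison run. subprocess reports death-by-signal as a
    negative code; a shell reports 128 + signo (134 for SIGABRT)."""
    sig = -returncode if returncode < 0 else (returncode - 128 if returncode > 128 else None)
    m = ASSERT_RE.search(stderr)
    if m and sig == signal.SIGABRT:
        loc = f"{m['file']}:{m['line']}"
        return Triage("obprintf-assert" if loc == "obprintf.c:158" else "other-assert", sig, loc)
    if sig is not None:
        return Triage("signal", sig, None)
    return Triage("ok" if returncode == 0 else "error", None, None)

def run_bison(grammar_path: str, bison: str = "bison", timeout: int = 30) -> Triage:
    """Run bison on grammar_path (assumed: `-o /dev/null` discards the parser) and triage."""
    proc = subprocess.run([bison, "-o", "/dev/null", grammar_path],
                          capture_output=True, text=True, timeout=timeout)
    return classify(proc.returncode, proc.stderr)

if __name__ == "__main__":
    print(classify(-signal.SIGABRT, SAMPLE_STDERR))  # verdict obprintf-assert, signo 6
```

Point `run_bison` at the POC file (or any grammar) to get a Triage record; the same `classify` function works on exit codes collected by a shell loop, since 134 is mapped to SIGABRT as well.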

Trigger Mechanism

Despite the different grammar structure, the vulnerability is triggered through the same mechanism:

  1. Grammar parsing reaches action code processing
  2. handle_action_dollar function processes $variable references
  3. Obstack buffer state becomes inconsistent during printf formatting
  4. Assertion failure occurs in obprintf.c:158

Credit

Xudong Cao (UCAS)
Yuqing Zhang (UCAS, Zhongguancun Laboratory)
