Description
GNU Bison aborts with a glibc heap-corruption error ("double free or corruption (out)") in the buffer management of its code scanner (the flex-generated scanner in src/scan-code.c) when it processes a crafted grammar file. The failing free() is reached from code_free, called by code__delete_buffer while translate_action tears down the scanner buffer for a rule action. The report attributes the abort to a double free; the observable result is heap corruption and a crash of the bison process. Heap corruption of this kind can in principle be turned into more than a denial of service, but only the abort has been demonstrated here, and the attacker must be able to feed the grammar file to bison (for example through a build that runs bison on untrusted input).
Technical Analysis
Stack Trace
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737351530368) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=140737351530368) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=140737351530368, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff7dc8476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff7dae7f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007ffff7e0f677 in __libc_message (action=do_abort, fmt="double free or corruption (out)")
#6 0x00007ffff7e26cfc in malloc_printerr (str="double free or corruption (out)")
#7 0x00007ffff7e28e70 in _int_free (av=0x7ffff7fa0c80 <main_arena>, p=0x55555587c480, have_lock=<optimized out>)
#8 0x00007ffff7e2b453 in __GI___libc_free (mem=<optimized out>)
#9 0x00005555555f8ffa in code_free (ptr=0x2781c5) at src/scan-code.c:2597
#10 code__delete_buffer (b=0x555555878f40) at src/scan-code.c:2086
#11 translate_action (self=0x555555886d38, sc_context=<optimized out>) at src/scan-code.l:769
#12 0x00005555555f8ffa in code_props_translate_code (self=0x555555886d38)
#13 0x00005555555f0ffc in check_and_convert_grammar () at src/reader.c:1002
#14 reader (gram=<optimized out>) at src/reader.c:772
#15 0x00005555555a4f52 in main (argc=<optimized out>, argv=0x7fffffffdce8) at src/main.c:118
Root Cause Analysis
The crash is raised by glibc's free() consistency checks while Bison tears down a scanner buffer in its code scanner. src/scan-code.c is generated by flex from src/scan-code.l; code__delete_buffer and code_free are the flex runtime routines yy_delete_buffer and yyfree under the scanner's code_ prefix, so the fault lies in how the scanner's buffers are created and released, not in the action text itself.
- Error location: src/scan-code.c:2597, in code_free
- Trigger location: src/scan-code.c:2086, in code__delete_buffer
- Error message: "double free or corruption (out)"
A caveat on the message: glibc prints the "(out)" variant when the chunk being freed has a size field that places its successor beyond the arena's top, i.e. when the chunk metadata is inconsistent. That check fires for a genuine double free, but equally for an earlier out-of-bounds write or a free() of a pointer that was never returned by malloc, so the message alone does not establish which of these happened. An AddressSanitizer or Valgrind run is what settles it.
Memory Lifecycle Issue
- Buffer creation: translate_action creates a code scanner buffer for the action code being translated
- Double release: according to the report, the same memory block is released more than once through code_free()
- Heap corruption: glibc detects the inconsistent heap metadata in free() and aborts the process
Call Chain Analysis
main() (src/main.c:118)
→ reader() (src/reader.c:772)
→ check_and_convert_grammar() (src/reader.c:1002)
→ code_props_translate_code()
→ translate_action() (src/scan-code.l:769)
→ code__delete_buffer() (src/scan-code.c:2086)
→ code_free() (src/scan-code.c:2597)
→ free() → malloc_printerr("double free or corruption (out)") → abort()
Proof of Concept
The crash can be reproduced with the provided PoC grammar file:
File: POC_bison_memory_corruption_doublefree
[https://drive.google.com/file/d/123Qe44FaC-GP88dWNl9-6H4jLWUcXYNZ/view?usp=drive_link]
Reproduction Steps:
- Run bison on the file:
bison POC_bison_memory_corruption_doublefree
- Observe the glibc "double free or corruption (out)" message followed by the abort
- Optional verification under Valgrind, which reports the invalid free() with its allocation and first-free stacks instead of the bare glibc abort:
valgrind bison POC_bison_memory_corruption_doublefree
Expected Output (captured with the input still under its AFL++ crash-directory name; the first two diagnostics are ordinary grammar errors, the abort follows them):
out/default/crashes/id:000002,sig:06,src:003081,time:18010535,execs:3380102,op:havoc,rep:3__dim2:109.196-200: error: invalid reference: '$lalr'
109 | ...$$$$$$$$$$lalr$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$...
| ^~~~~
out/default/crashes/id:000002,sig:06,src:003081,time:18010535,execs:3380102,op:havoc,rep:3__dim2:109.3-610: note: symbol not found in production: lalr
109 | | exp "*" exp { $$ = $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$...
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
double free or corruption (out)
Aborted (core dumped)
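Because the glibc message does not by itself distinguish a double free from an overflow or an invalid free, the following added triage script (not part of this report and not Bison's own code) builds Bison with AddressSanitizer, runs it on the PoC and classifies the resulting report. It assumes BISON_SRC points at a Bison source tree that already has a ./configure script, POC names the grammar file, the built binary lives at src/bison and the skeletons under data/ (hence BISON_PKGDATADIR), and that gcc or clang with ASan support is installed; the classifier's output labels are this example's own. Nothing is built or run unless BISON_SRC and POC are set, so the classifier can be sourced and used on an existing report on its own.

```shell
#!/bin/sh
# Added triage helper for the Bison scanner-buffer crash (example code, not
# from the report or from Bison). Assumed layout: $BISON_SRC/configure,
# $BISON_SRC/src/bison after the build, skeletons in $BISON_SRC/data.

# classify_report FILE
# Map a captured stderr file to the kind of memory error it documents.
# ASan categories are checked first; the bare glibc abort is reported as
# "unconfirmed" because "double free or corruption (out)" only says the
# freed chunk's size metadata was inconsistent with the arena.
classify_report() {
    if grep -q 'AddressSanitizer: attempting double-free' "$1"; then
        echo double-free
    elif grep -q 'AddressSanitizer: heap-buffer-overflow' "$1"; then
        echo heap-buffer-overflow
    elif grep -q 'AddressSanitizer: heap-use-after-free' "$1"; then
        echo heap-use-after-free
    elif grep -q 'AddressSanitizer: attempting free on address which was not malloc' "$1"; then
        echo bad-free
    elif grep -q 'double free or corruption' "$1"; then
        echo glibc-abort-unconfirmed
    else
        echo no-memory-error
    fi
}

# build_asan_bison DIR
# Configure and build Bison with ASan. -O1 keeps inlining low enough that
# the reported frames match the source; frame pointers give clean stacks.
build_asan_bison() {
    (
        cd "$1" || exit 1
        CC="${CC:-gcc}" \
        CFLAGS='-O1 -g -fsanitize=address -fno-omit-frame-pointer' \
        LDFLAGS='-fsanitize=address' \
        ./configure --disable-nls >/dev/null
        make -j"$(nproc)" >/dev/null
    )
}

# run_poc DIR POC OUT
# Run the uninstalled bison on POC, capture stderr in OUT and print the
# classification. detect_leaks=0 keeps leak noise out of the report;
# -o /dev/null discards any parser output if bison survives the input.
run_poc() {
    BISON_PKGDATADIR="$1/data" ASAN_OPTIONS=detect_leaks=0 \
        "$1/src/bison" -o /dev/null "$2" >"$3" 2>&1 || true
    classify_report "$3"
}

# Only act when the caller has pointed at a source tree and a PoC file.
if [ -n "${BISON_SRC:-}" ] && [ -n "${POC:-}" ]; then
    build_asan_bison "$BISON_SRC"
    run_poc "$BISON_SRC" "$POC" asan-report.txt
fi
```

Usage: BISON_SRC=/path/to/bison POC=POC_bison_memory_corruption_doublefree sh triage.sh. A result of double-free confirms the report's reading, with ASan's "freed by" and "previously allocated by" stacks naming the two code_free callers; heap-buffer-overflow or bad-free means the glibc abort was a downstream symptom of an earlier memory error and the root cause lies elsewhere in the scanner's buffer handling.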
Vulnerability Confirmation
The crash has been confirmed through:
- A GDB stack trace whose pattern is distinct from Bison's assertion-failure crashes
- Heap corruption detected by the glibc malloc implementation
- A different call path (code_free rather than obprintf), distinguishing it from the other reported crashes
- Reproducible memory corruption symptoms on the provided input
The abort reported here is a memory safety issue in the buffer management of Bison's code scanner, distinct from the obprintf assertion failure reported separately. It points to a flaw in how the scanner's buffers are owned and released, which an attacker who can supply a crafted grammar file could potentially exploit.
Credit
Xudong Cao (UCAS)
Yuqing Zhang (UCAS, Zhongguancun Laboratory)