## Description

GNU Bison contains a critical memory corruption vulnerability in its code scanner buffer management. When processing malicious grammar files, the program triggers a double free in the `code_free` function, leading to heap corruption and a program crash. This class of vulnerability has high exploitability potential and could be leveraged for arbitrary code execution.
## Technical Analysis

### Stack Trace

```
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737351530368) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737351530368) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737351530368, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7dc8476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7dae7f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff7e0f677 in __libc_message (action=do_abort, fmt="double free or corruption (out)")
#6  0x00007ffff7e26cfc in malloc_printerr (str="double free or corruption (out)")
#7  0x00007ffff7e28e70 in _int_free (av=0x7ffff7fa0c80 <main_arena>, p=0x55555587c480, have_lock=<optimized out>)
#8  0x00007ffff7e2b453 in __GI___libc_free (mem=<optimized out>)
#9  0x00005555555f8ffa in code_free (ptr=0x2781c5) at src/scan-code.c:2597
#10 code__delete_buffer (b=0x555555878f40) at src/scan-code.c:2086
#11 translate_action (self=0x555555886d38, sc_context=<optimized out>) at src/scan-code.l:769
#12 0x00005555555f8ffa in code_props_translate_code (self=0x555555886d38)
#13 0x00005555555f0ffc in check_and_convert_grammar () at src/reader.c:1002
#14 reader (gram=<optimized out>) at src/reader.c:772
#15 0x00005555555a4f52 in main (argc=<optimized out>, argv=0x7fffffffdce8) at src/main.c:118
```

### Root Cause Analysis

The vulnerability manifests as a classic double free in the heap management system. The issue occurs in Bison's code scanner buffer management:

- **Error Location**: `src/scan-code.c:2597` in the `code_free` function
- **Trigger Location**: `src/scan-code.c:2086` in the `code__delete_buffer` function
- **Error Message**: `"double free or corruption (out)"`

#### Memory Lifecycle Issue

1. **Buffer Creation**: Code scanning buffers are created during `translate_action`
2. **Double Release**: The same memory block is freed multiple times through `code_free()`
3. **Heap Corruption**: glibc detects heap structure corruption and aborts

### Call Chain Analysis

1. `main()` → `reader()` → `check_and_convert_grammar()`
2. `code_props_translate_code()` → `translate_action()` (src/scan-code.l:769)
3. `code__delete_buffer()` (src/scan-code.c:2086)
4. `code_free()` (src/scan-code.c:2597)
5. **Double free detected** → `malloc_printerr` → `abort()`

## Proof of Concept

The vulnerability can be reproduced using the provided POC file:

**File**: `POC_bison_memory_corruption_doublefree` [ https://drive.google.com/file/d/123Qe44FaC-GP88dWNl9-6H4jLWUcXYNZ/view?usp=drive_link ]

**Reproduction Steps**:

1. Execute: `bison POC_bison_memory_corruption_doublefree`
2. Observe the double free error and program crash
3. Optional verification with Valgrind: `valgrind bison POC_bison_memory_corruption_doublefree`

**Expected Output**:

```
out/default/crashes/id:000002,sig:06,src:003081,time:18010535,execs:3380102,op:havoc,rep:3__dim2:109.196-200: error: invalid reference: '$lalr'
  109 | ...$$$$$$$$$$lalr$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$...
      |              ^~~~~
out/default/crashes/id:000002,sig:06,src:003081,time:18010535,execs:3380102,op:havoc,rep:3__dim2:109.3-610: note: symbol not found in production: lalr
  109 | | exp "*" exp { $$ = $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$...
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
double free or corruption (out)
Aborted (core dumped)
```

## Vulnerability Confirmation

This vulnerability has been confirmed through:

- GDB stack trace analysis showing a crash pattern distinct from assertion failures
- Heap corruption detection by the glibc malloc implementation
- A different call path (`code_free` vs `obprintf`) distinguishing it from other crashes
- Reproducible memory corruption symptoms

The double free represents a critical memory safety issue in Bison's buffer management system, distinct from the obprintf assertion failure vulnerability.
This demonstrates poor resource lifecycle management that could potentially be exploited by attackers with carefully crafted input files.

### Credit

- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory)
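As an added illustration of the lifecycle problem described under Root Cause Analysis (a scanner buffer created in one step and released more than once), the following shows the single-owner release pattern that prevents the second free: the release routine takes the owning handle by address, frees once, and invalidates the handle so a redundant cleanup on an error path becomes a no-op. This is example code written for this page, not Bison's or flex's source; `code_buffer`, `buffer_create`, `buffer_release` and `translate_once` are constructed stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a scanner input buffer; not Bison's real type. */
typedef struct code_buffer {
    char *chars;   /* scanned action text, owned by the buffer */
    size_t len;
} code_buffer;

/* Counts real free() calls so a test can prove each block is released once. */
static int g_free_calls = 0;
static void counted_free(void *p) { if (p) { g_free_calls++; free(p); } }
int free_calls(void) { return g_free_calls; }

code_buffer *buffer_create(const char *text) {
    code_buffer *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->len = strlen(text);
    b->chars = malloc(b->len + 1);
    if (!b->chars) { free(b); return NULL; }
    memcpy(b->chars, text, b->len + 1);
    return b;
}

/* Hardened release: frees the buffer once and nulls the owner's handle, so a
 * later call on the same variable is a no-op instead of a second free.
 * Returns 1 if memory was released, 0 if the handle was already dead. */
int buffer_release(code_buffer **bp) {
    if (!bp || !*bp) return 0;
    counted_free((*bp)->chars);
    counted_free(*bp);
    *bp = NULL;
    return 1;
}

/* Models a translate step that owns its buffer for the call and has a normal
 * and an error exit; the extra cleanup on the error path cannot corrupt the
 * heap because the first release invalidated the handle.
 * Returns the action length, -1 on allocation failure, -2 on the error path. */
int translate_once(const char *action, int force_error) {
    code_buffer *b = buffer_create(action);
    if (!b) return -1;
    int rc = force_error ? -2 : (int)b->len;
    buffer_release(&b);                  /* the single intended release */
    if (force_error) buffer_release(&b); /* error-path cleanup: now a no-op */
    return rc;
}
```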