## Description

GNU Bison contains a critical assertion failure in the `__obstack_vprintf_internal` function at `obprintf.c:158`. When processing specially crafted grammar files containing malformed `$variable` references in semantic actions, the program trips the assertion and terminates immediately with SIGABRT.

## Technical Analysis

### Stack Trace

```
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737351530368) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737351530368) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737351530368, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7dc8476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7dae7f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff7dae71b in __assert_fail_base (fmt=0x7ffff7f63130 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff7f63c08 "size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)", file=0x7ffff7f5f416 "obprintf.c", line=158, function=<optimized out>) at ./assert/assert.c:94
#6  0x00007ffff7dbfe96 in __GI___assert_fail (assertion=assertion@entry=0x7ffff7f63c08 "size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)", file=file@entry=0x7ffff7f5f416 "obprintf.c", line=line@entry=158, function=function@entry=0x7ffff7f67740 <__PRETTY_FUNCTION__.1> "__obstack_vprintf_internal") at ./assert/assert.c:103
#7  0x00007ffff7e0e81a in __obstack_vprintf_internal (obstack=0x5555558656c0 <obstack_for_string>, format=0x55555555fab8 "]b4_lhs_value(orig %d, ", args=args@entry=0x7fffffff8200, mode_flags=2) at ./libio/obprintf.c:158
#8  0x00007ffff7ebc353 in __obstack_printf_chk (obstack=<optimized out>, flag=<optimized out>, format=<optimized out>) at ./debug/obprintf_chk.c:34
#9  0x00005555555f8c8b in handle_action_dollar (rule=0x555555887510, text=<optimized out>, dollar_loc=<optimized out>) at src/scan-code.l:661
#10 code_lex (self=0x5555558875a8, sc_context=<optimized out>) at src/scan-code.l:171
#11 translate_action (self=0x5555558875a8, sc_context=<optimized out>) at src/scan-code.l:768
#12 0x00005555555f8c8b in code_props_translate_code (self=0x5555558875a8)
#13 0x00005555555f0ffc in check_and_convert_grammar () at src/reader.c:1002
#14 reader (gram=<optimized out>) at src/reader.c:772
#15 0x00005555555a4f52 in main (argc=<optimized out>, argv=0x7fffffffdce8) at src/main.c:118
```

### Root Cause Analysis

The vulnerability lies in Bison's use of its obstack (object stack) string buffer during grammar processing. While translating a semantic action, `handle_action_dollar` (src/scan-code.l:661) calls `obstack_printf` to append formatted text to the obstack; the format string visible in frame #7 is `"]b4_lhs_value(orig %d, "`. The call fails inside glibc's implementation, `__obstack_vprintf_internal` in libio/obprintf.c, when the obstack's internal state is found to be inconsistent:

**Failed Assertion**: `size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)`

The assertion checks that the distance between the `_IO_write_base` and `_IO_write_end` pointers of the stream glibc builds on top of the obstack equals the buffer size it expects. The mismatch indicates that the obstack's pointer bookkeeping was inconsistent at the time of the `obstack_printf` call, so the assertion site is where the inconsistency is detected, not necessarily where it originates; the obstack manipulation on the Bison side of the call chain (frames #9 to #13) is where the defect should be looked for.

### Call Chain Analysis

1. `main()` → `reader()` → `check_and_convert_grammar()`
2. `code_props_translate_code()` → `translate_action()`
3. `code_lex()` → `handle_action_dollar()` (src/scan-code.l:661)
4. `__obstack_printf_chk()` → `__obstack_vprintf_internal()`
5. **Assertion failure** at obprintf.c:158

## Proof of Concept

The vulnerability can be triggered with the provided POC file:

**File**: `POC_bison_obprintf_assertion_failure` ([download](https://drive.google.com/file/d/1iId0E6HVYNwqLsS5nARQexj5TQqzcnej/view?usp=drive_link))

**Reproduction Steps**:

1. Execute: `bison POC_bison_obprintf_assertion_failure`
2. Observe the assertion failure and program crash
3. Verify that the SIGABRT signal is generated

**Expected Output**:

```
bison: obprintf.c:158: __obstack_vprintf_internal: Assertion `size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)' failed.
Aborted (core dumped)
```

## Vulnerability Confirmation

This vulnerability has been confirmed through:

- GDB stack trace analysis showing a consistent crash location
- Multiple POC files triggering the identical assertion failure
- Reproducible crashes across different input variations

The assertion failure demonstrates a fundamental buffer management issue in Bison's core grammar processing logic. The demonstrated impact is a crash (denial of service) of the `bison` process when it is fed an untrusted grammar file, which makes this a legitimate security vulnerability affecting program reliability.

### Credit

Xudong Cao (UCAS)

Yuqing Zhang (UCAS, Zhongguancun Laboratory)
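A crash-triage helper for the reproduction steps in the Proof of Concept section above, added here as an example and not part of the original report or of Bison: it runs a command on a grammar file, tells a SIGABRT apart from other exits by the shell's 128+signal status convention, and extracts the "file:line: function" assertion site from glibc's message so crashes from a fuzzing run can be bucketed. `classify_run` and `assertion_site` are hypothetical names, and `SAMPLE_MSG` is a constructed copy of the report's expected-output line.

```shell
#!/bin/sh
# Crash-triage helper (added example, not part of the report or of Bison).
# classify_run runs a command and prints one of:
#   abort-assertion  killed by SIGABRT with a glibc "Assertion ... failed." on stderr
#   abort-other      killed by SIGABRT without such a message
#   exit:<n>         any other exit status (0 means the input did not crash it)
# A POSIX shell reports a child killed by signal N as status 128+N, so
# SIGABRT (6) shows up as 134; that is the status behind "Aborted (core dumped)".
classify_run() {
    err_file=$(mktemp)
    status=0
    "$@" >/dev/null 2>"$err_file" || status=$?
    if [ "$status" -eq 134 ]; then
        if grep -q 'Assertion .* failed\.' "$err_file"; then
            result=abort-assertion
        else
            result=abort-other
        fi
    else
        result="exit:$status"
    fi
    rm -f "$err_file"
    printf '%s\n' "$result"
}

# assertion_site reads a glibc assertion message on stdin and prints the
# "file:line: function" part, so crashes can be bucketed by assertion site
# rather than by the full (often long) assertion expression.
assertion_site() {
    sed -n 's/^[^:]*: \([^:]*:[0-9]*: [^:]*\): Assertion .*/\1/p' | head -n 1
}

# Constructed sample, shaped exactly like the report's expected-output line.
SAMPLE_MSG="bison: obprintf.c:158: __obstack_vprintf_internal: Assertion \`size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)' failed."

# Usage against the report's reproduction step, when a grammar file is given:
#   ./triage.sh POC_bison_obprintf_assertion_failure
if [ "$#" -gt 0 ]; then
    printf 'result: %s\n' "$(classify_run bison "$1")"
    printf 'site:   %s\n' "$(bison "$1" 2>&1 >/dev/null | assertion_site)"
fi
```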