
GNU Bison obprintf.c Assertion Failure #114

@err2zero

Description


Running Bison on a crafted grammar file aborts with an assertion failure in glibc's __obstack_vprintf_internal (libio/obprintf.c:158), the implementation behind obstack_printf. The assertion fires while Bison's scanner is translating a rule action that contains $ references (handle_action_dollar in src/scan-code.l), and the process is terminated with SIGABRT. The observable impact is a controlled abort of the bison run (a denial of service when bison is fed an untrusted grammar file); the trace below shows no memory corruption.

Technical Analysis

Stack Trace

#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737351530368) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=140737351530368) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=140737351530368, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff7dc8476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff7dae7f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007ffff7dae71b in __assert_fail_base (fmt=0x7ffff7f63130 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff7f63c08 "size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)", file=0x7ffff7f5f416 "obprintf.c", line=158, function=<optimized out>) at ./assert/assert.c:94
#6 0x00007ffff7dbfe96 in __GI___assert_fail (assertion=assertion@entry=0x7ffff7f63c08 "size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)", file=file@entry=0x7ffff7f5f416 "obprintf.c", line=line@entry=158, function=function@entry=0x7ffff7f67740 <__PRETTY_FUNCTION__.1> "__obstack_vprintf_internal") at ./assert/assert.c:103
#7 0x00007ffff7e0e81a in __obstack_vprintf_internal (obstack=0x5555558656c0 <obstack_for_string>, format=0x55555555fab8 "]b4_lhs_value(orig %d, ", args=args@entry=0x7fffffff8200, mode_flags=2) at ./libio/obprintf.c:158
#8 0x00007ffff7ebc353 in __obstack_printf_chk (obstack=<optimized out>, flag=<optimized out>, format=<optimized out>) at ./debug/obprintf_chk.c:34
#9 0x00005555555f8c8b in handle_action_dollar (rule=0x555555887510, text=<optimized out>, dollar_loc=<optimized out>) at src/scan-code.l:661
#10 code_lex (self=0x5555558875a8, sc_context=<optimized out>) at src/scan-code.l:171
#11 translate_action (self=0x5555558875a8, sc_context=<optimized out>) at src/scan-code.l:768
#12 0x00005555555f8c8b in code_props_translate_code (self=0x5555558875a8)
#13 0x00005555555f0ffc in check_and_convert_grammar () at src/reader.c:1002
#14 reader (gram=<optimized out>) at src/reader.c:772
#15 0x00005555555a4f52 in main (argc=<optimized out>, argv=0x7fffffffdce8) at src/main.c:118

Root Cause Analysis

The assertion is not in Bison's own code: obprintf.c is glibc's libio implementation of obstack_printf, and frames #7 and #8 above are glibc as well. Bison's part of the chain is handle_action_dollar (src/scan-code.l:661), which appends the translation of a $$ reference to obstack_for_string, the obstack in which the scanner accumulates the translated action code, by calling obstack_printf with the format "]b4_lhs_value(orig %d, ".

Failed Assertion: size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)

__obstack_vprintf_internal formats into a temporary FILE laid over the obstack's current chunk. It computes size as obstack_object_size (obstack) + obstack_room (obstack), i.e. the span from the start of the growing object to the end of the chunk, initialises the FILE's write buffer with that span, and then asserts that the buffer pointers it just set up cover exactly size bytes. The check failing means the two computations disagree about the span, not that a pointer in the obstack was overwritten. In glibc, size is an int while the buffer setup works in size_t, so the usual way to reach this assertion is an obstack object of more than INT_MAX bytes (2 GiB): size goes negative, the buffer initialisation receives a huge length, and the comparison fails. Whether the PoC does exactly that cannot be confirmed from the trace alone; the check to make is p obstack_for_string.next_free - obstack_for_string.object_base in gdb, which should come out above 2^31 if so.
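As an added example (not code from this report or from Bison), the following C program shows the accounting the failing assertion is about: obstack_printf appends to the object currently growing on an obstack, and glibc sizes its temporary buffer from obstack_object_size plus obstack_room. The hypothetical obstack_span_fits_int predicate checks that pre-condition, guarded_obstack_printf refuses the call instead of letting glibc assert, and translate_action mimics only the shape of Bison's handling of $$ using the format string from the trace (the integer argument is a placeholder; $n references and Bison's type handling are not modelled). It needs glibc, since obstack_printf is a GNU extension.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <obstack.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* obstack.h needs the caller to say how chunks are allocated. */
#define obstack_chunk_alloc malloc
#define obstack_chunk_free free

/* glibc's __obstack_vprintf_internal stores
 * obstack_object_size () + obstack_room () in an `int` and then sets up a
 * FILE buffer of that length using size_t arithmetic; the obprintf.c:158
 * assertion compares the two.  This predicate (an assumption of this
 * example, not a glibc API) is the pre-condition under which they can
 * agree: the span must fit in a non-negative int. */
int obstack_span_fits_int(size_t object_size, size_t room)
{
    return room <= (size_t) INT_MAX && object_size <= (size_t) INT_MAX - room;
}

/* Hypothetical wrapper: like obstack_printf, but returns -1 and leaves the
 * obstack untouched when the current span is too large for glibc's int
 * arithmetic, instead of letting glibc abort inside the call. */
int guarded_obstack_printf(struct obstack *ob, const char *fmt, ...)
{
    if (!obstack_span_fits_int(obstack_object_size(ob), obstack_room(ob)))
        return -1;
    va_list ap;
    va_start(ap, fmt);
    int n = obstack_vprintf(ob, fmt, ap);
    va_end(ap);
    return n;
}

/* Shape of Bison's action translation, reduced to the one case in the trace:
 * literal text is grown byte by byte and each `$$` becomes the m4 call
 * "]b4_lhs_value(orig %d, " (the %d argument is a placeholder here).
 * Returns a malloc'd string, or NULL if the guard refused. */
char *translate_action(const char *action)
{
    struct obstack ob;
    obstack_init(&ob);
    for (const char *p = action; *p; p++) {
        if (p[0] == '$' && p[1] == '$') {
            if (guarded_obstack_printf(&ob, "]b4_lhs_value(orig %d, ", 0) < 0) {
                obstack_free(&ob, NULL);
                return NULL;
            }
            p++;                       /* skip the second '$' */
        } else {
            obstack_1grow(&ob, *p);
        }
    }
    obstack_1grow(&ob, '\0');
    char *result = strdup(obstack_finish(&ob));
    obstack_free(&ob, NULL);           /* release every chunk */
    return result;
}

int main(void)
{
    char *s = translate_action("{ $$ = $1; }");
    printf("%s\n", s ? s : "(refused)");
    free(s);
    return 0;
}
```

The guard is cheap (two macro reads) and turns a process abort deep inside libc into an error return the caller can report; it is the kind of check that belongs in front of any obstack_printf that accumulates attacker-sized input.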

Call Chain Analysis

  1. main() -> reader() -> check_and_convert_grammar()
  2. code_props_translate_code() -> translate_action()
  3. code_lex() -> handle_action_dollar() (src/scan-code.l:661)
  4. __obstack_printf_chk() -> __obstack_vprintf_internal() (glibc)
  5. Assertion failure at libio/obprintf.c:158

Proof of Concept

The crash can be triggered with the provided PoC file:

File: POC_bison_obprintf_assertion_failure (https://drive.google.com/file/d/1iId0E6HVYNwqLsS5nARQexj5TQqzcnej/view?usp=drive_link)

Reproduction Steps:

  1. Execute: bison POC_bison_obprintf_assertion_failure
  2. Observe the assertion message and the abort
  3. Verify the process died from SIGABRT: the shell reports exit status 134 (128 + 6) and prints "Aborted (core dumped)"

Expected Output:

bison: obprintf.c:158: __obstack_vprintf_internal: Assertion `size == (new_f.ofile.file.file._IO_write_end - new_f.ofile.file.file._IO_write_base)' failed.
Aborted (core dumped)
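Added triage helper, not part of the report: a small POSIX sh script that runs a command, keeps its stderr, and classifies how it ended. POSIX shells report a child killed by a signal as 128 + signo, so the SIGABRT raised by assert() appears as exit status 134; a grep of the captured stderr then separates an assert() abort (which prints the "Assertion ... failed" line) from other abort() callers. The function names and log file name are this example's own.

```shell
#!/bin/sh
# classify_exit STATUS -> prints ok | SIGABRT | SIGSEGV | signal N | error N
classify_exit() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        sig=$((status - 128))
        case "$sig" in
            6)  echo "SIGABRT" ;;
            11) echo "SIGSEGV" ;;
            *)  echo "signal $sig" ;;
        esac
    else
        echo "error $status"
    fi
}

# run_case LOGFILE CMD... -> runs CMD with stdout discarded and stderr kept in
# LOGFILE, then prints the classification.  The `|| status=$?` form keeps the
# function usable under `set -e`.
run_case() {
    log=$1; shift
    status=0
    "$@" >/dev/null 2>"$log" || status=$?
    classify_exit "$status"
}

# assertion_line LOGFILE -> prints the first glibc assertion message logged,
# or nothing if the abort did not come from assert().
assertion_line() {
    grep 'Assertion .* failed' "$1" | head -n 1
}

# Usage against the PoC from this report (requires bison and the PoC file):
#   run_case bison.err bison POC_bison_obprintf_assertion_failure   # prints SIGABRT
#   assertion_line bison.err                                        # prints the obprintf.c:158 line
```

Running this over a directory of fuzzer outputs gives a quick split between assertion aborts, signal crashes (which deserve a memory-safety look) and ordinary parse errors.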

Crash Confirmation

The crash has been confirmed through:

  • GDB stack trace analysis showing a consistent crash location
  • Multiple PoC files triggering the identical assertion failure
  • Reproducible crash across different input variations

What the assertion demonstrates is a size-accounting limit inside glibc's obstack_printf being reached from Bison's action translation. It is a reliability issue (a controlled abort via assert, exit status 134) rather than a memory-safety bug, and the practical impact is limited to denying the bison run on an attacker-supplied grammar file.

Credit

Xudong Cao (UCAS)
Yuqing Zhang (UCAS, Zhongguancun Laboratory)
