Date:      Sat, 09 Jul 2022 20:21:22 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 265119] bmake ParseDependency() can read off the end of its input buffer
Message-ID:  <bug-265119-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265119

            Bug ID: 265119
           Summary: bmake ParseDependency() can read off the end of its
                    input buffer
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: misc
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 235154
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=235154&action=edit
A makefile filled with garbage that illustrates a bug in bmake.

In this code in bmake's parse.c:

static GNodeType
ParseDependencyOp(char **pp)
{
        if (**pp == '!')
                return (*pp)++, OP_FORCE;
        if ((*pp)[1] == ':')
                return *pp += 2, OP_DOUBLEDEP;
        else
                return (*pp)++, OP_DEPENDS;
}

If bmake's parser has reached the end of the input, so that
**pp == '\0', then it executes the last line, incrementing *pp and
causing the parser to venture into the unknown.

I'm using a recent FreeBSD-current, on amd64, and /usr/src/contrib/bmake
says _MAKE_VERSION=20220208

You can see the problem by compiling bmake with -fsanitize=address,
and running it against the attached (broken) Makefile:

% ./bmake -f bmake4b.out
make: "bmake4b.out" line 2: Invalid line type
make: "bmake4b.out" line 4: Unclosed variable ""
=================================================================
==92690==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000008d34 at pc 0x0000011866c5 bp 0x7fffffffe200 sp 0x7fffffffe1f8
READ of size 1 at 0x602000008d34 thread T0
    #0 0x11866c4 in ParseDependencyOp contrib/bmake/parse.c:1117:6
    #1 0x11858fd in ParseDependency contrib/bmake/parse.c:1480:26
    #2 0x1182685 in ParseDependencyLine contrib/bmake/parse.c:2821:2
    #3 0x117b780 in ParseLine contrib/bmake/parse.c:2872:2
    #4 0x117aa02 in Parse_File contrib/bmake/parse.c:2897:4
    #5 0x115fe72 in ReadMakefile contrib/bmake/main.c:1709:3
    #6 0x115f74f in ReadAllMakefiles contrib/bmake/main.c:1300:8
    #7 0x11574fd in main_ReadFiles contrib/bmake/main.c:1516:3
    #8 0x1156946 in main contrib/bmake/main.c:1645:2
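As an added illustration, not part of the bug report and not bmake's source or its eventual fix: the quoted ParseDependencyOp beside a hardened variant that refuses to step past the NUL terminator, with a small harness that runs each one over a zero-padded copy of an empty line and reports how many bytes it consumed. The GNodeType values, ParseDependencyOpChecked and consume() are assumptions made for this demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Stand-ins for bmake's GNodeType (names from the report, values made up). */
typedef enum { OP_NONE = 0, OP_DEPENDS = 1, OP_FORCE = 2, OP_DOUBLEDEP = 4 } GNodeType;

/* The function as quoted in the report: no check for the end of the line. */
static GNodeType
ParseDependencyOp(char **pp)
{
	if (**pp == '!')
		return (*pp)++, OP_FORCE;
	if ((*pp)[1] == ':')
		return *pp += 2, OP_DOUBLEDEP;
	else
		return (*pp)++, OP_DEPENDS;
}

/* Illustrative hardening (not bmake's own fix): never consume the NUL, and peek at the second byte only after a ':'. */
static GNodeType
ParseDependencyOpChecked(char **pp)
{
	if (**pp == '!')
		return (*pp)++, OP_FORCE;
	if (**pp == ':' && (*pp)[1] == ':')
		return *pp += 2, OP_DOUBLEDEP;
	if (**pp == ':')
		return (*pp)++, OP_DEPENDS;
	return OP_NONE;	/* end of line or not an operator: caller reports a syntax error */
}

/* Run a parser over a zero-padded copy of input and return the bytes consumed; padding keeps this experiment free of OOB reads. */
static size_t
consume(GNodeType (*op)(char **), const char *input, GNodeType *out)
{
	char buf[64] = {0};
	char *p = buf;
	strncpy(buf, input, sizeof buf - 2);
	*out = op(&p);
	return (size_t)(p - buf);
}

int main(void)
{
	GNodeType t;
	size_t n = consume(ParseDependencyOp, "", &t);
	printf("ParseDependencyOp consumed %zu byte(s) of an empty line\n", n);
	return 0;
}
```

On an empty line the quoted function advances one byte past the terminator, which is the read AddressSanitizer flags above; the checked variant consumes nothing and lets the caller report an error.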
