Date: Sun, 13 Jul 2008 20:17:58 GMT
From: Bruce Cran <bruce@cran.org.uk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/125585: yacc(1) - out of bounds stack access bug
Message-ID: <200807132017.m6DKHvTB069901@www.freebsd.org>
Resent-Message-ID: <200807132020.m6DKK2SA099908@freefall.freebsd.org>
>Number:         125585
>Category:       bin
>Synopsis:       yacc(1) - out of bounds stack access bug
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 13 20:20:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Bruce Cran
>Release:        8.0-CURRENT
>Organization:
>Environment:
FreeBSD mac.draftnet 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Fri Jun 13 04:16:23 BST 2008     brucec@mac.draftnet:/usr/obj/usr/src/sys/GENERIC  powerpc
>Description:
Otto Moerbeek found a bug in OpenBSD's yacc(1) (http://undeadly.org/cgi?action=article&sid=20080708155228) which looks like it might be present in FreeBSD's version too.

From the cvs log:

Modified files:
	usr.bin/yacc   : skeleton.c

Log message:
Fix a venerable bug: if we're reducing a rule that has an empty right hand side and the yacc stack pointer is pointing at the very end of the allocated stack, we end up accessing the stack out of bounds by the implicit $$ = $1 action. Detected by my new malloc, experienced by sturm@ on sparc64; ok deraadt@

The diff in OpenBSD can be seen at http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/yacc/skeleton.c.diff?r1=1.28&r2=1.29
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
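Added example, not code from this report or from either BSD's skeleton.c: a small C simulation of the reduce prologue the log message describes, with an explicit bounds check standing in for the real out-of-bounds read. The "fixed" variant assumes the shape of the OpenBSD change (skip the $1 read when the rule has an empty right-hand side); the struct, function names and the tiny stack size are constructed for the demonstration.

```c
/* Constructed simulation of the yacc(1) reduce step from the report; not the
 * FreeBSD or OpenBSD skeleton.c source. YYSTACKSIZE is tiny on purpose. */
#include <stddef.h>
#include <string.h>
#define YYSTACKSIZE 4
typedef int YYSTYPE;
struct yystack {
    YYSTYPE vals[YYSTACKSIZE];
    YYSTYPE *yyvsp;              /* current top of the value stack */
};
/* Does yyvsp[off] lie inside the allocated stack? (index math, no UB) */
static int in_bounds(const struct yystack *s, ptrdiff_t off)
{
    ptrdiff_t idx = (s->yyvsp - s->vals) + off;
    return idx >= 0 && idx < YYSTACKSIZE;
}
/* Unfixed prologue: the implicit $$ = $1 is yyval = yyvsp[1 - yym]. For an
 * empty rule yym == 0, so it reads yyvsp[1], one slot past the top. Rather
 * than perform an out-of-bounds read, report it by returning 0. */
static int reduce_unfixed(const struct yystack *s, int yym, YYSTYPE *yyval)
{
    if (!in_bounds(s, 1 - yym))
        return 0;
    *yyval = s->yyvsp[1 - yym];
    return 1;
}
/* Prologue with an OpenBSD-style guard (assumed shape): read $1 only when the
 * rule has a right-hand side; an empty rule gets $$ zeroed instead. */
static int reduce_fixed(const struct yystack *s, int yym, YYSTYPE *yyval)
{
    if (yym == 0) {
        memset(yyval, 0, sizeof *yyval);
        return 1;
    }
    return reduce_unfixed(s, yym, yyval);   /* $1 exists, same read as before */
}
/* Top of stack at the last allocated slot, reducing a rule with yym symbols
 * on its right-hand side. 1: only the unfixed path goes out of bounds;
 * 2: both stay in bounds and agree; 0: anything else. */
int reduce_at_stack_end(int yym)
{
    struct yystack s;
    YYSTYPE v1 = -1, v2 = -1;
    for (int i = 0; i < YYSTACKSIZE; i++)
        s.vals[i] = i + 10;
    s.yyvsp = &s.vals[YYSTACKSIZE - 1];
    int u = reduce_unfixed(&s, yym, &v1), f = reduce_fixed(&s, yym, &v2);
    if (!u && f)
        return 1;
    return (u && f && v1 == v2) ? 2 : 0;
}
```

With a real allocator that places the stack at the end of a page or poisons the byte after it, the yym == 0 read is the access the log message says was detected.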
