From owner-freebsd-bugs@FreeBSD.ORG Sun Jul 13 20:20:03 2008
Message-Id: <200807132017.m6DKHvTB069901@www.freebsd.org>
Date: Sun, 13 Jul 2008 20:17:58 GMT
From: Bruce Cran
To: freebsd-gnats-submit@FreeBSD.org
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Subject: bin/125585: yacc(1) - out of bounds stack access bug
List-Id: Bug reports

>Number:         125585
>Category:       bin
>Synopsis:       yacc(1) - out of bounds stack access bug
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 13 20:20:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Bruce Cran
>Release:        8.0-CURRENT
>Organization:
>Environment:
FreeBSD mac.draftnet 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Fri Jun 13 04:16:23 BST 2008     brucec@mac.draftnet:/usr/obj/usr/src/sys/GENERIC  powerpc
>Description:
Otto Moerbeek found a bug in OpenBSD's yacc(1)
(http://undeadly.org/cgi?action=article&sid=20080708155228) which looks
like it might be present in FreeBSD's version too. From the cvs log:

Modified files:
        usr.bin/yacc   : skeleton.c

Log message:
Fix a venerable bug: if we're reducing a rule that has an empty right
hand side and the yacc stackpointer is pointing at the very end of the
allocated stack, we end up accessing the stack out of bounds by the
implicit $$ = $1 action. Detected by my new malloc, experienced by
sturm@ on sparc64; ok deraadt@

The diff in OpenBSD can be seen at
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/yacc/skeleton.c.diff?r1=1.28&r2=1.29
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
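The mechanism described in the OpenBSD log message, as an added example that is not part of the PR and not code from OpenBSD's or FreeBSD's skeleton.c: a byacc-style parser keeps a value stack yyvs[] with yyvsp pointing at the top element, and on every reduction does the implicit `$$ = $1` as `yyval = yyvsp[1-yym]`, where yym is the number of right-hand-side symbols of the rule. For an empty rule yym is 0, so the read is yyvsp[1], one slot above the top; when yyvsp already sits on the last allocated element that slot is outside the stack. The example below models the index arithmetic with a constructed four-element stack (YYSTACKSIZE, the sample values and the function names are the example's own), reports when the implicit read would leave the allocation, and shows a guarded reduce that only copies $1 when the rule actually has a $1. The guard's shape (zero yyval for an empty rule) is an assumption about a reasonable fix and is not quoted from the r1.29 diff.

```c
/* Added example: models the reduce step of a byacc-style skeleton.c.
 * Constructed stand-in for a yacc-generated parser, not OpenBSD's or
 * FreeBSD's code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define YYSTACKSIZE 4          /* tiny stack so the last slot is easy to reach (assumption) */

typedef int YYSTYPE;            /* semantic value type; yacc's default is int */

/* Index within yyvs[] that the implicit "$$ = $1" reads: mirrors the
 * skeleton's yyvsp[1-yym], with sp_index = yyvsp - yyvs (0-based). */
static ptrdiff_t implicit_dollar1_index(ptrdiff_t sp_index, int yym)
{
    return sp_index + 1 - yym;
}

/* Returns 1 if the implicit read would fall outside the allocated stack. */
static int reduce_reads_out_of_bounds(ptrdiff_t sp_index, int yym, size_t stacksize)
{
    ptrdiff_t idx = implicit_dollar1_index(sp_index, yym);
    return idx < 0 || (size_t)idx >= stacksize;
}

/* Guarded reduce: copy $1 only when the rule has a non-empty right-hand
 * side. An empty rule has no $1, so $$ starts out zeroed instead of
 * being read from one slot past the top (assumed fix shape). */
static YYSTYPE reduce_guarded(const YYSTYPE *yyvs, ptrdiff_t sp_index, int yym)
{
    YYSTYPE yyval;
    if (yym > 0)
        yyval = yyvs[sp_index + 1 - yym];
    else
        memset(&yyval, 0, sizeof yyval);
    return yyval;
}

/* Drive reduce_guarded() over a constructed, full value stack with the
 * stack pointer on the last element, for a rule of yym RHS symbols. */
static YYSTYPE sample_reduce(int yym)
{
    YYSTYPE yyvs[YYSTACKSIZE] = { 10, 20, 30, 40 };   /* constructed sample values */
    ptrdiff_t sp_index = YYSTACKSIZE - 1;            /* yyvsp == &yyvs[YYSTACKSIZE-1] */
    return reduce_guarded(yyvs, sp_index, yym);
}

int main(void)
{
    ptrdiff_t sp_index = YYSTACKSIZE - 1;
    int yym;

    for (yym = 0; yym <= 2; yym++) {
        printf("yym=%d: implicit $1 index %td, out of bounds: %s, guarded $$ = %d\n",
               yym, implicit_dollar1_index(sp_index, yym),
               reduce_reads_out_of_bounds(sp_index, yym, YYSTACKSIZE) ? "yes" : "no",
               sample_reduce(yym));
    }
    return 0;
}
```

The out-of-bounds case is only the combination of yym == 0 and a full stack; an empty rule reduced with the stack pointer anywhere below the top reads a stale but in-bounds slot, which is why the bug stayed hidden until a malloc that places allocations at page ends made the extra read fault.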