Stack Overflow in HandleNode()

[fumfel]

Stack Overflow in HandleNode()

Git HEAD: 86c69bb

Payload

To reproduce: cat yaml_stack_overflow | parse

ASAN:

==23331==ERROR: AddressSanitizer: stack-overflow on address 0x7ffec5d6bfc8 (pc 0x0000004bc0ba bp 0x7ffec5d6c830 sp 0x7ffec5d6bfd0 T0)
    #0 0x4bc0b9 in __asan_memcpy /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3
    #1 0x51c2ba in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:56:15
    #2 0x520e7d in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:199:5
    #3 0x51d688 in YAML::SingleDocParser::HandleSequence(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:143:7
    #4 0x51d688 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:98
    #5 0x525da0 in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:330:3
    #6 0x51d8b7 in YAML::SingleDocParser::HandleMap(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:226:7
    #7 0x51d8b7 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:121
    ===================================================== SNIP! =====================================================
    #369 0x51d688 in YAML::SingleDocParser::HandleSequence(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:143:7
    #370 0x51d688 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:98
    #371 0x525da0 in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:330:3
    #372 0x51d8b7 in YAML::SingleDocParser::HandleMap(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:226:7
    #373 0x51d8b7 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:121
    #374 0x520e7d in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:199:5
    #375 0x51d688 in YAML::SingleDocParser::HandleSequence(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:143:7
    #376 0x51d688 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) XYZ/yaml-cpp/src/singledocparser.cpp:98

SUMMARY: AddressSanitizer: stack-overflow /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3 in __asan_memcpy
==23331==ABORTING

[jbeder]

Thanks for the report.

[fgeek]

CVE-2017-5950 has been assigned for this issue. Please add it to commit message when fixing this and/or to ChangeLog.

[anarcat]

I can't reproduce this directly. by default, on a clean build in Debian 9 "stretch", I get:

[1060]anarcat@curie:build$ ./util/parse < ~/Downloads/yaml_stack_overflow.txt 
yaml-cpp: error at line 1, column 1: end of sequence flow not found

If I create a ridiculously large test case (ie. 7 times the original), I manage to get a segfault on malloc:

$ (cat ~/Downloads/yaml_stack_overflow.txt ; cat ~/Downloads/yaml_stack_overflow.txt ; cat ~/Downloads/yaml_stack_overflow.txt ; cat ~/Downloads/yaml_stack_overflow.txt ; cat ~/Downloads/yaml_stack_overflow.txt ; cat ~/Downloads/yaml_stack_overflow.txt ; cat ~/Downloads/yaml_stack_overflow.txt ) > wtf
$ ./util/parse  < wtf
Segmentation fault (core dumped)

here's the stacktrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7216b9b in _int_malloc (av=av@entry=0x7ffff7536b00 <main_arena>, bytes=bytes@entry=512) at malloc.c:3384
3384	malloc.c: Aucun fichier ou dossier de ce type.
(gdb) bt
#0  0x00007ffff7216b9b in _int_malloc (av=av@entry=0x7ffff7536b00 <main_arena>, bytes=bytes@entry=512) at malloc.c:3384
#1  0x00007ffff7218d84 in __GI___libc_malloc (bytes=512) at malloc.c:2925
#2  0x00007ffff7ae67a8 in operator new(unsigned long) () from /lib/x86_64-linux-gnu/libstdc++.so.6
#3  0x00005555555a1baf in void std::deque<YAML::CollectionType::value, std::allocator<YAML::CollectionType::value> >::_M_push_back_aux<YAML::CollectionType::value const&>(YAML::CollectionType::value const&) ()
#4  0x000055555559d0e4 in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) ()
#5  0x000055555559b670 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#6  0x00005555555a192a in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) ()
#7  0x000055555559b618 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#8  0x000055555559d01c in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) ()
#9  0x000055555559b670 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#10 0x00005555555a192a in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) ()
#11 0x000055555559b618 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#12 0x000055555559d01c in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) ()
[... ad nauseam...]

as the SUSE folks say - maybe this is just a matter of setting a recursion limit?

[anarcat]

please review the proposed fix in #489. thanks!

[lamby]

Hi, any update on this? :)

[hobbes1069]

Ping