[Bug 265119] bmake ParseDependency() can read off the end of its input buffer

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 09 Jul 2022 20:21:22 UTC

            Bug ID: 265119
           Summary: bmake ParseDependency() can read off the end of its
                    input buffer
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: misc
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 235154
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=235154&action=edit
A makefile filled with garbage that illustrates a bug in bmake.

In this code in bmake's parse.c:

static GNodeType
ParseDependencyOp(char **pp)
{
	if (**pp == '!')
		return (*pp)++, OP_FORCE;
	if ((*pp)[1] == ':')
		return *pp += 2, OP_DOUBLEDEP;
	return (*pp)++, OP_DEPENDS;
}

If bmake's parser has reached the end of the input, so that
**pp == '\0', then it executes the last line, incrementing *pp and
causing the parser to venture into the unknown.

I'm using a recent FreeBSD-current, on amd64, and /usr/src/contrib/bmake
says _MAKE_VERSION=20220208

You can see the problem by compiling bmake with -fsanitize=address,
and running it against the attached (broken) Makefile:

% ./bmake -f bmake4b.out
make: "bmake4b.out" line 2: Invalid line type
make: "bmake4b.out" line 4: Unclosed variable ""
==92690==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000008d34 at pc 0x0000011866c5 bp 0x7fffffffe200 sp 0x7fffffffe1f8
READ of size 1 at 0x602000008d34 thread T0
    #0 0x11866c4 in ParseDependencyOp contrib/bmake/parse.c:1117:6
    #1 0x11858fd in ParseDependency contrib/bmake/parse.c:1480:26
    #2 0x1182685 in ParseDependencyLine contrib/bmake/parse.c:2821:2
    #3 0x117b780 in ParseLine contrib/bmake/parse.c:2872:2
    #4 0x117aa02 in Parse_File contrib/bmake/parse.c:2897:4
    #5 0x115fe72 in ReadMakefile contrib/bmake/main.c:1709:3
    #6 0x115f74f in ReadAllMakefiles contrib/bmake/main.c:1300:8
    #7 0x11574fd in main_ReadFiles contrib/bmake/main.c:1516:3
    #8 0x1156946 in main contrib/bmake/main.c:1645:2

You are receiving this mail because:
You are the assignee for the bug.
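As an added illustration of the end-of-input case described in the report (this is example code written for this page, not bmake's own source and not the reporter's attachment): the function below in the shape quoted above sits next to a checked variant that compares each byte against the terminating NUL before looking at the next one, so it can neither read nor advance past the end of the buffer. The enum values, OP_NONE, the parse_dep_op_* names and the dep_op helpers are constructed for this example; the actual fix applied in bmake is not shown here.

```c
#include <stddef.h>
#include <stdio.h>

/* Operator kinds. The names follow those used in bmake's parse.c; the
 * numeric values and OP_NONE are constructed for this example. */
typedef enum {
	OP_NONE = 0,    /* no operator at *pp (added for the checked variant) */
	OP_DEPENDS,     /* ':'  */
	OP_FORCE,       /* '!'  */
	OP_DOUBLEDEP    /* '::' */
} GNodeType;

/*
 * Same shape as the function quoted in the report. It assumes the caller
 * has already confirmed that *pp points at ':' or '!'; if *pp points at
 * the terminating NUL instead, the (*pp)[1] read and the final (*pp)++
 * both step past the end of the buffer.
 */
static GNodeType
parse_dep_op_unchecked(const char **pp)
{
	if (**pp == '!')
		return (*pp)++, OP_FORCE;
	if ((*pp)[1] == ':')
		return *pp += 2, OP_DOUBLEDEP;
	return (*pp)++, OP_DEPENDS;
}

/*
 * Hardened variant: each byte is compared against NUL before the next one
 * is looked at, so the function never reads or advances past the end of
 * the string. With no operator present it returns OP_NONE and leaves *pp
 * where it was.
 */
static GNodeType
parse_dep_op_checked(const char **pp)
{
	const char *p = *pp;

	if (p[0] == '\0')
		return OP_NONE;
	if (p[0] == '!') {
		*pp = p + 1;
		return OP_FORCE;
	}
	if (p[0] != ':')
		return OP_NONE;
	/* p[0] is ':' (not NUL), so p[1] lies inside the string; it may be NUL. */
	if (p[1] == ':') {
		*pp = p + 2;
		return OP_DOUBLEDEP;
	}
	*pp = p + 1;
	return OP_DEPENDS;
}

/* Harness helpers: classify an input and report how far the checked
 * parser moved the cursor. */
GNodeType
dep_op(const char *line)
{
	const char *p = line;
	return parse_dep_op_checked(&p);
}

size_t
dep_op_consumed(const char *line)
{
	const char *p = line;
	(void)parse_dep_op_checked(&p);
	return (size_t)(p - line);
}

int
main(void)
{
	/* Constructed inputs; "" is the end-of-input case from the report. */
	const char *samples[] = { "!", ":", "::", ":x", "", "x" };
	const char *safe = "::";
	size_t i;

	/* The unchecked version is fine as long as its precondition holds. */
	printf("unchecked on \"::\": op=%d\n", parse_dep_op_unchecked(&safe));

	for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("checked on \"%s\": op=%d consumed=%zu\n",
		    samples[i], dep_op(samples[i]), dep_op_consumed(samples[i]));
	return 0;
}
```

The checked variant returns OP_NONE with the cursor unmoved for both the empty string and a byte that is not an operator, which is the behaviour a caller at end of input needs; building with -fsanitize=address, as the report does, is the quickest way to confirm that the unchecked shape reads past the terminator on "" while the checked one does not.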