bin/125585: yacc(1) - out of bounds stack access bug

Bruce Cran bruce at cran.org.uk
Sun Jul 13 20:20:03 UTC 2008


>Number:         125585
>Category:       bin
>Synopsis:       yacc(1) - out of bounds stack access bug
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 13 20:20:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Bruce Cran
>Release:        8.0-CURRENT
>Organization:
>Environment:
FreeBSD mac.draftnet 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Fri Jun 13 04:16:23 BST 2008     brucec at mac.draftnet:/usr/obj/usr/src/sys/GENERIC  powerpc
>Description:
Otto Moerbeek found a bug in OpenBSD's yacc(1) (http://undeadly.org/cgi?action=article&sid=20080708155228) which looks like it might be present in FreeBSD's version too.  From the cvs log:

Modified files:
	usr.bin/yacc   : skeleton.c 

Log message:
Fix a venerable bug: if we're reducing a rule that has an empty
right hand side and the yacc stackpointer is pointing at the very
end of the allocated stack, we end up accessing the stack out of
bounds by the implicit $$ = $1 action.  Detected by my new malloc,
experienced by sturm@ on sparc64; ok deraadt@

The diff in OpenBSD can be seen at http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/yacc/skeleton.c.diff?r1=1.28&r2=1.29
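The mechanism the log message describes, as an added model rather than the skeleton.c code of either tree: in the byacc skeleton the implicit `$$ = $1` is `yyval = yyvsp[1-yym]`, where yym is the length of the rule's right-hand side, so an empty rule (yym == 0) reads yyvsp[1], one slot past the stack pointer. The stack layout, sample values and function names below are assumptions for illustration; the yym == 0 guard is a fix of the same kind as OpenBSD's, and the linked diff is the reference for the actual change.

```c
#include <stddef.h>
#include <string.h>

typedef int YYSTYPE;

/* Model of the yacc value stack (assumed layout): 'size' slots,
 * 'top' is the index the value stack pointer (yyvsp) points at. */
struct yystack {
    YYSTYPE *base;
    size_t size;
    size_t top;
};

/* The skeleton's implicit "$$ = $1" is yyval = yyvsp[1-yym].  Returns 0 and
 * stores the value, or -1 when the read would fall outside the allocated
 * stack.  The real skeleton has no such check and simply reads the memory,
 * which is the out-of-bounds access the log message describes. */
static int reduce_original(const struct yystack *s, int yym, YYSTYPE *yyval)
{
    ptrdiff_t idx = (ptrdiff_t)s->top + (1 - yym);
    if (idx < 0 || (size_t)idx >= s->size)
        return -1;
    *yyval = s->base[idx];
    return 0;
}

/* Hardened reduce: an empty right-hand side has no $1, so never read
 * yyvsp[1]; give $$ a defined zero value instead. */
static int reduce_fixed(const struct yystack *s, int yym, YYSTYPE *yyval)
{
    if (yym == 0) {
        memset(yyval, 0, sizeof *yyval);
        return 0;
    }
    return reduce_original(s, yym, yyval);
}

/* The scenario from the log message: stack pointer at the very end of the
 * allocated stack, reducing a rule whose right-hand side has yym symbols.
 * Returns the reduce status (-1 means the read would be out of bounds). */
int reduce_at_stack_end(int yym, int use_fix, YYSTYPE *out)
{
    YYSTYPE buf[4] = {10, 20, 30, 40};  /* constructed sample stack */
    struct yystack s = { buf, 4, 3 };    /* yyvsp points at the last slot */
    return use_fix ? reduce_fixed(&s, yym, out)
                   : reduce_original(&s, yym, out);
}
```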
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted: