GNU bc crashes on some inputs

Bug #1775776 reported by HongxuChen
This bug affects 2 people
Affects       Status      Importance   Assigned to   Milestone
bc (Debian)   New         Undecided    Unassigned
bc (Ubuntu)   Confirmed   Low          Unassigned

Bug Description

(We haven't found a way to report directly to the GNU bc maintainers, therefore we report here; there are other crashes; however, since I'm not familiar with Launchpad, I only report the two relevant ones in this thread.)

We fuzzed GNU bc 1.07 (1.07.1 also affected) and found 2 related crashes when interpreting some input files (test_01.input.txt and test_02.input.txt) with "bc < input_file", the gdb backtraces (also attached as "*.gdb.txt") are as follows:

(test_01.gdb.txt)
Reading symbols from ../../../../bc-1.07-orig/install/bin/bc...done.
Starting program: /home/hongxu/FOT/test_c/bc-1.07-orig/install/bin/bc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
(standard_in) 13: syntax error
Runtime error (func=(main), adr=2): Function asanerange2_ not defined.
(standard_in) 15: Return outside of a function.
(standard_in) 19: Return outside of a function.
Runtime error (func=(main), adr=34): Parameter type mismatch, parameter cend.

Program received signal SIGSEGV, Segmentation fault.
0x000055555555de73 in process_params (progctr=0x555555769340 <pc>, func=0x1) at storage.c:1004
1004 if ((ch == '0') && params->av_name > 0)
#0 0x000055555555de73 in process_params (progctr=0x555555769340 <pc>, func=0x1) at storage.c:1004
#1 0x000055555555a7b4 in execute () at execute.c:157
#2 0x000055555555e6ee in run_code () at util.c:295
#3 0x0000555555555f23 in yyparse () at ../../bc/bc.y:134
#4 0x000055555555579a in main (argc=0x1, argv=0x7fffffffbcc8) at main.c:260

(test_02.gdb.txt)
Reading symbols from ../../../../bc-1.07-orig/install/bin/bc...done.
Starting program: /home/hongxu/FOT/test_c/bc-1.07-orig/install/bin/bc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
(standard_in) 48: syntax error
(standard_in) 49: syntax error
(standard_in) 51: syntax error
(standard_in) 51: syntax error
Runtime error (func=carccosh, adr=51): Parameter type mismatch parameter b__.

Program received signal SIGSEGV, Segmentation fault.
0x000055555555defd in process_params (progctr=0x555555769340 <pc>, func=0x2) at storage.c:1015
1015 if ((ch == '1') && (params->av_name < 0))
#0 0x000055555555defd in process_params (progctr=0x555555769340 <pc>, func=0x2) at storage.c:1015
#1 0x000055555555a7b4 in execute () at execute.c:157
#2 0x000055555555e6ee in run_code () at util.c:295
#3 0x0000555555555f23 in yyparse () at ../../bc/bc.y:134
#4 0x000055555555579a in main (argc=0x1, argv=0x7fffffffbcc8) at main.c:260

We can see that both errors are inside `process_params` at the branch-condition checking sites, lines 1004 and 1015, which correspond to heap overflows according to AddressSanitizer.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: bc 1.07.1-2
ProcVersionSignature: Ubuntu 4.15.0-23.25-generic 4.15.18
Uname: Linux 4.15.0-23-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
CurrentDesktop: LXQt
Date: Fri Jun 8 14:42:03 2018
InstallationDate: Installed on 2016-03-04 (825 days ago)
InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
SourcePackage: bc
UpgradeStatus: Upgraded to bionic on 2018-05-13 (25 days ago)
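The report above lists two gdb backtraces that end in the same function but at different source lines. When a fuzzing campaign yields many such crashes, the first defensive step is to parse the backtraces and bucket them by stack signature so that duplicates are not reported twice and genuinely distinct faults are not merged. The following script is an added example written for this page; it is not part of the bug report, of bc, or of any triage tool the reporters used. It embeds the two backtraces from the report as constructed sample input and buckets them once with and once without line numbers in the signature.

```python
"""Crash-triage helper (added example): parse gdb backtraces of the shape
shown in this report and bucket them by a stack signature."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# gdb frame line, e.g.
#   #1  0x000055555555a7b4 in execute () at execute.c:157
# The "0x... in" prefix is optional because gdb omits it for some frames.
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[A-Za-z_]\w*)\s*"
    r"\((?P<args>.*)\)\s+at\s+(?P<file>\S+):(?P<line>\d+)\s*$"
)
SIGNAL_RE = re.compile(r"^Program received signal (?P<sig>\w+)")

# Constructed sample input: the two backtraces quoted in the report.
TEST_01 = """\
Program received signal SIGSEGV, Segmentation fault.
0x000055555555de73 in process_params (progctr=0x555555769340 <pc>, func=0x1) at storage.c:1004
1004 if ((ch == '0') && params->av_name > 0)
#0  0x000055555555de73 in process_params (progctr=0x555555769340 <pc>, func=0x1) at storage.c:1004
#1  0x000055555555a7b4 in execute () at execute.c:157
#2  0x000055555555e6ee in run_code () at util.c:295
#3  0x0000555555555f23 in yyparse () at ../../bc/bc.y:134
#4  0x000055555555579a in main (argc=0x1, argv=0x7fffffffbcc8) at main.c:260
"""
TEST_02 = """\
Program received signal SIGSEGV, Segmentation fault.
#0  0x000055555555defd in process_params (progctr=0x555555769340 <pc>, func=0x2) at storage.c:1015
#1  0x000055555555a7b4 in execute () at execute.c:157
#2  0x000055555555e6ee in run_code () at util.c:295
#3  0x0000555555555f23 in yyparse () at ../../bc/bc.y:134
#4  0x000055555555579a in main (argc=0x1, argv=0x7fffffffbcc8) at main.c:260
"""


@dataclass(frozen=True)
class Frame:
    index: int
    function: str
    file: str
    line: int


@dataclass
class Crash:
    signal: Optional[str]
    frames: List[Frame]


def parse_backtrace(text: str) -> Crash:
    """Extract the signal name and the numbered frames from a gdb transcript.
    Source-echo lines ("1004 if (...)") and the unnumbered pc line are ignored."""
    signal = None
    frames: List[Frame] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SIGNAL_RE.match(line)
        if m:
            signal = m.group("sig")
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group("idx")), m.group("func"),
                                m.group("file"), int(m.group("line"))))
    frames.sort(key=lambda f: f.index)
    return Crash(signal, frames)


def signature(crash: Crash, depth: int = 3, with_line: bool = True) -> Tuple[str, ...]:
    """Stack signature from the top `depth` frames. With line numbers the two
    report crashes are distinct buckets; without them they collapse into one."""
    return tuple(
        f"{f.function}@{f.file}:{f.line}" if with_line else f.function
        for f in crash.frames[:depth]
    )


def bucket(traces: Dict[str, str], depth: int = 3,
           with_line: bool = True) -> Dict[Tuple[str, ...], List[str]]:
    """Group named backtraces by signature; returns signature -> input names."""
    buckets: Dict[Tuple[str, ...], List[str]] = {}
    for name, text in traces.items():
        sig = signature(parse_backtrace(text), depth, with_line)
        buckets.setdefault(sig, []).append(name)
    return buckets


if __name__ == "__main__":
    traces = {"test_01": TEST_01, "test_02": TEST_02}
    for with_line in (True, False):
        print(f"with_line={with_line}:")
        for sig, names in bucket(traces, with_line=with_line).items():
            print("  ", " <- ".join(sig), "=>", names)
```

Bucketing by function name alone would have merged these two crashes; including the faulting line keeps them apart, which matters here because the two conditions at storage.c:1004 and storage.c:1015 may need separate fixes. The depth and whether to include line numbers are deliberately parameters so a triager can tune how aggressively duplicates are collapsed.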

HongxuChen (hsxuif) wrote :
HongxuChen (hsxuif)
tags: removed: apport-bug
tags: removed: bionic
Seth Arnold (seth-arnold) wrote : Re: [Bug 1775776] [NEW] GNU bc crashes on some inputs

On Fri, Jun 08, 2018 at 07:00:11AM -0000, HongxuChen wrote:
> (We haven't found ways to report directly to GNU bc maintainers
> therefore we report here; there are other crashes however, since I'm not
> familiar with launchpad I only report two relevant in this thread)

Thanks for getting in touch with us; I have mailed this report and the
tarball to Philip, who responded to my mail to <email address hidden>. Emailing
the bc maintainers directly is probably the best route to take for your
other findings. Here are the instructions from the end of the bc(1) manpage:

BUGS
       Error recovery is not very good yet.

       Email bug reports to <email address hidden>. Be sure to include the
       word ``bc'' somewhere in the ``Subject:'' field.

Thanks

HongxuChen (hsxuif) wrote :

Thanks for forwarding!

I actually emailed <email address hidden> and <email address hidden><email address hidden> (listed here https://directory.fsf.org/wiki/Bc#tab=Details) before; however, there was no response. So I was wondering whether these email accounts have some whitelist settings.

But if they reply to you, that would be great enough.

HongxuChen (hsxuif) wrote :

The added crashes.tar.gz contains other PoCs (*.input.txt) that will crash bc, and their gdb results (*.gdb.txt). Note that some of them require AddressSanitizer and others do not.

HongxuChen (hsxuif) wrote :
Eduardo Barretto (ebarretto) wrote :

Can we make this ticket public? Also, have you heard back from upstream? I think there are no news or fixes so far for it; maybe making it public will help in getting a fix.

HongxuChen (hsxuif) wrote :

I'm fine with publicity.

information type: Private Security → Public Security
Changed in bc (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
information type: Public Security → Public