| Title | GNU cflow cflow cflow (GNU cflow) the newest master (0a19319e282506ff88d19e630380cd5069e893ed) in cflow.git - GNU cflow Buffer Overflow |
|---|---|

**Description**

*** According to the suggestions of GNU Cflow (https://lists.gnu.org/mailman/listinfo/bug-cflow), I have sent an email to [email protected] detailing each bug. After receiving the confirmation email from VulDB, I will reply to the VulDB email (forwarding the public email content I sent to GNU Cflow before), but I don't know why the public mailing list has still not been updated. ***
# GNU cflow yylex Buffer Overflow Vulnerability
## Summary
A critical buffer overflow vulnerability exists in GNU cflow's lexical analyzer, the `yylex()` function. When processing malformed C source files, the program fails to validate the array index derived from the lexer state, leading to an out-of-bounds memory read and a segmentation fault.
## Vulnerability Details
- **Program**: cflow (GNU cflow)
- **Crash Type**: SIGSEGV (Signal 11)
- **Root Cause**: Buffer overflow in the `yylex()` lexical analyzer
## Technical Analysis
### Stack Trace Pattern
```gdb
Program received signal SIGSEGV, Segmentation fault.
0x000055555556488d in yylex () at c.c:1091
1091 if ( yy_accept[yy_current_state] )
#0 0x000055555556488d in yylex () at c.c:1091
#1 get_token () at /src/c.l:385
#2 0x000055555556f9a5 in nexttoken () at /src/parser.c:299
#3 yyparse () at /src/parser.c:573
#4 main (argc=<optimized out>, argv=<optimized out>) at main.c:1457
```
### Vulnerability Mechanism
**Critical Assembly Code**:
```assembly
0x55555556488a <get_token+842>: movslq %ecx,%rax
0x55555556488d <get_token+845>: cmpw $0x0,(%rbx,%rax,2) ; CRASH HERE
```
**Register Analysis**:
- `rax = 0x6f6c6673` (1869375091) - Corrupted value whose bytes are the ASCII characters "s", "f", "l", "o" in little-endian memory order
- This value is used as an array index: `(%rbx,%rax,2)`
- Results in access to invalid memory address `rbx + (0x6f6c6673 * 2)`
### Root Cause Analysis
1. **Input Processing**: cflow parses C source files using flex-generated lexical analyzer
2. **State Machine Corruption**: Malformed input causes `yy_current_state` variable corruption
3. **Invalid Array Access**: Corrupted state value used as index into `yy_accept[]` array
4. **Memory Violation**: Out-of-bounds access triggers segmentation fault
### Vulnerable Code Context
```c
// In yylex() at c.c:1091
if ( yy_accept[yy_current_state] ) // Vulnerable array access
```
The vulnerability occurs when:
- Input contains malformed C syntax that confuses the lexer state machine
- `yy_current_state` becomes corrupted with invalid values (like 0x6f6c6673)
- No bounds checking before using state as array index
- Results in memory access far beyond `yy_accept[]` array boundaries
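The following is an added illustration, not cflow's generated `c.c`: a constructed miniature of a flex-style table-driven scanner (made-up states, tables and rules) in which `yy_current_state` indexes `yy_accept[]` exactly as at c.c:1091, but with the index validated before the read, so a corrupted state such as the report's `0x6f6c6673` is rejected instead of dereferenced.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Constructed miniature of a flex-style table-driven scanner (not cflow's
 * generated c.c): yy_current_state indexes yy_accept[], the same access that
 * faults at c.c:1091 in the report. States, tables and rules are made up. */
#define YY_NUM_STATES 4                 /* valid states are 0..3 */
enum { CLS_ALPHA = 0, CLS_DIGIT = 1, CLS_OTHER = 2, NUM_CLASSES = 3 };
/* Rule accepted in each state: 0 = none, 1 = identifier, 2 = number
 * (flex emits this as a 16-bit table, hence the cmpw with scale 2). */
static const int16_t yy_accept[YY_NUM_STATES] = { 0, 0, 1, 2 };
/* Next state per (state, input class): 0 start, 1 dead, 2 identifier, 3 number. */
static const int16_t yy_nxt[YY_NUM_STATES][NUM_CLASSES] = {
    { 2, 3, 1 },   /* start */
    { 1, 1, 1 },   /* dead  */
    { 2, 2, 1 },   /* ident */
    { 1, 3, 1 },   /* num   */
};
static int classify(unsigned char c)
{
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_') return CLS_ALPHA;
    return (c >= '0' && c <= '9') ? CLS_DIGIT : CLS_OTHER;
}
/* Guarded form of `yy_accept[yy_current_state]`: rejects any state that is
 * not a valid index instead of reading rbx + state*2 blindly. */
int checked_accept(long yy_current_state)
{
    if (yy_current_state < 0 || yy_current_state >= YY_NUM_STATES)
        return -1;                      /* corrupted state: refuse to index */
    return yy_accept[yy_current_state];
}
/* Runs the DFA over `text`; returns the accepted rule (1 identifier, 2 number,
 * 0 no match) or -1 if the state ever leaves the table. */
int scan_token(const char *text)
{
    long yy_current_state = 0;
    for (size_t i = 0; text[i] != '\0'; i++) {
        if (yy_current_state < 0 || yy_current_state >= YY_NUM_STATES)
            return -1;
        yy_current_state = yy_nxt[yy_current_state][classify((unsigned char)text[i])];
    }
    return checked_accept(yy_current_state);
}
int main(void)
{
    /* 0x6f6c6673 is the rax value from the report's crash, fed in as a state. */
    printf("main -> %d, 42 -> %d, state 0x6f6c6673 -> %d\n",
           scan_token("main"), scan_token("42"), checked_accept(0x6f6c6673L));
    return 0;
}
```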
### Expected Behavior
The command will:
1. Begin parsing the malformed C source file
2. Enter lexical analysis phase
3. Encounter corrupted state in yylex()
4. Crash with SIGSEGV at array bounds violation
## Proof of Concept
- **POC File**: `POC_cflow_yylex_buffer_overflow` (https://drive.google.com/file/d/17lkJ5bSiQZoXLTg3bK-rGBt3kahN9Xse/view?usp=drive_link)
- **Content**: Malformed C source code that triggers lexer state corruption
- **Reproduction Command**:
```bash
./cflow -p 0 --tree POC_cflow_yylex_buffer_overflow
```
### Credit
Xudong Cao (UCAS)
Yuqing Zhang (UCAS, Zhongguancun Laboratory)
| Source | https://lists.gnu.org/archive/html/bug-cflow/ |
|---|---|
| User | Anonymous User |
| Submission | 25/07/2025 09h43 (9 months ago) |
| Moderation | 08/08/2025 10h12 (14 days later) |
| Status | Accepted |
| VulDB Entry | 319232 [GNU cflow up to 1.8 Lexer c.c yylex Buffer Overflow] |
| Points | 20 |