### Description
The crash occurs within Yosys::RTLIL::Const::set (defined in kernel/rtlil.h:1092), which is called by Yosys::parse_blif in frontends/blif/blifparse.cc:632. The issue is triggered when parsing a crafted BLIF file.
The AddressSanitizer report indicates a WRITE of size 1 occurring immediately after a 1024-byte allocated region. This suggests an off-by-one or out-of-bounds access when setting bits in a constant during BLIF parsing.
The vendor confirmed and fixed this vulnerability in commit [3f1fbfd](https://github.com/YosysHQ/yosys/commit/3f1fbfdaee9049c0c274e73032e09266d6a36525).
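As an added illustration (not Yosys code and not the vendor's fix), a simplified C++ model of the crash site: a bit-vector constant whose `set` writes through an unchecked index, beside a bounds-checked version that lets a parser reject a malformed row instead of writing past the buffer. The class and function names are invented for this example; the 1024-bit width is taken from the ASan report.

```cpp
#include <cstddef>
#include <utility>
#include <vector>

// Simplified model of a bit-vector constant, not Yosys's RTLIL::Const.
// The real class holds a std::vector<State> (one byte per bit, hence the
// 1024-byte region in the report) and Const::set(idx, s) stores into it.
enum class State : unsigned char { S0 = 0, S1 = 1, Sx = 2 };

// Vulnerable shape: operator[] performs no bounds check, so idx == size()
// writes one byte past the allocation, which is what ASan flagged.
struct UncheckedConst {
    std::vector<State> bits;
    explicit UncheckedConst(size_t n) : bits(n, State::Sx) {}
    void set(int idx, State s) { bits[idx] = s; }   // no range check
};

// Hardened shape: validate the index before touching the buffer and let the
// caller (the parser) treat a rejected write as malformed input.
struct CheckedConst {
    std::vector<State> bits;
    explicit CheckedConst(size_t n) : bits(n, State::Sx) {}
    bool set(int idx, State s) {
        if (idx < 0 || static_cast<size_t>(idx) >= bits.size())
            return false;                            // out of range: refuse
        bits[static_cast<size_t>(idx)] = s;
        return true;
    }
    State get(int idx) const {
        if (idx < 0 || static_cast<size_t>(idx) >= bits.size())
            return State::Sx;                        // undefined bit
        return bits[static_cast<size_t>(idx)];
    }
};

// Applies a list of (index, state) writes, as a parser filling a constant
// would, and returns how many were rejected. A non-zero result means the
// input asked for a bit the constant does not have and should be an error.
int apply_writes(CheckedConst& c, const std::vector<std::pair<int, State>>& w) {
    int rejected = 0;
    for (size_t i = 0; i < w.size(); ++i)
        if (!c.set(w[i].first, w[i].second))
            ++rejected;
    return rejected;
}
```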
### Environment
- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.
### Reproduce
1. Build yosys with Release optimization and ASAN enabled.
2. Run with the crashing [file](https://github.com/oneafter/0210/blob/main/yo2/repro):
```
./yosys -p "read_blif repro"
```
<details>
<summary>ASAN report</summary>

```
==3329917==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51900000b880 at pc 0x5695161ba01b bp 0x7ffe9f163eb0 sp 0x7ffe9f163ea8
WRITE of size 1 at 0x51900000b880 thread T0
#0 0x5695161ba01a in Yosys::RTLIL::Const::set(int, Yosys::RTLIL::State) /home/cobot001/src/repro/yosys/./kernel/rtlil.h:1092:22
#1 0x5695161ba01a in Yosys::parse_blif(Yosys::RTLIL::Design*, std::istream&, Yosys::RTLIL::IdString, bool, bool, bool) /home/cobot001/src/repro/yosys/frontends/blif/blifparse.cc:632:13
#2 0x5695161c236d in Yosys::BlifFrontend::execute(std::istream*&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>, Yosys::RTLIL::Design*) /home/cobot001/src/repro/yosys/frontends/blif/blifparse.cc:688:3
#3 0x569515a9b3d9 in Yosys::Frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>, Yosys::RTLIL::Design*) /home/cobot001/src/repro/yosys/kernel/register.cc:451:3
#4 0x569515a962a7 in Yosys::Pass::call(Yosys::RTLIL::Design*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>) /home/cobot001/src/repro/yosys/kernel/register.cc:299:8
#5 0x569515a94dd6 in Yosys::Pass::call(Yosys::RTLIL::Design*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>) /home/cobot001/src/repro/yosys/kernel/register.cc:271:2
#6 0x569515ca7399 in Yosys::run_pass(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, Yosys::RTLIL::Design*) /home/cobot001/src/repro/yosys/kernel/yosys.cc:866:2
#7 0x5695159ef8d4 in main /home/cobot001/src/repro/yosys/kernel/driver.cc:613:3
#8 0x7845bd22a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#9 0x7845bd22a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#10 0x5695158fa654 in _start (/home/cobot001/src/repro/yosys/yosys+0x502654) (BuildId: 558bbe2cbdbc50ff86a912e70c45e5ebd90ba702)
0x51900000b880 is located 0 bytes after 1024-byte region [0x51900000b480,0x51900000b880)
allocated by thread T0 here:
#0 0x5695159d3ac1 in operator new(unsigned long) (/home/cobot001/src/repro/yosys/yosys+0x5dbac1) (BuildId: 558bbe2cbdbc50ff86a912e70c45e5ebd90ba702)
#1 0x569515c10bb2 in std::__new_allocator<Yosys::RTLIL::State>::allocate(unsigned long, void const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/new_allocator.h:151:27
#2 0x569515c10bb2 in std::allocator_traits<std::allocator<Yosys::RTLIL::State>>::allocate(std::allocator<Yosys::RTLIL::State>&, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/alloc_traits.h:482:20
#3 0x569515c10bb2 in std::_Vector_base<Yosys::RTLIL::State, std::allocator<Yosys::RTLIL::State>>::_M_allocate(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_vector.h:381:20
#4 0x569515c10bb2 in Yosys::RTLIL::State* std::vector<Yosys::RTLIL::State, std::allocator<Yosys::RTLIL::State>>::_M_allocate_and_copy<__gnu_cxx::__normal_iterator<Yosys::RTLIL::State const*, std::vector<Yosys::RTLIL::State, std::allocator<Yosys::RTLIL::State>>>>(unsigned long, __gnu_cxx::__normal_iterator<Yosys::RTLIL::State const*, std::vector<Yosys::RTLIL::State, std::allocator<Yosys::RTLIL::State>>>, __gnu_cxx::__normal_iterator<Yosys::RTLIL::State const*, std::vector<Yosys::RTLIL::State, std::allocator<Yosys::RTLIL::State>>>) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_vector.h:1619:29
#5 0x569515c10bb2 in std::vector<Yosys::RTLIL::State, std::allocator<Yosys::RTLIL::State>>::operator=(std::vector<Yosys::RTLIL::State, std::allocator<Yosys::RTLIL::State>> const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/vector.tcc:238:24
#6 0x569515b82b08 in Yosys::RTLIL::Const::operator=(Yosys::RTLIL::Const const&) /home/cobot001/src/repro/yosys/kernel/rtlil.cc:576:14
#7 0x5695161b8762 in Yosys::parse_blif(Yosys::RTLIL::Design*, std::istream&, Yosys::RTLIL::IdString, bool, bool, bool) /home/cobot001/src/repro/yosys/frontends/blif/blifparse.cc:559:32
#8 0x5695161c236d in Yosys::BlifFrontend::execute(std::istream*&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>, Yosys::RTLIL::Design*) /home/cobot001/src/repro/yosys/frontends/blif/blifparse.cc:688:3
#9 0x569515a9b3d9 in Yosys::Frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>, Yosys::RTLIL::Design*) /home/cobot001/src/repro/yosys/kernel/register.cc:451:3
#10 0x569515a962a7 in Yosys::Pass::call(Yosys::RTLIL::Design*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>) /home/cobot001/src/repro/yosys/kernel/register.cc:299:8
#11 0x569515a94dd6 in Yosys::Pass::call(Yosys::RTLIL::Design*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>) /home/cobot001/src/repro/yosys/kernel/register.cc:271:2
#12 0x569515ca7399 in Yosys::run_pass(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, Yosys::RTLIL::Design*) /home/cobot001/src/repro/yosys/kernel/yosys.cc:866:2
#13 0x5695159ef8d4 in main /home/cobot001/src/repro/yosys/kernel/driver.cc:613:3
#14 0x7845bd22a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#15 0x7845bd22a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#16 0x5695158fa654 in _start (/home/cobot001/src/repro/yosys/yosys+0x502654) (BuildId: 558bbe2cbdbc50ff86a912e70c45e5ebd90ba702)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/cobot001/src/repro/yosys/./kernel/rtlil.h:1092:22 in Yosys::RTLIL::Const::set(int, Yosys::RTLIL::State)
Shadow bytes around the buggy address:
0x51900000b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x51900000b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x51900000b700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x51900000b780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x51900000b800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x51900000b880:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x51900000b900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x51900000b980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x51900000ba00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x51900000ba80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x51900000bb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3329917==ABORTING
```
</details>