Stack Overflow Vulnerability #126

Closed
r0t0tiller opened this issue Apr 10, 2017 · 2 comments
Comments


r0t0tiller commented Apr 10, 2017

There is a stack based buffer overflow vulnerability in the gravity_lexer_next function. By making a gravity script like the one below, it is possible to overflow the stack and control registers with the overflowed data. This is potentially an exploitable bug because an attacker can gain at least partial control of the program's registers.

func main () {

{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{...<snip> (24950 characters)AAAAABBBBBCCCCCDDDDD

}

Attached is the Valgrind output, ASAN output, and the GDB output.

Valgrind:

==12779== Memcheck, a memory error detector
==12779== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==12779== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==12779== Command: ./gravity /home/ctf/Desktop/Gravity_Fuzzer/testcase.gravity
==12779==
==12779== Stack overflow in thread 1: can't grow stack to 0xffe801000
==12779==
==12779== Process terminating with default action of signal 11 (SIGSEGV)
==12779== Access not within mapped region at address 0xFFE801FF8
==12779== Stack overflow in thread 1: can't grow stack to 0xffe801000
==12779== at 0x413F09: gravity_lexer_next (in /home/ctf/Desktop/gravity/gravity)
==12779== If you believe this happened as a result of a stack
==12779== overflow in your program's main thread (unlikely but
==12779== possible), you can try to increase the size of the
==12779== main thread stack using the --main-stacksize= flag.
==12779== The main thread stack size used in this run was 8388608.
==12779== Stack overflow in thread 1: can't grow stack to 0xffe801000
==12779==
==12779== Process terminating with default action of signal 11 (SIGSEGV)
==12779== Access not within mapped region at address 0xFFE801FD8
==12779== Stack overflow in thread 1: can't grow stack to 0xffe801000
==12779== at 0x4A28680: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so)
==12779== If you believe this happened as a result of a stack
==12779== overflow in your program's main thread (unlikely but
==12779== possible), you can try to increase the size of the
==12779== main thread stack using the --main-stacksize= flag.
==12779== The main thread stack size used in this run was 8388608.
==12779==
==12779== HEAP SUMMARY:
==12779== in use at exit: 691,224 bytes in 25,852 blocks
==12779== total heap usage: 25,853 allocs, 1 frees, 691,288 bytes allocated
==12779==
==12779== LEAK SUMMARY:
==12779== definitely lost: 200 bytes in 5 blocks
==12779== indirectly lost: 1,384 bytes in 17 blocks
==12779== possibly lost: 0 bytes in 0 blocks
==12779== still reachable: 689,640 bytes in 25,830 blocks
==12779== suppressed: 0 bytes in 0 blocks
==12779== Rerun with --leak-check=full to see details of leaked memory
==12779==
==12779== For counts of detected and suppressed errors, rerun with: -v
==12779== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

ASAN:

ASAN:SIGSEGV

==12843==ERROR: AddressSanitizer: stack-overflow on address 0x7ffca7a7bff8 (pc 0x7f0a20f8a9f3 bp 0x000000000018 sp 0x7ffca7a7c000 T0)
0 0x7f0a20f8a9f2 (/usr/lib/gcc/x86_64-linux-gnu/5/libasan.so+0x239f2)
1 0x7f0a20fff765 in __interceptor_calloc (/usr/lib/gcc/x86_64-linux-gnu/5/libasan.so+0x98765)
2 0x4160e2 in gnode_array_create (/home/ctf/Desktop/gravity/gravity+0x4160e2)
3 0x40bc76 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc76)
4 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
5 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
6 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
7 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
8 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
9 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
10 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
11 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
12 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
13 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
14 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
15 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
16 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
17 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
18 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
19 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
20 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
21 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
22 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
23 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
24 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
25 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
26 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
27 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
28 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
29 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
30 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
31 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
32 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
33 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
34 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
35 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
36 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
37 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
38 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
39 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
40 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
41 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
42 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
43 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
44 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
45 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
46 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
47 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
48 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
49 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
50 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
51 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
52 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
53 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
54 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
55 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
56 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
57 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
58 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
59 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
60 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
61 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
62 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
63 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
64 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
65 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
66 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
67 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
68 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
69 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
70 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
71 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
72 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
73 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
74 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
75 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
76 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
77 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
78 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
79 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
80 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
81 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
82 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
83 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
84 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
85 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
86 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
87 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
88 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
89 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
90 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
91 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
92 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
93 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
94 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
95 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
96 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
97 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
98 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
99 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
100 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
101 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
102 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
103 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
104 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
105 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
106 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
107 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
108 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
109 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
110 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
111 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
112 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
113 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
114 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
115 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
116 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
117 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
118 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
119 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
120 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
121 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
122 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
123 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
124 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
125 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
126 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
127 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
128 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
129 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
130 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
131 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
132 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
133 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
134 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
135 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
136 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
137 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
138 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
139 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
140 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
141 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
142 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
143 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
144 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
145 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
146 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
147 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
148 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
149 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
150 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
151 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
152 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
153 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
154 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
155 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
156 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
157 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
158 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
159 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
160 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
161 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
162 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
163 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
164 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
165 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
166 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
167 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
168 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
169 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
170 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
171 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
172 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
173 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
174 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
175 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
176 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
177 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
178 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
179 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
180 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
181 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
182 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
183 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
184 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
185 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
186 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
187 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
188 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
189 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
190 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
191 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
192 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
193 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
194 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
195 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
196 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
197 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
198 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
199 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
200 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
201 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
202 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
203 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
204 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
205 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
206 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
207 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
208 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
209 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
210 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
211 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
212 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
213 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
214 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
215 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
216 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
217 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
218 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
219 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
220 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
221 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
222 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
223 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
224 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
225 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
226 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
227 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
228 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
229 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
230 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
231 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
232 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
233 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
234 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
235 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
236 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
237 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
238 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
239 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
240 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
241 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
242 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
243 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
244 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
245 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
246 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
247 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
248 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
249 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)
250 0x40b707 in parse_statement (/home/ctf/Desktop/gravity/gravity+0x40b707)
251 0x40bc87 in parse_compound_statement (/home/ctf/Desktop/gravity/gravity+0x40bc87)

SUMMARY: AddressSanitizer: stack-overflow ??:0 ??
==12843==ABORTING

GDB:

[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x661e60 --> 0x65baf0 ("func main () {\n"...)
RCX: 0x65baf0 ("func main () {\n"...)
RDX: 0x619a
RSI: 0x7b ('{')
RDI: 0x661c70 ("{{{{{AAAAABBBBB"...)
RBP: 0x7b ('{')
RSP: 0x7fffff7fefe0
RIP: 0x413f09 (<gravity_lexer_next+473>: mov QWORD PTR [rsp+0x18],r11)
R8 : 0x6180
R9 : 0x6181
R10: 0x6181
R11: 0x661c71 ("{{{{AAAAABBBBBC"...)
R12: 0x7fffff7ff024 --> 0xf73c290000000000
R13: 0x6180
R14: 0x100001a00
R15: 0x661e80 --> 0x200000059
EFLAGS: 0x10212 (carry parity ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x413efa <gravity_lexer_next+458>: mov QWORD PTR [rsp+0x30],r10
0x413eff <gravity_lexer_next+463>: mov QWORD PTR [rsp+0x28],rcx
0x413f04 <gravity_lexer_next+468>: mov DWORD PTR [rsp+0x24],r9d
=> 0x413f09 <gravity_lexer_next+473>: mov QWORD PTR [rsp+0x18],r11
0x413f0e <gravity_lexer_next+478>: mov DWORD PTR [rsp+0x10],esi
0x413f12 <gravity_lexer_next+482>: mov QWORD PTR [rsp+0x8],rdi
0x413f17 <gravity_lexer_next+487>: call 0x4015f0 __ctype_b_loc@plt
0x413f1c <gravity_lexer_next+492>: mov r12,QWORD PTR [rax]
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefe0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000413f09 in gravity_lexer_next ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[─────────────────────────────────────────────────────────────REGISTERS─────────────────────────────────────────────────────────────]
RAX 0x0
*RBX 0x661e60 —▸ 0x65baf0 ◂— 0x69616d20636e7566 ('func mai')
*RCX 0x65baf0 ◂— 0x69616d20636e7566 ('func mai')
*RDX 0x619a
*RDI 0x661c70 ◂— 0x4141417b7b7b7b7b ('{{{{{AAA')
*RSI 0x7b
*R8 0x6180
*R9 0x6181
*R10 0x6181
*R11 0x661c71 ◂— 0x414141417b7b7b7b ('{{{{AAAA')
*R12 0x7fffff7ff024 ◂— 0xf73c290000000000
*R13 0x6180
*R14 0x100001a00
R15 0x661e80 ◂— 0x200000059 /* 'Y' */
*RBP 0x7b
*RSP 0x7fffff7fefe0
*RIP 0x413f09 (gravity_lexer_next+473) ◂— mov qword ptr [rsp + 0x18], r11
[───────────────────────────────────────────────────────────────CODE────────────────────────────────────────────────────────────────]
► 0x413f09 <gravity_lexer_next+473> mov qword ptr [rsp + 0x18], r11
0x413f0e <gravity_lexer_next+478> mov dword ptr [rsp + 0x10], esi
0x413f12 <gravity_lexer_next+482> mov qword ptr [rsp + 8], rdi
0x413f17 <gravity_lexer_next+487> call __ctype_b_loc@plt <0x4015f0>

0x413f1c <gravity_lexer_next+492> mov r12, qword ptr [rax]
0x413f1f <gravity_lexer_next+495> movsx rdx, bpl
0x413f23 <gravity_lexer_next+499> mov rdi, qword ptr [rsp + 8]
0x413f28 <gravity_lexer_next+504> mov esi, dword ptr [rsp + 0x10]
0x413f2c <gravity_lexer_next+508> mov r11, qword ptr [rsp + 0x18]
0x413f31 <gravity_lexer_next+513> mov r9d, dword ptr [rsp + 0x24]
0x413f36 <gravity_lexer_next+518> mov rcx, qword ptr [rsp + 0x28]
[───────────────────────────────────────────────────────────────STACK───────────────────────────────────────────────────────────────]
<Could not read memory at 0x7fffff7fefe0>
[─────────────────────────────────────────────────────────────BACKTRACE─────────────────────────────────────────────────────────────]
► f 0 413f09 gravity_lexer_next+473
f 1 414bfc gravity_lexer_peek+140
f 2 408547 parse_optional+39
f 3 408b57 parse_required+39
f 4 40bc57 parse_compound_statement+39
f 5 40b708 parse_statement+1224
f 6 40bc88 parse_compound_statement+88
f 7 40b708 parse_statement+1224
f 8 40bc88 parse_compound_statement+88
f 9 40b708 parse_statement+1224
f 10 40bc88 parse_compound_statement+88
Program received signal SIGSEGV (fault address 0x7fffff7feff8)
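As an added example (not Gravity's code and not the reporter's testcase), the following C program models the parse_statement / parse_compound_statement mutual recursion visible in the ASAN and GDB backtraces above and shows the check that is missing from a parser that can be driven this deep: a nesting-depth counter that turns a 25,000-brace input into a parse error instead of exhausting the thread's stack. MAX_NESTING, the toy grammar (only `{ }` blocks, identifier runs and whitespace) and every function name here are assumptions for illustration; make_nested constructs input in the shape of the reported testcase.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed nesting limit for this illustration; a real parser sizes it well
 * below what the thread's stack can hold per recursion frame. */
#define MAX_NESTING 256

enum parse_result { PARSE_OK = 0, PARSE_SYNTAX = 1, PARSE_TOO_DEEP = 2 };

struct parser {
    const char *src;   /* NUL-terminated source text */
    size_t pos;        /* current offset into src */
    size_t depth;      /* current block nesting depth */
    size_t max_depth;  /* 0 = unlimited: recursion is then bounded only by the stack */
    size_t max_seen;   /* deepest nesting reached, for reporting */
};

static int peek(const struct parser *p) { return (unsigned char)p->src[p->pos]; }

static enum parse_result parse_statement(struct parser *p);

/* compound_statement := '{' statement* '}' */
static enum parse_result parse_compound_statement(struct parser *p)
{
    if (peek(p) != '{')
        return PARSE_SYNTAX;
    /* The check that turns unbounded recursion into a clean parse error. */
    if (p->max_depth != 0 && p->depth >= p->max_depth)
        return PARSE_TOO_DEEP;
    p->depth++;
    if (p->depth > p->max_seen)
        p->max_seen = p->depth;
    p->pos++;                                   /* consume '{' */
    while (peek(p) != '}') {
        if (peek(p) == '\0') {                  /* unterminated block */
            p->depth--;
            return PARSE_SYNTAX;
        }
        enum parse_result r = parse_statement(p);
        if (r != PARSE_OK) {
            p->depth--;
            return r;
        }
    }
    p->pos++;                                   /* consume '}' */
    p->depth--;
    return PARSE_OK;
}

/* statement := compound_statement | identifier | whitespace */
static enum parse_result parse_statement(struct parser *p)
{
    int c = peek(p);
    if (c == '{')
        return parse_compound_statement(p);     /* mutual recursion, as in the backtrace */
    if (c == ' ' || c == '\t' || c == '\n' || c == '\r') {
        p->pos++;
        return PARSE_OK;
    }
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')) {
        while ((peek(p) >= 'A' && peek(p) <= 'Z') || (peek(p) >= 'a' && peek(p) <= 'z'))
            p->pos++;
        return PARSE_OK;
    }
    return PARSE_SYNTAX;
}

/* program := statement* ; max_seen (optional) receives the deepest nesting reached */
enum parse_result parse_program(const char *src, size_t max_depth, size_t *max_seen)
{
    struct parser p = { src, 0, 0, max_depth, 0 };
    enum parse_result r = PARSE_OK;
    while (r == PARSE_OK && peek(&p) != '\0')
        r = parse_statement(&p);
    if (max_seen)
        *max_seen = p.max_seen;
    return r;
}

/* Constructed input in the shape of the reported testcase: n '{', a body of
 * letters, then either n '}' (balanced) or a single '}' (as in the report). */
char *make_nested(size_t n, const char *body, int balanced)
{
    size_t closers = balanced ? n : 1, blen = strlen(body), len = n + blen + closers;
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memset(s, '{', n);
    memcpy(s + n, body, blen);
    memset(s + n + blen, '}', closers);
    s[len] = '\0';
    return s;
}

/* Build, parse with the given limit, free. Returns PARSE_SYNTAX on allocation failure. */
enum parse_result check_nested(size_t n, const char *body, int balanced,
                               size_t max_depth, size_t *max_seen)
{
    char *s = make_nested(n, body, balanced);
    if (!s)
        return PARSE_SYNTAX;
    enum parse_result r = parse_program(s, max_depth, max_seen);
    free(s);
    return r;
}

size_t deepest_nesting(size_t n, const char *body, int balanced, size_t max_depth)
{
    size_t seen = 0;
    check_nested(n, body, balanced, max_depth, &seen);
    return seen;
}

int main(void)
{
    size_t seen = 0;
    enum parse_result r = check_nested(25000, "AAAAABBBBBCCCCCDDDDD", 0, MAX_NESTING, &seen);
    printf("bounded parser: result=%d, deepest nesting reached=%zu\n", (int)r, seen);
    return 0;
}
```

The traces on this page are consistent with stack exhaustion through recursion rather than an overwrite of a fixed-size stack buffer: Valgrind reports "can't grow stack", ASAN reports stack-overflow from inside calloc called by gnode_array_create, and the backtrace alternates parse_statement and parse_compound_statement for 251 frames before the deepest lexer call faults on a spill to [rsp+0x18]. A depth limit like the one above (or an explicit work stack instead of recursion) is the fix; it also makes the failure deterministic regardless of the 8 MB main-thread stack size Valgrind reports, and anyone fuzzing a parser should check every nesting construct (blocks, parentheses, array and map literals) the same way.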

@marcobambini (Owner) commented:

Can you please attach the Gravity code that triggers the crash?

@r0t0tiller (Author) commented:

testcase.txt
