33-Year-Old Unix Bug Fixed In OpenBSD

Ste sends along the cheery little story of Otto Moerbeek, one of the OpenBSD developers, who recently found and fixed a 33-year-old buffer overflow bug in Yacc. "But if the stack is at maximum size, this will overflow if an entry on the stack is larger than the 16 bytes leeway my malloc allows. In the case of of C++ it is 24 bytes, so a SEGV occurred. Funny thing is that I traced this back to Sixth Edition UNIX, released in 1975."

Time to patch

[Anonymous Coward]

Wouldn't want to let anyone take over your system with yacc. Seriously.

Re:Time to patch

[slew]

Wouldn't want to let anyone take over your system with yacc. Seriously.

But ./ is already taken over with yak. Seriously.

Re:Time to patch

[Anonymous Coward]

Who cares about OpenBSD yacc? BSD is dying and Netcraft confirms it. The world has moved to GNU/Linux and Bison.

Re:Time to patch

[msuarezalvarez]

So you are including bison in your own apps and its `bloatedness' becomes a problem? Maybe you should read the manpage...

Re:Time to patch

[setagllib]

Who cares? Like GCC versus TinyCC, being bloated means it can produce a more useful output. GNUware can be faulted for being heavy compared to traditional Unix tools, but the functionality and flexibility provided more than makes up for it.

Except for autotools. What the HELL were they thinking.

Re:

[Haeleth]

Care to point out what exactly bison does that is so useful? Its not any better than yacc

Re-entrant parsers.

Re:

[cryptoluddite]

Wouldn't want to let anyone take over your system with yacc. Seriously.

I think if you've installed yacc with setuid bit then you have other problems to worry about. Seriously.

Re:

[Schraegstrichpunkt]

What, so in the "Web 2.0" world, it would inconceivable that somebody would provide a web-accessible yacc service to the world?

Re:Time to patch

[setagllib]

Ah, but it would be written as a J2EE application. And the input wouldn't be .y, it'd be an XML document. And the output wouldn't be C, it'd be another XML, passing through a terabyte of XSLT. Then you pass this compiled parser XML, only a gigabyte in size, and your language file to a parser web service and it returns even more XML representing the parse tree.

Ahh, progress.

Re:Time to patch

[TapeCutter]

Great post, I'm still laughing as I type.

Speaking of old bugs the guy who sits next to me at work hooked a 15yo mainfame bug a few months back. His stock comment whenever someone mentions it is: "Three more years and that one would have been old enough to vote!"

Re:

[OttoM]

I think you missed the point. The bug is in the code generated by yacc, which can end up anywhere.

From back when

[Yold]

Unix beards were Unix stubble

bad omen

[spir0]

a 33 year old bug, plus a 25 year old bug (http://it.slashdot.org/article.pl?sid=08/05/11/1339228)....

if we keep going backwards, will the world implode? or will daemons start spewing out of cracks in time and space?

Re:bad omen

[je ne sais quoi]

Nah! What this means is that they are fixing bugs faster than they're making new ones. If they weren't, they'd spend all their time chasing the newest ones. :)

Re:

[CptChipJew]

That isn't necessarily true. It's just as possible people are wasting time fixing unimportant issues and ignoring more important ones.

I'm not trying to disparage the OpenBSD team or anything. It's just that no development team is perfect.

Re:bad omen

[Dunbal]

It's just as possible people are wasting time fixing unimportant issues and ignoring more important ones.

      We're talking programmers here, not politicians...

Re:

[incripshin]

Well, they're not checking yacc for bugs for the hell of it. They're reimplementing malloc to be more efficient, but it broke buggy code. Is there any other option than to fix yacc?

Re:bad omen

[Jurily]

Sure. Break malloc even worse to allow for backwards compatibility.

See "Windows 95".

Re:

[Nutria]

Is there any other option than to fix yacc?

Divorce is one way to "fix" constant yaccing.

Re:

[IcePic]

Then again, the bug came up while failing to compile xulrunner, so it wasnt hunting for stupid 30+ years old code noone uses, but running a compile of something from this side of the millenium that in the end pointed to this bug.

Re:

[p0tat03]

Or we're so painfully slow with fixing bugs that we JUST got around to 1975 :P There are always multiple views :P

Re:bad omen

[exley]

a 33 year old bug, plus a 25 year old bug (http://it.slashdot.org/article.pl?sid=08/05/11/1339228)....

if we keep going backwards, will the world implode?

Well since time began only 38.5 years ago we should find out the answer very soon!

Re:

[laejoh]

In exactly 3.5 years , but I'm afraid the answer will disappoint you.

Re:bad omen

[Dunbal]

or will daemons start spewing out of cracks in time and space?

      I finally figured out what the UAC were doing on the Mars colony... and it had nothing to do with those artifacts!

      Thank god there's a division of Space Marines there...

Re:

[Library Spoff]

They're using Vista on the Mars colony?

Shurely shome mistake

Re:

[Hatta]

You are trying to activate the BFG 9000.

Cancel or Allow?

You are trying to frag a cyberdemon.

Cancel or Allow?

Re:bad omen

[K. S. Kyosuke]

First it was a fourth of a century, then it was a third of a century. The only logical consequence is that the next bug they will find now will be a memory leak in McCarthy's Lisp intepreter from '59 or some strange corner case in the Fortran I compiler. (Oh, and after a careful consideration, I am leaving the *next* bug as an exercise to the reader.)

Re:

[cryptoluddite]

Well since bugs before the epoch [wikipedia.org] were actual insects, judging by past precedent they'll get super powers... like wall-climbing ability or maybe spidey senses ??

Re:

[mr_mischief]

This is just a guess with no etymological (or entomological) evidence to back it up, but I've always wondered if "bug" wasn't from "bugbear [wikipedia.org]" -- unseen mischievous forces which screw with how your stuff works.

This would be as in the Merriam-Webster definition [merriam-webster.com], particularly 2b: "a continuing source of irritation". Of course, 2a might sometimes fit: "an object or source of dread". Perhaps even definition 1 after along shift of maintenance work: "an imaginary goblin or specter used to excite fear".

Re:bad omen

[menace3society]

The next bug will be in Boolean logic. After that, OpenBSD devs will start fixing structural engineering errors the Tower of Pisa.

Re:

[skeeto]

or will daemons start spewing out of cracks in time and space?

Nope, they will just simply spew from our noses [catb.org].

Great!

[Anonymous Coward]

Any word on when they're going to fix the even older "Too many arguments" bug?

Sorry, but any modern system where a command like "ls a*" may or may not work, based exclusively on the number of files in the directory, is broken.

Re:Great!

[The Master Control P]

I too was devastated to learn that my poor Linux box can only handle 128KB of command line arguments [in-ulm.de]. How can I possibly finish typing in that uncompressed bitmap...

Re:

[Dunbal]

128k should be enough for anyone.

Re:

[Malevolyn]

Some of us require, maximum, 640k.

Re:

[Anonymous Coward]

So, as an example, let's say I want to archive a bunch of files, then remove them from my system, to save space. I packed them up, using:

tar cf archive.tar dir1 dir2 file1 file2 file3

and, because I'm extremely paranoid, I only want to delete files I'm sure are in the archive. How would I do that? Could I use:

rm `tar tf archive.tar`

How about:

tar tf archive.tar | xargs rm

I'm pretty sure neither of those will work in all cas

Re:

[The Master Control P]

Have a script loop over your directories, adding them to the archive before firing the Are-Em Star at them.

/The power to destroy an entire filesystem is insignificant next to the power of the Farce

Re:Great!

[menace3society]

Burn the contents of the tar archive onto a CD. Mount the CD over the original directory structure. Use find(1)'s -fstype option to locate all the files that aren't on the CD, copy them to an empty disk image, then eject the CD. Remount the disk image over the original directory, delete all the files in the directory, then unmount the disk image. The files identical in name to those that were on the disk image (which are those that weren't on the CD) won't be deleted thanks to the peculiarities of mount(2).

You're welcome.

Re:

[MBGMorden]

You forgot "Er.". All Linux advice must contain "Er." at the beginning of the first sentence in order to signify the fact that the poster should have already known how to do this rather than asking this question.

Re:Great!

[maztuhblastah]

So Saturdays at your house must be a real blast, huh?

Re:

[menace3society]

You're just jealous you couldn't think of something so simultaneously clever and over-involved.

Re:

[evilviper]

I only want to delete files I'm sure are in the archive. How would I do that?

tar tf archive.tar | while read FILENAME ; do
    rm "$FILENAME"
done

Re:

[jandrese]

Yeah, a great many shells scripts can be done in by simply putting spaces in your filenames. The builtin unix tools just handle spaces poorly.

Re:

[just_another_sean]

How about:

for f in `tar tf archive.tar`; do
      rm $f
done

Re:

[Burning1]

Psudo code, because my geekhood isn't threatened by petty things like the need for debugging and syntax checks:

tar tf archive.tar > /tmp/archive.txt
ls dir1 dir2 file1 file2 file3 > /tmp/tree.txt
diff /tmp/archive.txt /tmp/tree.txt > /tmp/delta.txt
rm /tmp/delta.txt

Re:

[Burning1]

It is threatened by the lack of < signs, however. That's supposed to read:
rm < /tmp/delta.txt

Re:Great!

[Dadoo]

While I'm sure you're trolling, I feel I should point out that, 1) I agree with you, and 2) this has apparently been fixed, on Linux:

        http://agnimidhun.blogspot.com/2007/08/vi-editor-causes-brain-damage-ha-ha-ha.html [blogspot.com]

Re:Great!

[Craig Davison]

If "ls a*" isn't working, it's because the shell is expanding a* into a command line >100kB in size. That's not the right way to do it.

Try "find -name 'a*'", or if you want ls -l style output, "find -name 'a*' -exec ls -l {} \;"

Re:Great!

[Just Some Guy]

if you want ls -l style output, "find -name 'a*' -exec ls -l {} \;"

Yeah, because nothing endears you with the greybeards like racing through the process table as fast as possible. Use something more sane like:

$ find -name 'a*' -print0 | xargs -0 ls -l

which only spawns a new process every few thousand entries or so.

Re:

[QuoteMstr]

On modern systems, find -name 'a*' -exec ls -l {} +

Personally, however, I prefer find -name a\* -exec ls -l {} +

Also, you probably want to add a -type f before the -exec, unless you also want to list directories.

Either that, or make the command ls -ld to not list the contents of directories.

The Problem is *why* it's the wrong way to do it

[billstewart]

You're correct that's it's not the right way to do it. The problem is *why* it's not the right way to do it. It's not the right way to do it because the arg mechanism chokes on it due to arbitrary limits, and/or because your favorite shell chokes on it first, forcing you to use workarounds. Choking on arbitrary limits is a bad behaviour, leading to buggy results and occasional security holes. That's separate from the question of whether it's more efficient to feed a list of names to xargs or use ugly syntax with find.

Now, if you were running v7 on a PDP-11, there wasn't really enough memory around to do everything without arbitrary limits, so documenting them and raising error conditions when they get exceeded is excusable, and if you were running on a VAX 11/780 which had per-process memory limits around 6MB for some early operating systems, or small-model Xenix or Venix on a 286, it's similarly excusable to have some well-documented arbitrary limits. But certainly this stuff should have been fixed by around 1990.

In Defense of Limits

[QuoteMstr]

Soft limits can actually mitigate bugs. If we limit processes by default to 1,024 file descriptors, and one of them hits the limit, that process probably has a bug, and would have brought the system to its knees had it continued to allocate file descriptors. Programs designed to use more descriptors could to increase the limit.

Sane limits

[Jeppe Salvesen]

While xargs is a great little workaround/workhorse, it is needed in far too many cases. Why on earth would it be so hard to increase the limits every once in a while? After all, the limit in question was probably perfectly acceptable back in the day when 20mb was a lot of space and 500 files was more files than you could imagine ever creating.

Re:

[James Youngman]

Yuck. Much more efficient: find . -name 'a*' -ls

Re:

[drinkypoo]

Instead of "ls a*"? Seriously? Hopefully, someone will mod you funny.

Unix has extremely low overhead spawning processes. If you prelink and have a little cache this is plenty fast :P

Seriously though, this is a serious annoyance in the way Unix does business. Shell globbing is very convenient for programmers, but not so convenient for users in an awful lot of situations.

Re:

[GuyverDH]

it was fixed years ago....

find . -name "a*" -prune -exec ls -ld {} \;

(note: this command line was generated by reading the man page for gnu find - may not work on all unix/linux variants)

Re:

[GuyverDH]

or an even shorter solution...

ls -c1 | grep "^a"

and if you wanted upper and lower-case a files,

ls -c1 | grep -i "^a"

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[GuyverDH]

uhm - no...
the ls entries listed above work perfectly well on Solaris, AIX, HP-UX and Linux.

ksh is the only shell I use, although I'm sure it would work with bash.

I primarily work on Solaris (SPARC/x86/x64) platforms - I won't go into any kind of flame wars over it, it's just what my company uses primarily.

(modern_system != infinite_memory)

[Zero__Kelvin]

"Sorry, but any modern system where a command like ls "a*" may or may not work, based exclusively on the number of files in the directory, is broken."

It is not broken. The fact that it complains "too many arguments" is evidence that it is not broken, since the program (ls) is doing bounds checks on the input. If it was broken, you wouldn't get the message; there would be a buffer overflow because the programmer didn't do constraints checking.

ERRATA

[Zero__Kelvin]

I'll catch myself before someone else does. Everything I said above is true, except that ls isn't complaining. The OS, specifically exec() and friends, is complaining because the command line length when the shell expands the wildcard exceeds ARG_MAX. Increase ARG_MAX if you want to allow more files, or use a variation of find with the -exec option or xargs, etc.

Re:

[Jeffrey Baker]

Actually, a patch was recently added to Linux to dynamically allocate the command line, so your argument length is now bounded only by available memory.

Re:Great!

[Jeffrey Baker]

It's both. The kernel is responsible for setting up the execution environment, and in the past it used a fixed 32 pages for the arguments. 32 pages on an ordinary PC is 128KiB, which is the old limit. The new limit is that any one argument can be up to 32 pages, and all the arguments taken together can be 0x7FFFFFFF bytes, which is ~2GiB.

Here's the diff: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b6a2fea39318e43fee84fa7b0b90d68bed92d2ba;hp=bdf4c48af20a3b0f01671799ace345e3d49576da [kernel.org]

After that, it was up to libc people to fix the globbing routines. Ulrich Drepper, taking some time off from his full-time job of being an asshole on mailing lists, managed to work this into glibc 2.8:

http://sourceware.org/ml/libc-alpha/2008-04/msg00050.html [sourceware.org]

Re:

[ak3ldama]

Seems to me that he is allowed to be an asshole occassionally as long as he can share this kind of information. [lwn.net]

Re:

[rakslice]

heh... FWIW on Windows people are stuck with only a few kB of command line and no shell wildcard expansion at all, and they don't seem to be crying in their beers (... it's the market leader last time I checked)

The (not-so-)secret is to not do things by passing big lists around using command line arguments. Back in unix land, you can do glob-filtered listings like the one you suggested with the find command. And even the basic commands like ls can take parameters via xargs instead of regular command line

Re:

[zentigger]

foreach file ( a* )
echo $file
end

maybe it's just me

[Anonymous Coward]

But this code just seems wrong. What is C code doing referencing the stack pointer directly?

Yeah, it's probably you.

[Estanislao Martínez]

I bet you they're not talking about the system stack pointer. Remember, yacc is a parser generator; parsing algorithms always use some sort of stack data structure. So, the "stack pointer" in question is just a plain old pointer, pointing into a stack that yacc's generated code uses.

Re:

[Skrapion]

Actually, the [] operator of an STL vector doesn't throw any exceptions, and will happily allow you to reference an index which is out of bounds.

That's not a bad thing, because it's more efficient when you already know that your index is in rage. But if you don't know that, you're better off using the at() function.

Re:

[setagllib]

Best of all, even if you use assert() (or similar) for really explicit bounds checking, GCC will omit it from code paths where it's deemed to be unused. So if your accesses are being inlined (and if they're not, take a long hard look at your life) then the already-safe paths won't have the check overhead even in a debug build.

Yes, I've tested it. Yes, it's impressive.

Re:

[tomhudson]

There's a bug in the explanation.

From the linky (emphasis mine):

yypv =- yyr2[n];
yyval=yypv[1];
access an item above the stack pointer. If yyr2[n] is zero, this is a potential access outside the stack. Note the archaic use of =-, we write -= these days.

"-=" is NOT the same as "=-".

Example:

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char* argv[], char* env[]) {
int a=10;
int b=10;

a =- 5;
b -= 5;printf("a=%d, b=%d\n", a, b);

return EXIT_SUCCESS;
}

returns a

Re:

[trb]

No, it's probably you. In days of old, C's =- operator was equivalent to its present-day -= operator, as is clearly shown in the example. For conclusive evidence, see Dennis Ritchie's article, The Development of the C Language. [bell-labs.com] See the section headed "More History." It discusses =+, which was a sibling of =- . Ritchie says it was fixed in 1976 (by allowing +=), but I remember compilers also accepting the deprecated =- until 1980 or so.

Re:Yeah, it's probably you.

[tomhudson]

From the link you cited:

By 1971, our miniature computer center was beginning to have users. We all wanted to create interesting software more easily. Using assembler was dreary enough that B, despite its performance problems, had been supplemented by a small library of useful service routines and was being used for more and more new programs. Among the more notable results of this period was Steve Johnson's first version of the yacc parser-generator [Johnson 79a].

The code for yacc was certainly not originally written in c - c didn't exist at that time.

In 1978 Brian Kernighan and I published The C Programming Language [Kernighan 78]. Although it did not describe some additions that soon became common, this book served as the language reference until a formal standard was adopted more than ten years later.

The "archaic behaviour" was never part of that standard - it was a mistake in early implementations while they were still "working out the details" of the language, well before K & R, as Ritchie says:

After the TMG version of B was working, Thompson rewrote B in itself (a bootstrapping step). During development, he continually struggled against memory limitations: each language addition inflated the compiler so it could barely fit, but each rewrite taking advantage of the feature reduced its size. For example, B introduced generalized assignment operators, using x=+y to add y to x. The notation came from Algol 68 [Wijngaarden 75] via McIlroy, who had incorporated it into his version of TMG. (In B and early C, the operator was spelled =+ instead of += ; this mistake, repaired in 1976, was induced by a seductively easy way of handling the first form in B's lexical analyzer.)

It wasn't an archaism in c - it was an archaism from b that was removed during the development of what became c. Small difference, and for all practical purposes, it gives the same result - previously-working code that wasn't reviewed as the language evolved towards a standard ended up with "implementation-dependent behaviour" - bugs ... The worst part is that the buggy code is syntactically correct, so no compiler warnings. Of course, if your conforming compiler doesn't give a warning, you assume that the code written with the experimental versions is still valid.

Re:

[OttoM]

You should de some background research on the history of C.

In the early 70's, a new language evolved from B. In these years, the new language was evolving quickly, but by 1973, it was mature enough to allow the Unix kernel to be rewritten in it. The makers called it C, from the same article:

By early 1973, the essentials of modern C were complete.

Who are you to say that it wasn't C?

And for certain, the yacc included in V6 was written in C, it generated C and it would soon be used to write C compilers.

Re:

[Zero__Kelvin]

"What is C code doing referencing the stack pointer directly?"

Because it is C, and C is designed to be able to do so? How do you think the Linux kernel gets implemented, though it also has Assembly to be sure. C was designed to allow implementation of Operating Systems. The capability to reference the Stack Pointer and do other assemblyie things via the asm keyword [gnu.org] is part of its charm ;-)

Was it really a bug back then?

[Just Some Guy]

Was this a bug when it was originally written, or is it only because of recent developments that it could become exploitable? For instance, the summary mentions stack size. I could imagine that a system written in 1975 would be physically incapable of the process limits we use today, so maybe the program wasn't written to check for them.

Does your software ensure that it doesn't use more than an exabyte of memory? If it doesn't, would you really call it a bug?

Re:Was it really a bug back then?

[QuantumG]

If you overflow a buffer then it's a bug, whether it is exploitable or not.

Re:Was it really a bug back then?

[russlar]

If you overflow a buffer then it's a bug, whether it is exploitable or not.

If you can overflow an exabyte-sized memory buffer, you deserve a fucking medal.

Re:

[JoshJ]

int *buffer; /*Pointer to exabyte-sized buffer*/

while(1){
  *buffer=1;
  buffer++;
}

/*Where's my medal?*/

Re:Was it really a bug back then?

[AJWM]

/*Where's my medal?*/

You'll get it when the buffer overflows. If you're running it on a system that processes a billion of those loops per second, that should be in a bit over 31 years. Scale accordingly for your processor and memory speed.

Re:

[phantomcircuit]

char *buffer; while(1) { buffer = buffer * buffer; buffer[buffer*buffer] = 0; } I can haz medal?

Re:

[Fzz]

/*Where's my medal?*/

Unless you're running on pretty rare 64-bit hardware, an int will still only be 32 bits. I can't remember what happens when you overflow 2^31 and try to de-reference a negative pointer (probably it just implicitly casts to unsigned), but you sure aren't going to overflow an exabyte buffer that way.

Re:

[JoshJ]

You're right, unsigned long would have been a better choice.

Re:

[Gazzonyx]

If you overflow a buffer then it's a bug, whether it is exploitable or not.

If you can overflow an exabyte-sized memory buffer, you deserve a fucking medal.

*insert emacs joke here*

Re:

[Just Some Guy]

If you overflow a buffer then it's a bug, whether it is exploitable or not.

It is today, but my questions is whether it was even overflowable (is that a word?) when it was written. For example, suppose it was written for a 512KB machine and had buffers that could theoretically hold 16MB, then it wasn't really a bug. The OS itself was protecting the process by its inability to manage that much data, and it wouldn't have been considered buggy to not test for provably impossible conditions.

I'm not saying that's what happened, and maybe it really was just a dumb oversight. However,

Re:

[QuantumG]

Failure to check for a buffer overflow is an error. It doesn't matter if someone else will do it for you and, as such, the error will never result in a problem for someone. It's simply wrong.

Re:

[jd]

It would have been a bug, but not necessarily one that would have security implications, though that could be system-dependent. The summary mentions a specific malloc was used to get a segfault. Another malloc library may well not have faulted. That would only matter if it was possible via the buffer overflow to get yacc to do something (such as run your code) with privileges other than those you would ordinarily have had.

Now, looking at it just as a bug, if the yacc script overflowed the buffer, yacc can

Other Unixes

[jasonmanley]

Forgive me if this is obvious but if the bug goes that far back will it not affect all other unixes that are based on this same source code - not just OpenBSD?

Re:Other Unixes

[X0563511]

Yes. But OpenBSD fixed it, so they get credit for the fix. It's up to the maintainers of the other unix(ish) versions to implement the fix.

Hilarious!

[BollocksToThis]

Funny thing is that I traced this back to Sixth Edition UNIX, released in 1975

My sides are completely split! Invite this guy to more parties.

Coincidence?

[the_arrow]

I just finished reading the "The A-Z of Programming Languages" series on Computerworld (found out about it in here [slashdot.org]), and now the next article in the series just came up and it's a chat with the creator of Yacc.
Coincidence?

And for those that want to read the interview, it can be found here [computerworld.com.au].

New tagline for OpenBSD

[kriston]

Only two or three remote holes in the default install not from 33 years ago, in more than 10 years but not less than 33 years!

Re:

[X0563511]

Sorry that message was me, didnt seem to want to keep me signed in :|

Re:

[setagllib]

Sorry that ^U I am Spartacus.

Re:

[MichaelSmith]

Lets have a BSD article for every bug in lex and yacc.

Re:You do realize..

[wb8wsf]

OpenBSD still uses GCC, version 3.3.5 on i386. I can't say which version is used on the other platforms.

You are talking of PCC, which is being worked on by some of the OpenBSD developers, but I think its a parallel project, see http://pcc.ludd.ltu.se/
for more information.

Jem Matzen talked of this too, see http://www.thejemreport.com/mambo/content/view/369/

Re:You do realize..

[incripshin]

gcc still is the default. pcc isn't ready yet, and I don't expect it to be for at least a couple years, and I say that with zero confidence (I'm just an OpenBSD user; I have no idea how the progress is going on pcc).

Re:You do realize..

[QuantumG]

yacc is not a compiler,

Excuse me?

Yet Another Compiler Compiler most definitely is a compiler.

Re:

[menace3society]

Mod parent -1 Horseshit.

yacc is a compiler, what do you think the two c's stand for?

Re:

[geminidomino]

Alternate and equivalent volume to 1 ml?