From nobody@FreeBSD.org  Sun Jul 13 20:17:58 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7A7D11065671
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 13 Jul 2008 20:17:58 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 6323C8FC18
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 13 Jul 2008 20:17:58 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m6DKHwWo069902
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 13 Jul 2008 20:17:58 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m6DKHvTB069901;
	Sun, 13 Jul 2008 20:17:58 GMT
	(envelope-from nobody)
Message-Id: <200807132017.m6DKHvTB069901@www.freebsd.org>
Date: Sun, 13 Jul 2008 20:17:58 GMT
From: Bruce Cran <bruce@cran.org.uk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: yacc(1) - out of bounds stack access bug
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         125585
>Category:       bin
>Synopsis:       [patch] yacc(1) - out of bounds stack access bug
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kevlo
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 13 20:20:02 UTC 2008
>Closed-Date:    Thu Jul 24 01:17:40 UTC 2008
>Last-Modified:  Thu Jul 24 01:17:40 UTC 2008
>Originator:     Bruce Cran
>Release:        8.0-CURRENT
>Organization:
>Environment:
FreeBSD mac.draftnet 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Fri Jun 13 04:16:23 BST 2008     brucec@mac.draftnet:/usr/obj/usr/src/sys/GENERIC  powerpc
>Description:
Otto Moerbeek found a bug in OpenBSD's yacc(1) (http://undeadly.org/cgi?action=article&sid=20080708155228) which looks like it might be present in FreeBSD's version too.  From the cvs log:

Modified files:
	usr.bin/yacc   : skeleton.c 

Log message:
Fix a venerable bug: if we're reducing a rule that has an empty
right hand side and the yacc stackpointer is pointing at the very
end of the allocated stack, we end up accessing the stack out of
bounds by the implicit $$ = $1 action.  Detected by my new malloc,
experienced by sturm@ on sparc64; ok deraadt@

The diff in OpenBSD can be seen at http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/yacc/skeleton.c.diff?r1=1.28&r2=1.29
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: maxim 
State-Changed-When: Fri Jul 18 19:42:28 UTC 2008 
State-Changed-Why:  
Fixed in HEAD. 


Responsible-Changed-From-To: freebsd-bugs->kevlo 
Responsible-Changed-By: maxim 
Responsible-Changed-When: Fri Jul 18 19:42:28 UTC 2008 
Responsible-Changed-Why:  
Kevin, please consider an MFC of the fix. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=125585 
State-Changed-From-To: patched->closed
State-Changed-By: kevlo 
State-Changed-When: Thu Jul 24 01:15:39 UTC 2008 
State-Changed-Why:  
MFC'd the fix in RELENG_6 and RELENG_7 

http://www.freebsd.org/cgi/query-pr.cgi?pr=125585 
>Unformatted:
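An added illustration of the out-of-bounds read the log message describes. This is constructed example code, not code from the PR, from FreeBSD's yacc(1) or from OpenBSD's skeleton.c: the names yyvs, yyvsp, yym and yyval follow the byacc skeleton convention, YYSTACKSIZE and the stack contents are made up so the full-stack case is easy to reach, and the zeroing in reduce_fixed is the shape the fix is assumed to take here rather than a copy of the linked diff. The skeleton's default action "$$ = $1" is the expression yyval = yyvsp[1-yym]; with yym == 0 (empty right-hand side) that is yyvsp[1], one slot above the top of stack, which only leaves the allocation when yyvsp already sits at its last slot.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the byacc skeleton's semantic value stack. The
 * names yyvs, yyvsp, yym and yyval follow the skeleton's convention; the
 * stack size and the stack contents are made up for the demonstration.
 * In the real skeleton yyvs is heap-allocated and grown on demand, so a
 * read one past the end lands in whatever follows the allocation.
 */
typedef int YYSTYPE;

#define YYSTACKSIZE 4              /* tiny, so the top-of-stack case is easy to reach */

static YYSTYPE yyvs[YYSTACKSIZE];  /* value stack */

/* Fill the stack with recognisable values and return the index of the top. */
static int push_values(int count)
{
    int i;
    for (i = 0; i < count && i < YYSTACKSIZE; i++)
        yyvs[i] = 100 + i;
    return i - 1;                  /* index of the last pushed value (where yyvsp points) */
}

/*
 * Index that the skeleton's default action "$$ = $1", written there as
 * yyval = yyvsp[1-yym], reads for a rule with yym right-hand-side symbols
 * when yyvsp points at yyvs[top]. For yym == 0 this is top + 1: one slot
 * above the top of stack, which is out of bounds when the stack is full.
 */
static int default_action_index(int top, int yym)
{
    return top + 1 - yym;
}

static int in_bounds(int idx)
{
    return idx >= 0 && idx < YYSTACKSIZE;
}

/*
 * Reduction as the unfixed skeleton does it: $$ = $1 unconditionally.
 * Returns 0 and stores the value on success, or 1 if the read would go
 * past the end of yyvs (the real skeleton has no such check; the read
 * simply happens).
 */
static int reduce_unfixed(int top, int yym, YYSTYPE *yyval)
{
    int idx = default_action_index(top, yym);
    if (!in_bounds(idx))
        return 1;
    *yyval = yyvs[idx];
    return 0;
}

/*
 * Reduction with the fix: a rule with an empty right-hand side has no $1,
 * so yyval is zeroed instead of being copied from yyvsp[1]. This is the
 * shape the fix is assumed to take here; see the OpenBSD diff linked in
 * the PR for the actual change.
 */
static int reduce_fixed(int top, int yym, YYSTYPE *yyval)
{
    int idx;
    if (yym == 0) {
        memset(yyval, 0, sizeof *yyval);
        return 0;
    }
    idx = default_action_index(top, yym);
    if (!in_bounds(idx))
        return 1;
    *yyval = yyvs[idx];
    return 0;
}

int main(void)
{
    YYSTYPE yyval = -1;
    int top = push_values(YYSTACKSIZE);     /* stack completely full */
    int yym;

    for (yym = 0; yym <= 2; yym++) {
        int oob = reduce_unfixed(top, yym, &yyval);
        printf("unfixed: yym=%d reads yyvs[%d]: %s\n", yym,
               default_action_index(top, yym),
               oob ? "OUT OF BOUNDS" : "ok");
    }
    reduce_fixed(top, 0, &yyval);
    printf("fixed:   yym=0 gives $$ = %d without touching the stack\n", yyval);
    return 0;
}
```

To check whether a given yacc(1) is affected, look at the reduction code in its skeleton for an unconditional yyval = yyvsp[1-yym]; with no yym == 0 case in front of it. In a real parser the bad access is a single YYSTYPE-sized load one past the end of the heap block, so with a permissive allocator nothing crashes and the garbage simply becomes the default $$ of the empty rule; an allocator that butts allocations against a guard page (the "new malloc" the log message refers to) or a build of the generated parser with -fsanitize=address is what turns it into a visible fault.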
