Denial of Service in mcfriend99/bird

Valid

Reported on May 29th 2021

✍️ Description

The Bird interpreter leaks memory: buffers allocated during the compilation/interpretation process are never freed.

🕵️‍♂️ Proof of Concept

Compile the interpreter with ASAN enabled. Run the interpreter, execute print(123) and then exit(). You will notice a LeakSanitizer report stating that multiple leaks have already occurred: a total of 31 bytes were leaked from a single invocation of print. Output:

Direct leak of 11 byte(s) in 1 object(s) allocated from:
    #0 0x7f08b2229bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x7f08b1f1600c in xmalloc (/lib/x86_64-linux-gnu/libreadline.so.8+0x3c00c)

Direct leak of 11 byte(s) in 1 object(s) allocated from:
    #0 0x7f08b2229bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55a62361ea8a in append_strings src/core/util.c:129
    #2 0x55a623630bec in repl src/core/bird.c:135
    #3 0x55a623630f8d in main src/core/bird.c:178
    #4 0x7f08b1f510b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f08b2229bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55a6235fc3d4 in init_value_arr src/core/value.c:14
    #2 0x55a623634973 in init_blob src/core/blob.c:12
    #3 0x55a623630436 in interpret src/core/vm.c:1962
    #4 0x55a623630c59 in repl src/core/bird.c:142
    #5 0x55a623630f8d in main src/core/bird.c:178
    #6 0x7f08b1f510b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

Direct leak of 1 byte(s) in 1 object(s) allocated from:
    #0 0x7f08b2229dc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
    #1 0x55a623630670 in repl src/core/bird.c:47
    #2 0x55a623630f8d in main src/core/bird.c:178
    #3 0x7f08b1f510b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: 31 byte(s) leaked in 4 allocation(s).
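
The trace above points at buffers handed out by append_strings in the REPL loop and never released. The following is an added example, not code from the Bird project: it pairs a hypothetical append_strings (signature and behaviour assumed from the trace, not taken from src/core/util.c) with a toy allocation tracker that plays the role of LeakSanitizer, and contrasts a REPL loop that overwrites its pointer each line with one that frees the previous buffer first. The two input lines are constructed, so the byte counts it reports are for this example and differ from the 31 bytes in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy allocation tracker: a stand-in for LeakSanitizer's accounting.
 * Every tracked_malloc() is recorded; tracked_free() removes the entry,
 * so outstanding_bytes() is what a leak checker would report at exit.
 * (Added example; the real tracker lives inside libasan, not in Bird.) */
#define MAX_LIVE 64

typedef struct { void *ptr; size_t size; } live_alloc;
static live_alloc live[MAX_LIVE];
static int live_count = 0;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL && live_count < MAX_LIVE) {
        live[live_count].ptr = p;
        live[live_count].size = n;
        live_count++;
    }
    return p;
}

static void tracked_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < live_count; i++) {
        if (live[i].ptr == p) {
            live[i] = live[--live_count];   /* swap-remove; self-assign is fine */
            break;
        }
    }
    free(p);
}

/* Bytes still allocated right now. */
size_t outstanding_bytes(void) {
    size_t total = 0;
    for (int i = 0; i < live_count; i++) total += live[i].size;
    return total;
}

/* Frees everything still live, so demonstrating the leaky pattern below
 * does not itself trip a real leak detector when the process exits. */
void release_all(void) {
    while (live_count > 0) tracked_free(live[live_count - 1].ptr);
}

/* Hypothetical append_strings: returns a freshly allocated a+b.
 * The caller owns the result and must free it (assumed contract). */
char *append_strings(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    char *out = tracked_malloc(la + lb + 1);
    if (out == NULL) return NULL;
    memcpy(out, a, la);
    memcpy(out + la, b, lb + 1);   /* lb + 1 copies the terminating NUL */
    return out;
}

/* Leaky REPL pattern: each line replaces `source`, and the buffer it
 * previously pointed at becomes unreachable without ever being freed.
 * Returns the bytes a leak checker would report. */
size_t repl_leaky(const char *const *lines, int n) {
    char *source = append_strings("", "");
    for (int i = 0; i < n; i++) {
        source = append_strings(source, lines[i]);   /* old buffer lost here */
    }
    tracked_free(source);   /* only the final buffer is ever released */
    return outstanding_bytes();
}

/* Fixed pattern: build the grown buffer first, then free the old one. */
size_t repl_fixed(const char *const *lines, int n) {
    char *source = append_strings("", "");
    for (int i = 0; i < n; i++) {
        char *grown = append_strings(source, lines[i]);
        tracked_free(source);
        source = grown;
    }
    tracked_free(source);
    return outstanding_bytes();
}

/* Constructed sample input: two lines a user might type at the REPL. */
static const char *const sample_lines[] = { "print(123)\n", "exit()\n" };
static const int sample_count = 2;

int main(void) {
    printf("leaky REPL: %zu byte(s) still allocated\n",
           repl_leaky(sample_lines, sample_count));
    release_all();
    printf("fixed REPL: %zu byte(s) still allocated\n",
           repl_fixed(sample_lines, sample_count));
    return 0;
}
```

With the two constructed lines, the leaky loop leaves the 1-byte empty buffer and the 12-byte "print(123)\n" buffer unreachable (13 bytes), while the fixed loop leaves nothing. The same ownership rule applies to the other allocation sites in the trace: whoever receives a malloc'd buffer must either free it or hand it to something that will.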

💥 Impact

Memory that is allocated but never freed accumulates over the lifetime of an interpreter run and, across runs, on the system as a whole. With larger programs this may lead to resource exhaustion and Denial of Service.

Jamie Slome
6 months ago

Admin


I have contacted the maintainer via a GitHub Issue. We will await their response.

Ore Richard Muyiwa confirmed that a fix has been merged on bac3f3 6 months ago
Ore Richard Muyiwa has been awarded the fix bounty