AddressSanitizer: heap-use-after-free in libsass

[glen-mac]

Hey there, I have discovered a use after free vulnerability in libsass.

Found when fuzzing commit 60f8391 of libsass, using commit aa6d5c6 of sassc as a harness.

After testing all releases, it is evident this was introduced in release 3.4.7 of libsass.

Compile flags to reproduce:
CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make -C sassc -j8

You can find the case file here.

ASAN report is as follows:

==31334==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000005050 at pc 0x0000005acd0e bp 0x7ffccd9a6550 sp 0x7ffccd9a6548
READ of size 1 at 0x604000005050 thread T0
    #0 0x5acd0d in Sass::handle_error(Sass_Context*) /home/ubuntu/fuzz_proj/libsass/src/sass_context.cpp:79:28
    #1 0x5a0d42 in Sass::handle_errors(Sass_Context*) /home/ubuntu/fuzz_proj/libsass/src/sass_context.cpp:211:18
    #2 0x5a0d42 in Sass::sass_parse_block(Sass_Compiler*) /home/ubuntu/fuzz_proj/libsass/src/sass_context.cpp:257
    #3 0x5a0d42 in sass_compiler_parse /home/ubuntu/fuzz_proj/libsass/src/sass_context.cpp:487
    #4 0x59e9a1 in sass_compile_context(Sass_Context*, Sass::Context*) /home/ubuntu/fuzz_proj/libsass/src/sass_context.cpp:375:7
    #5 0x59e5a7 in sass_compile_data_context /home/ubuntu/fuzz_proj/libsass/src/sass_context.cpp:460:12
    #6 0x58d1e7 in compile_stdin /home/ubuntu/fuzz_proj/sassc/sassc.c:138:5
    #7 0x58e369 in main /home/ubuntu/fuzz_proj/sassc/sassc.c:375:18
    #8 0x7ff874ba782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #9 0x49aed8 in _start (/home/vagrant/shared/sassc+0x49aed8)

0x604000005050 is located 0 bytes inside of 34-byte region [0x604000005050,0x604000005072)
freed by thread T0 here:
    #0 0x5533a0 in __interceptor_cfree.localalias.0 (/home/vagrant/shared/sassc+0x5533a0)
    #1 0x6af62a in __gnu_cxx::new_allocator<char>::deallocate(char*, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/ext/new_allocator.h:110:9
    #2 0x6af62a in std::allocator_traits<std::allocator<char> >::deallocate(std::allocator<char>&, char*, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/alloc_traits.h:517
    #3 0x6af62a in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_destroy(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:185
    #4 0x6af62a in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_dispose() /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:180
    #5 0x6af62a in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string() /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:543
    #6 0x6af62a in Sass::Functions::selector_nest(Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Context&, char const*, Sass::ParserState, Sass::Backtrace*, std::vector<Sass::SharedImpl<Sass::Selector_List>, std::allocator<Sass::SharedImpl<Sass::Selector_List> > >) /home/ubuntu/fuzz_proj/libsass/src/functions.cpp:1982
    #7 0x8fa3e9 in Sass::Eval::operator()(Sass::Function_Call*) /home/ubuntu/fuzz_proj/libsass/src/eval.cpp:1030:18
    #8 0x8d1cb1 in Sass::Eval::operator()(Sass::Binary_Expression*) /home/ubuntu/fuzz_proj/libsass/src/eval.cpp:727:16
    #9 0x8cbe87 in Sass::Eval::operator()(Sass::List*) /home/ubuntu/fuzz_proj/libsass/src/eval.cpp:503:27
    #10 0x8c7df4 in Sass::Eval::operator()(Sass::Debug*) /home/ubuntu/fuzz_proj/libsass/src/eval.cpp:425:42
    #11 0x9416a9 in Sass::Expand::operator()(Sass::Debug*) /home/ubuntu/fuzz_proj/libsass/src/expand.cpp:388:8
    #12 0x92fc6d in Sass::Expand::operator()(Sass::Block*) /home/ubuntu/fuzz_proj/libsass/src/expand.cpp:81:11
    #13 0x600444 in Sass::Context::compile() /home/ubuntu/fuzz_proj/libsass/src/context.cpp:659:12
    #14 0x5fe9a1 in Sass::Data_Context::parse() /home/ubuntu/fuzz_proj/libsass/src/context.cpp:630:12
    #15 0x59fc78 in Sass::sass_parse_block(Sass_Compiler*) /home/ubuntu/fuzz_proj/libsass/src/sass_context.cpp:238:31
    #16 0x59fc78 in sass_compiler_parse /home/ubuntu/fuzz_proj/libsass/src/sass_context.cpp:487
    #17 0x59e9a1 in sass_compile_context(Sass_Context*, Sass::Context*) /home/ubuntu/fuzz_proj/libsass/src/sass_context.cpp:375:7
    #18 0x58e369 in main /home/ubuntu/fuzz_proj/sassc/sassc.c:375:18
    #19 0x7ff874ba782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x553558 in __interceptor_malloc (/home/vagrant/shared/sassc+0x553558)
    #1 0x7ff875619e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)
    #2 0xbc6723 in Sass::AST_Node::to_string[abi:cxx11](Sass_Inspect_Options) const /home/ubuntu/fuzz_proj/libsass/src/ast.cpp:2067:14
    #3 0x6ad914 in Sass::Functions::selector_nest(Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Context&, char const*, Sass::ParserState, Sass::Backtrace*, std::vector<Sass::SharedImpl<Sass::Selector_List>, std::allocator<Sass::SharedImpl<Sass::Selector_List> > >) /home/ubuntu/fuzz_proj/libsass/src/functions.cpp:1979:36
    #4 0x8fa3e9 in Sass::Eval::operator()(Sass::Function_Call*) /home/ubuntu/fuzz_proj/libsass/src/eval.cpp:1030:18
    #5 0x8d1cb1 in Sass::Eval::operator()(Sass::Binary_Expression*) /home/ubuntu/fuzz_proj/libsass/src/eval.cpp:727:16
    #6 0x8cbe87 in Sass::Eval::operator()(Sass::List*) /home/ubuntu/fuzz_proj/libsass/src/eval.cpp:503:27
    #7 0x8c7df4 in Sass::Eval::operator()(Sass::Debug*) /home/ubuntu/fuzz_proj/libsass/src/eval.cpp:425:42
    #8 0x9416a9 in Sass::Expand::operator()(Sass::Debug*) /home/ubuntu/fuzz_proj/libsass/src/expand.cpp:388:8
    #9 0x92fc6d in Sass::Expand::operator()(Sass::Block*) /home/ubuntu/fuzz_proj/libsass/src/expand.cpp:81:11
    #10 0x600444 in Sass::Context::compile() /home/ubuntu/fuzz_proj/libsass/src/context.cpp:659:12
    #11 0x5fe9a1 in Sass::Data_Context::parse() /home/ubuntu/fuzz_proj/libsass/src/context.cpp:630:12
    #12 0x59fc78 in Sass::sass_parse_block(Sass_Compiler*) /home/ubuntu/fuzz_proj/libsass/src/sass_context.cpp:238:31
    #13 0x59fc78 in sass_compiler_parse /home/ubuntu/fuzz_proj/libsass/src/sass_context.cpp:487
    #14 0x59e9a1 in sass_compile_context(Sass_Context*, Sass::Context*) /home/ubuntu/fuzz_proj/libsass/src/sass_context.cpp:375:7
    #15 0x58e369 in main /home/ubuntu/fuzz_proj/sassc/sassc.c:375:18
    #16 0x7ff874ba782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /home/ubuntu/fuzz_proj/libsass/src/sass_context.cpp:79:28 in Sass::handle_error(Sass_Context*)
Shadow bytes around the buggy address:
  0x0c087fff89b0: fa fa 00 00 00 00 02 fa fa fa fd fd fd fd fd fd
  0x0c087fff89c0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff89d0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff89e0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
  0x0c087fff89f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
=>0x0c087fff8a00: fa fa fd fd fd fd fd fa fa fa[fd]fd fd fd fd fa
  0x0c087fff8a10: fa fa 00 00 00 00 00 01 fa fa fd fd fd fd fd fd
  0x0c087fff8a20: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8a30: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8a40: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31334==ABORTING

[carnil]

This issue was assigned CVE-2018-11499

[xzyfer]

Thanks for the report. I'm on vacation. I'll take a look when I'm back.

…

On Sun., 27 May 2018, 10:46 am carnil, ***@***.***> wrote: This issue was assigned CVE-2018-11499 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#2643 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAjZWMaSnz6qhhUgzw76FHVKJ5-4l1FTks5t2mfmgaJpZM4TurzO> .

[xzyfer]

Thanks for the report.
We confirmed this issue shares a common root cause to other reported issues.
We have assigned the selector-validation to the affected issues.

[VictorRodriguez]

@xzyfer thanks a lot for the great support, do you have the patch of the common root cause issue?

[VictorRodriguez]

Hi, I was trying to fix the issue and find out that the heap-use-after-free points to the line:
https://github.com/sass/libsass/blob/master/src/sass_context.cpp#L79
is that correct? if so where is the free before assigning const char* line_end = line_beg ?