AddressSanitizer: heap-buffer-overflow (OOB read) in Sass::handle_error (libsass/src/sass_context.cpp:85:28) #2662

Closed
glen-mac opened this issue Jun 3, 2018 · 2 comments

glen-mac commented Jun 3, 2018

Hey there, I have discovered a single-byte out-of-bounds (OOB) read in libsass at: sass_context.cpp:85:28

Found when fuzzing commit 60f8391 of libsass, using commit aa6d5c6 of sassc as a harness.

Compile flags to reproduce:

CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make -C sassc -j8

System information:

$ uname -a
Linux s127422 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

This bug was found to be in libsass releases from 3.4.9 until the commit listed above.

You can find a collection of PoC files that trigger the bug here.

The full ASAN report is shown below:

↳ sassc/bin/sassc < crash.file
/home/glenn/temp/fuzz_proj/afl/out/SESSION003/crashes/id:000039,sig:06,src:002724,op:havoc,rep:64
=================================================================
==14475==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000ee1c at pc 0x00000052450e bp 0x7fff9c2c1b50 sp 0x7fff9c2c1b48
READ of size 1 at 0x60600000ee1c thread T0
    #0 0x52450d in Sass::handle_error(Sass_Context*) /home/glenn/temp/libsass/src/sass_context.cpp:85:28
    #1 0x52069d in Sass::handle_errors(Sass_Context*) /home/glenn/temp/libsass/src/sass_context.cpp:211:18
    #2 0x52069d in Sass::sass_parse_block(Sass_Compiler*) /home/glenn/temp/libsass/src/sass_context.cpp:257
    #3 0x52069d in sass_compiler_parse /home/glenn/temp/libsass/src/sass_context.cpp:487
    #4 0x51f6d9 in sass_compile_context(Sass_Context*, Sass::Context*) /home/glenn/temp/libsass/src/sass_context.cpp:375:7
    #5 0x51707d in compile_stdin /home/glenn/temp/findsass/sassc/sassc.c:138:5
    #6 0x517a8e in main /home/glenn/temp/findsass/sassc/sassc.c:375:18
    #7 0x7f862af4c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x4456d8 in _start (/home/glenn/temp/findsass/sassc/bin/sassc+0x4456d8)

0x60600000ee1c is located 0 bytes to the right of 60-byte region [0x60600000ede0,0x60600000ee1c)
allocated by thread T0 here:
    #0 0x4e5b88 in realloc (/home/glenn/temp/findsass/sassc/bin/sassc+0x4e5b88)
    #1 0x516fdb in compile_stdin /home/glenn/temp/findsass/sassc/sassc.c:112:25
    #2 0x517a8e in main /home/glenn/temp/findsass/sassc/sassc.c:375:18
    #3 0x7f862af4c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/glenn/temp/libsass/src/sass_context.cpp:85:28 in Sass::handle_error(Sass_Context*)
Shadow bytes around the buggy address:
  0x0c0c7fff9d70: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff9d80: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fff9d90: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff9da0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff9db0: 00 00 00 00 00 00 03 fa fa fa fa fa 00 00 00 00
=>0x0c0c7fff9dc0: 00 00 00[04]fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff9dd0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff9de0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c7fff9df0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14475==ABORTING
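The report above can be triaged mechanically. The following script is an added example, not part of this issue or of libsass: it pulls the access type, the distance of the faulting address from the allocated region, the faulting frame and the first non-allocator frame of the allocation stack out of an ASan heap-buffer-overflow report (the sample input is the head of the report quoted above, embedded as a constructed string) and labels the off-by-one read pattern this issue shows.

```python
import re

# Constructed sample: the opening lines of the AddressSanitizer report quoted in the issue above.
SAMPLE_REPORT = """\
==14475==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000ee1c at pc 0x00000052450e bp 0x7fff9c2c1b50 sp 0x7fff9c2c1b48
READ of size 1 at 0x60600000ee1c thread T0
    #0 0x52450d in Sass::handle_error(Sass_Context*) /home/glenn/temp/libsass/src/sass_context.cpp:85:28
    #1 0x52069d in Sass::handle_errors(Sass_Context*) /home/glenn/temp/libsass/src/sass_context.cpp:211:18
    #4 0x51f6d9 in sass_compile_context(Sass_Context*, Sass::Context*) /home/glenn/temp/libsass/src/sass_context.cpp:375:7

0x60600000ee1c is located 0 bytes to the right of 60-byte region [0x60600000ede0,0x60600000ee1c)
allocated by thread T0 here:
    #0 0x4e5b88 in realloc (/home/glenn/temp/findsass/sassc/bin/sassc+0x4e5b88)
    #1 0x516fdb in compile_stdin /home/glenn/temp/findsass/sassc/sassc.c:112:25
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+", re.M)
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of (?P<len>\d+)-byte "
                       r"region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$", re.M)
ALLOCATORS = {"malloc", "realloc", "calloc", "operator new", "operator new[]"}

def parse_asan_report(text):
    """Extract the fields a triager needs from an ASan heap-buffer-overflow report."""
    header, access, region = HEADER_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (header and access and region):
        raise ValueError("not a recognised AddressSanitizer heap-buffer-overflow report")
    # Frames before "allocated by" belong to the faulting stack, frames after it to the allocation stack.
    fault_part, _, alloc_part = text.partition("allocated by thread")
    fault_stack = [(m["func"], m["loc"]) for m in FRAME_RE.finditer(fault_part)]
    alloc_stack = [(m["func"], m["loc"]) for m in FRAME_RE.finditer(alloc_part)]
    lo, hi, dist = int(region["lo"], 16), int(region["hi"], 16), int(region["dist"])
    return {
        "kind": header["kind"],
        "op": access["op"],
        "size": int(access["size"]),
        "region_len": int(region["len"]),
        # Sanity check: the faulting address must sit exactly dist bytes outside [lo, hi).
        "addr_consistent": int(header["addr"], 16) == (hi + dist if region["side"] == "right" else lo - dist),
        # Signed distance from the end of the region: 0 means the first byte past the buffer.
        "offset_past_end": dist if region["side"] == "right" else -(int(region["len"]) + dist),
        "fault_frame": fault_stack[0] if fault_stack else None,
        # Skip the allocator interceptor frame (realloc itself) to reach the code that sized the buffer.
        "alloc_site": next((f for f in alloc_stack if f[0] not in ALLOCATORS), None),
    }

def classify(info):
    if info["kind"] == "heap-buffer-overflow" and info["op"] == "READ" and info["size"] == 1 and info["offset_past_end"] == 0:
        return "off-by-one heap read: first byte past the end of the buffer"
    return f"{info['kind']}: {info['size']}-byte {info['op']} at {info['offset_past_end']} from region end"
```

Feeding the full report from the issue through `parse_asan_report` gives the same result; the allocation site it reports (compile_stdin in sassc.c:112) is where the 60-byte stdin buffer was sized, which is the second place to look after the faulting frame.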
xzyfer added a commit to xzyfer/libsass that referenced this issue Jun 21, 2018
xzyfer commented Jun 21, 2018

Thanks @glen-mac .
I've confirmed the issue with test_s102.txt.
A fix has been provided in #2677.

glebm commented Nov 23, 2018

This was fixed in #2755, specifically 8f40dc0

Tested all cases on master

@glebm glebm added the Fuzzy label Apr 15, 2019