
AddressSanitizer: stack-overflow when creating String_Schema_Obj (parser.cpp:1808) #2658

Closed
hongxuchen opened this issue Jun 2, 2018 · 4 comments · Fixed by #2876

@hongxuchen

We found with our fuzzer some stack overflow errors when constructing String_Schema_Obj at Line 1808 in parser.cpp (45f5087) when compiled with Address Sanitizer (using sassc as the driver).

ASAN:SIGSEGV
=================================================================
==17368==ERROR: AddressSanitizer: stack-overflow on address 0x7fff100a5b48 (pc 0x7f979147d485 bp 0x7fff100a6390 sp 0x7fff100a5b30 T0)
    #0 0x7f979147d484 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99484)
    #1 0x7f9790f2e592 in Sass::Parser::parse_css_variable_value_token(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1808
    #2 0x7f9790f31fd8 in Sass::Parser::parse_css_variable_value(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1794
    #3 0x7f9790f2faf0 in Sass::Parser::parse_css_variable_value_token(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1835
    #4 0x7f9790f31fd8 in Sass::Parser::parse_css_variable_value(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1794
    #5 0x7f9790f2faf0 in Sass::Parser::parse_css_variable_value_token(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1835
    #6 0x7f9790f31fd8 in Sass::Parser::parse_css_variable_value(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1794
    #7 0x7f9790f2faf0 in Sass::Parser::parse_css_variable_value_token(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1835
    #8 0x7f9790f31fd8 in Sass::Parser::parse_css_variable_value(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1794
    #9 0x7f9790f2faf0 in Sass::Parser::parse_css_variable_value_token(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1835
    #10 0x7f9790f31fd8 in Sass::Parser::parse_css_variable_value(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1794
    #11 0x7f9790f2faf0 in Sass::Parser::parse_css_variable_value_token(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1835
    #12 0x7f9790f31fd8 in Sass::Parser::parse_css_variable_value(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1794
    #13 0x7f9790f2faf0 in Sass::Parser::parse_css_variable_value_token(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1835
    #14 0x7f9790f31fd8 in Sass::Parser::parse_css_variable_value(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1794
    #15 0x7f9790f2faf0 in Sass::Parser::parse_css_variable_value_token(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1835
    #16 0x7f9790f31fd8 in Sass::Parser::parse_css_variable_value(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1794
    #17 0x7f9790f2faf0 in Sass::Parser::parse_css_variable_value_token(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1835
    #18 0x7f9790f31fd8 in Sass::Parser::parse_css_variable_value(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1794
    #19 0x7f9790f2faf0 in Sass::Parser::parse_css_variable_value_token(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1835
...
    #248 0x7f9790f31fd8 in Sass::Parser::parse_css_variable_value(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1794
    #249 0x7f9790f2faf0 in Sass::Parser::parse_css_variable_value_token(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1835
    #250 0x7f9790f31fd8 in Sass::Parser::parse_css_variable_value(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1794
    #251 0x7f9790f2faf0 in Sass::Parser::parse_css_variable_value_token(bool) /home/hongxu/FUZZ/libsass-orig/src/parser.cpp:1835

SUMMARY: AddressSanitizer: stack-overflow ??:0 operator new(unsigned long)
==17368==ABORTING

sample inputs:
test_s101.txt
test_s203.txt
test_s205.txt
test_s402.txt

@hongxuchen

hongxuchen commented Jun 3, 2018

Other relevant input files (some of them emit different call stacks in different runs):
so_parser.cpp:1808_01.txt
so_parser.cpp:1792_01.txt
so_parser.cpp:1792_02.txt
so_parser.cpp:1846_01.txt

@hongxuchen hongxuchen changed the title Stack over flow errors when creating String_Schema_Obj AddressSanitizer: stack-overflow when creating String_Schema_Obj (parser.cpp:1808) Jun 3, 2018
@glebm

glebm commented Apr 10, 2019

Still broken on master

@glebm

glebm commented Apr 10, 2019

Minimal repro:

echo "a{--b:$(printf '[%.0s' {1..2800})" | sassc/bin/sassc
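The ASan trace above alternates between two parser functions, one frame pair per nesting level, so the stack depth is proportional to how many unclosed brackets the input contains; the repro just feeds 2800 of them. The following is an added illustration, not libsass code and not the change made in #2876: a toy recursive-descent parser for a custom-property value with nested groups that has the same recursive shape, run once without a limit and once with an assumed nesting cap (`kMaxDepth`, a value chosen for this example) so the deep input is rejected with an error instead of exhausting the stack.

```cpp
// Added illustration, not libsass code: a toy recursive-descent parser for a
// CSS custom-property value with nested [], () and {} groups. parse_value()
// and parse_token() call each other once per nesting level, the same shape as
// the alternating parse_css_variable_value / parse_css_variable_value_token
// frames in the ASan trace, so nesting depth maps directly onto stack depth.
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>

// Assumed cap on nesting; a real parser picks a value its grammar can justify.
constexpr std::size_t kMaxDepth = 256;

struct ParseError : std::runtime_error {
  using std::runtime_error::runtime_error;
};

// Returns the matching closer for an opening bracket, or '\0' if c is not one.
static char closer_for(char c) {
  switch (c) {
    case '[': return ']';
    case '(': return ')';
    case '{': return '}';
    default:  return '\0';
  }
}

struct ValueParser {
  const std::string& src;
  std::size_t pos = 0;
  std::size_t depth = 0;      // current nesting level
  std::size_t max_depth = 0;  // deepest level reached
  bool bounded;               // enforce kMaxDepth or not

  ValueParser(const std::string& s, bool b) : src(s), bounded(b) {}

  // Consume tokens until `end` is seen (or input ends when end == '\0').
  void parse_value(char end) {
    while (pos < src.size() && src[pos] != end) parse_token();
  }

  // One token: an opening bracket recurses into parse_value for its body.
  void parse_token() {
    const char close = closer_for(src[pos]);
    if (close == '\0') { ++pos; return; }  // plain character, no recursion
    if (bounded && depth >= kMaxDepth) throw ParseError("nesting too deep");
    ++depth;
    if (depth > max_depth) max_depth = depth;
    ++pos;                                 // past the opener
    parse_value(close);                    // recursion: one frame pair per level
    if (pos >= src.size()) throw ParseError("unclosed group");
    ++pos;                                 // past the closer
    --depth;
  }
};

// Parse `value` and return the deepest nesting level seen; throws ParseError
// on malformed input or, when bounded, on input deeper than kMaxDepth.
std::size_t nesting_depth(const std::string& value, bool bounded) {
  ValueParser p(value, bounded);
  p.parse_value('\0');
  return p.max_depth;
}

// True if the depth-limited parser accepts the input, false if it rejects it.
bool accepted_when_bounded(const std::string& value) {
  try {
    nesting_depth(value, true);
    return true;
  } catch (const ParseError&) {
    return false;
  }
}

int main() {
  // Constructed inputs: a normal value and a deeply nested one in the spirit
  // of the printf repro (balanced here so the unbounded parse terminates).
  const std::string normal = "[x(y)] z";
  const std::string deep = std::string(2800, '[') + std::string(2800, ']');

  std::cout << "normal depth: " << nesting_depth(normal, false) << "\n";
  std::cout << "deep, unbounded: depth " << nesting_depth(deep, false)
            << " (one stack frame pair per level)\n";
  std::cout << "deep, bounded: "
            << (accepted_when_bounded(deep) ? "accepted" : "rejected") << "\n";
  return 0;
}
```

With a few thousand levels the unbounded parse still fits in a default stack, which is why the depth here is returned rather than crashing; the point is that the cost grows with untrusted input and only a limit (or an explicit stack instead of recursion) makes it bounded. Building with `-fsanitize=address` and raising the nesting count is the same check the reporter's fuzzer performed.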

@mgreter mgreter added the Fuzzy label Apr 12, 2019
glebm added a commit to glebm/libsass that referenced this issue Apr 14, 2019
glebm added a commit to glebm/libsass that referenced this issue Apr 14, 2019
glebm added a commit to glebm/libsass that referenced this issue Apr 14, 2019
glebm added a commit that referenced this issue Apr 15, 2019
@xi

xi commented Jun 5, 2019

Assigned CVE-2018-20821
