
AddressSanitizer: stack-overflow in Eval::operator() (eval.cpp:563) #2659

Closed
hongxuchen opened this issue Jun 2, 2018 · 2 comments

Comments

@hongxuchen

We found with our fuzzer some stack overflow errors in Sass::Eval::operator() (eval.cpp, 45f5087) when compiled with AddressSanitizer (using sassc as the driver).

ASAN:SIGSEGV
=================================================================
==17362==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe362605b0 (pc 0x7f7c51f2f7fe bp 0x7ffe36261810 sp 0x7ffe36260510 T0)
    #0 0x7f7c51f2f7fd in Sass::Eval::operator()(Sass::Binary_Expression*) /home/hongxu/FUZZ/libsass-orig/src/eval.cpp:563
    #1 0x7f7c51f2fe37 in Sass::Eval::operator()(Sass::Binary_Expression*) /home/hongxu/FUZZ/libsass-orig/src/eval.cpp:595
    #2 0x7f7c51f2fe37 in Sass::Eval::operator()(Sass::Binary_Expression*) /home/hongxu/FUZZ/libsass-orig/src/eval.cpp:595
    #3 0x7f7c51f2fe37 in Sass::Eval::operator()(Sass::Binary_Expression*) /home/hongxu/FUZZ/libsass-orig/src/eval.cpp:595
    #4 0x7f7c51f2fe37 in Sass::Eval::operator()(Sass::Binary_Expression*) /home/hongxu/FUZZ/libsass-orig/src/eval.cpp:595
    #5 0x7f7c51f2fe37 in Sass::Eval::operator()(Sass::Binary_Expression*) /home/hongxu/FUZZ/libsass-orig/src/eval.cpp:595
    #6 0x7f7c51f2fe37 in Sass::Eval::operator()(Sass::Binary_Expression*) /home/hongxu/FUZZ/libsass-orig/src/eval.cpp:595
    #7 0x7f7c51f2fe37 in Sass::Eval::operator()(Sass::Binary_Expression*) /home/hongxu/FUZZ/libsass-orig/src/eval.cpp:595
    #8 0x7f7c51f2fe37 in Sass::Eval::operator()(Sass::Binary_Expression*) /home/hongxu/FUZZ/libsass-orig/src/eval.cpp:595
...
    #248 0x7f7c51f2fe37 in Sass::Eval::operator()(Sass::Binary_Expression*) /home/hongxu/FUZZ/libsass-orig/src/eval.cpp:595
    #249 0x7f7c51f2fe37 in Sass::Eval::operator()(Sass::Binary_Expression*) /home/hongxu/FUZZ/libsass-orig/src/eval.cpp:595
    #250 0x7f7c51f2fe37 in Sass::Eval::operator()(Sass::Binary_Expression*) /home/hongxu/FUZZ/libsass-orig/src/eval.cpp:595
    #251 0x7f7c51f2fe37 in Sass::Eval::operator()(Sass::Binary_Expression*) /home/hongxu/FUZZ/libsass-orig/src/eval.cpp:595

SUMMARY: AddressSanitizer: stack-overflow /home/hongxu/FUZZ/libsass-orig/src/eval.cpp:563 Sass::Eval::operator()(Sass::Binary_Expression*)
==17362==ABORTING

Sample input files:
test_s102.txt
test_s401.txt
test_s601.txt
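The trace above is the classic shape of unbounded recursion in an expression evaluator: the same frame, Sass::Eval::operator()(Binary_Expression*), repeated once per nesting level until the stack is exhausted, which lets any stylesheet the compiler accepts from an untrusted source crash the process. The following is an added example, not libsass code and not the fix referenced later in this thread. It builds a constructed left-deep chain of binary expressions (the tree a left-associative parser produces for a long "1+1+...+1" input), evaluates it with the unbounded recursive pattern the report describes, and then with a bounded variant that rejects input nested deeper than an assumed limit kMaxDepth. Type and function names (Expr, Binary, make_chain, eval_recursive, eval_bounded, chain_is_accepted) are this example's own.

```cpp
// Added example, not libsass code. Demonstrates why a recursive evaluator
// overflows on deeply nested binary expressions and one way to bound it.
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>

struct Expr {
    virtual ~Expr() = default;
};

struct Number : Expr {
    double value;
    explicit Number(double v) : value(v) {}
};

struct Binary : Expr {
    char op;
    std::unique_ptr<Expr> lhs, rhs;
    Binary(char o, std::unique_ptr<Expr> l, std::unique_ptr<Expr> r)
        : op(o), lhs(std::move(l)), rhs(std::move(r)) {}
};

// Constructed input: a left-deep chain "1 + 1 + ... + 1" with n operators,
// the shape a left-associative parser produces for attacker-chosen long input.
std::unique_ptr<Expr> make_chain(std::size_t n) {
    std::unique_ptr<Expr> e = std::make_unique<Number>(1.0);
    for (std::size_t i = 0; i < n; ++i)
        e = std::make_unique<Binary>('+', std::move(e), std::make_unique<Number>(1.0));
    return e;
}

static double apply(char op, double a, double b) {
    switch (op) {
        case '+': return a + b;
        case '-': return a - b;
        case '*': return a * b;
        case '/': return a / b;
        default: throw std::invalid_argument(std::string("bad operator: ") + op);
    }
}

// Vulnerable pattern: one stack frame per nesting level, no bound at all.
// Calling this on make_chain(1000000) reproduces the failure mode in the
// report (a stack overflow), so it is deliberately not invoked below.
double eval_recursive(const Expr* e) {
    if (auto n = dynamic_cast<const Number*>(e)) return n->value;
    auto b = dynamic_cast<const Binary*>(e);
    return apply(b->op, eval_recursive(b->lhs.get()), eval_recursive(b->rhs.get()));
}

// Hardened pattern: same traversal, but fail cleanly once the nesting depth
// passes a fixed limit. kMaxDepth is an assumed value chosen for this example.
constexpr std::size_t kMaxDepth = 512;

double eval_bounded(const Expr* e, std::size_t depth = 0) {
    if (depth > kMaxDepth)
        throw std::runtime_error("expression nested too deeply");
    if (auto n = dynamic_cast<const Number*>(e)) return n->value;
    auto b = dynamic_cast<const Binary*>(e);
    return apply(b->op, eval_bounded(b->lhs.get(), depth + 1),
                 eval_bounded(b->rhs.get(), depth + 1));
}

// Returns true when a chain of n operators is accepted by the bounded evaluator.
// A chain of n operators puts its leftmost leaf at depth n, so n <= kMaxDepth passes.
bool chain_is_accepted(std::size_t n) {
    auto tree = make_chain(n);
    try {
        eval_bounded(tree.get());
        return true;
    } catch (const std::runtime_error&) {
        return false;
    }
}

int main() {
    // Small input: both evaluators agree (10 operators -> 11.0).
    auto small = make_chain(10);
    double a = eval_recursive(small.get());
    double b = eval_bounded(small.get());
    // Input just past the limit is rejected instead of crashing the process.
    bool ok = chain_is_accepted(kMaxDepth);
    bool rejected = !chain_is_accepted(kMaxDepth + 1);
    return (a == 11.0 && b == 11.0 && ok && rejected) ? 0 : 1;
}
```

One caveat a practitioner should keep in mind: bounding the evaluator alone is not enough, because the parser that built the tree and the unique_ptr chain that tears it down both recurse once per level as well. The depth limit belongs at parse time, before the deep tree exists, with the evaluator check as defence in depth.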

@hongxuchen hongxuchen changed the title from "Stack Over flow errors in Eval::operator()" to "AddressSanitizer: stack-overflow in Eval::operator() (eval.cpp:563)" Jun 3, 2018
@xzyfer xzyfer self-assigned this Jun 21, 2018
xzyfer added a commit to xzyfer/libsass that referenced this issue Jun 21, 2018
@xzyfer
Contributor

xzyfer commented Jun 21, 2018

Thanks @hongxuchen.
I've confirmed the issue with test_s102.txt.
A fix has been provided in #2675.

xzyfer added a commit to xzyfer/libsass that referenced this issue Jun 21, 2018
@glebm glebm added the Fuzzy label Apr 15, 2019
@xi

xi commented Jun 5, 2019

Assigned CVE-2018-19837
