AddressSanitizer: heap-buffer-overflow (OOB read) in Sass::Prelexer::skip_over_scopes (libsass/src/prelexer.hpp:69:14)

[glen-mac]

Hey there, I have discovered a single byte out-of-bands read (OOB) in libsass at: prelexer.hpp:69:14

Found when fuzzing commit 60f8391 of libsass, using commit aa6d5c6 of sassc as a harness.

Compile flags to reproduce:

CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make -C sassc -j8

System information:

$ uname -a
Linux s127422 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

This bug was found to be in libsass releases from 3.2.0 until the commit listed above.

You can find a collection of PoC files that trigger the bug here.

The full ASAN report is shown below:

↳ sassc/bin/sassc < crash.file
=================================================================
==12294==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000dffc at pc 0x000000804138 bp 0x7ffd55ba7d20 sp 0x7ffd55ba7d18
READ of size 1 at 0x60700000dffc thread T0
    #0 0x804137 in char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<&Sass::Constants::hash_lbrace>(char const*)), &(char const* Sass::Prelexer::exactly<&Sass::Constants::rbrace>(char const*))>(char const*, char const*) /home/glenn/temp/findsass/libsass/prelexer.hpp:68:14
    #1 0x78ca33 in char const* Sass::Parser::peek<&Sass::Prelexer::interpolant>(char const*) /home/glenn/temp/findsass/libsass/parser.hpp:114:14
    #2 0x78ca33 in Sass::Parser::lookahead_for_selector(char const*) /home/glenn/temp/findsass/libsass/parser.cpp:2025
    #3 0x76c877 in Sass::Parser::parse() /home/glenn/temp/findsass/libsass/parser.cpp:152:36
    #4 0x5271a0 in Sass::Context::parse_file() /home/glenn/temp/findsass/libsass/context.cpp:323:20
    #5 0x52b276 in Sass::Context::parse_string() /home/glenn/temp/findsass/libsass/context.cpp:363:14
    #6 0x4fbfad in sass_parse_block(Sass_Compiler*) /home/glenn/temp/findsass/libsass/sass_context.cpp:505:16
    #7 0x4fbfad in sass_compiler_parse /home/glenn/temp/findsass/libsass/sass_context.cpp:652
    #8 0x4fae24 in sass_compile_context(Sass_Context*, Sass::Context::Data) /home/glenn/temp/findsass/libsass/sass_context.cpp:536:7
    #9 0x4faa3c in sass_compile_data_context /home/glenn/temp/findsass/libsass/sass_context.cpp:623:12
    #10 0x4effcf in compile_stdin /home/glenn/temp/findsass/sassc/sassc.c:86:5
    #11 0x4f132f in main /home/glenn/temp/findsass/sassc/sassc.c:282:18
    #12 0x7f5eddf8e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #13 0x41e4a8 in _start (/home/glenn/temp/findsass/sassc/bin/sassc+0x41e4a8)

0x60700000dffc is located 0 bytes to the right of 76-byte region [0x60700000dfb0,0x60700000dffc)
allocated by thread T0 here:
    #0 0x4be958 in realloc (/home/glenn/temp/findsass/sassc/bin/sassc+0x4be958)
    #1 0x4efed2 in compile_stdin /home/glenn/temp/findsass/sassc/sassc.c:68:25
    #2 0x4f132f in main /home/glenn/temp/findsass/sassc/sassc.c:282:18
    #3 0x7f5eddf8e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/glenn/temp/findsass/libsass/prelexer.hpp:68:14 in char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<&Sass::Constants::hash_lbrace>(char const*)), &(char const* Sass::Prelexer::exactly<&Sass::Constants::rbrace>(char const*))>(char const*, char const*)
Shadow bytes around the buggy address:
  0x0c0e7fff9ba0: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0e7fff9bb0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
  0x0c0e7fff9bc0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0e7fff9bd0: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff9be0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0e7fff9bf0: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00[04]
  0x0c0e7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12294==ABORTING

[xzyfer]

Thanks @glen-mac .
I've confirmed the issue with test_s102.txt.
A fix has been provided in #2676.

[xi]

Assigned CVE-2018-11693