Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AddressSanitizer: heap-buffer-overflow (OOB read) in Sass::handle_error (libsass/src/sass_context.cpp:85:28) #2662

Closed
glen-mac opened this issue Jun 3, 2018 · 2 comments
Closed

AddressSanitizer: heap-buffer-overflow (OOB read) in Sass::handle_error (libsass/src/sass_context.cpp:85:28) #2662

glen-mac opened this issue Jun 3, 2018 · 2 comments
Assignees
@xzyfer
Labels
Back port to 3.5 stable Bug - Confirmed Dev - PR Ready Fuzzy

Comments

@glen-mac
Copy link

glen-mac commented Jun 3, 2018

Hey there, I have discovered a single byte out-of-bands read (OOB) in libsass at: sass_context.cpp:85:28

Found when fuzzing commit 60f8391 of libsass, using commit aa6d5c6 of sassc as a harness.

Compile flags to reproduce:

CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make -C sassc -j8

System information:

$ uname -a
Linux s127422 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

This bug was found to be in libsass releases from 3.4.9 until the commit listed above.

You can find a collection of PoC files that trigger the bug here.

The full ASAN report is shown below:

↳ sassc/bin/sassc < crash.file
/home/glenn/temp/fuzz_proj/afl/out/SESSION003/crashes/id:000039,sig:06,src:002724,op:havoc,rep:64
=================================================================
==14475==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000ee1c at pc 0x00000052450e bp 0x7fff9c2c1b50 sp 0x7fff9c2c1b48
READ of size 1 at 0x60600000ee1c thread T0
    #0 0x52450d in Sass::handle_error(Sass_Context*) /home/glenn/temp/libsass/src/sass_context.cpp:85:28
    #1 0x52069d in Sass::handle_errors(Sass_Context*) /home/glenn/temp/libsass/src/sass_context.cpp:211:18
    #2 0x52069d in Sass::sass_parse_block(Sass_Compiler*) /home/glenn/temp/libsass/src/sass_context.cpp:257
    #3 0x52069d in sass_compiler_parse /home/glenn/temp/libsass/src/sass_context.cpp:487
    #4 0x51f6d9 in sass_compile_context(Sass_Context*, Sass::Context*) /home/glenn/temp/libsass/src/sass_context.cpp:375:7
    #5 0x51707d in compile_stdin /home/glenn/temp/findsass/sassc/sassc.c:138:5
    #6 0x517a8e in main /home/glenn/temp/findsass/sassc/sassc.c:375:18
    #7 0x7f862af4c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x4456d8 in _start (/home/glenn/temp/findsass/sassc/bin/sassc+0x4456d8)

0x60600000ee1c is located 0 bytes to the right of 60-byte region [0x60600000ede0,0x60600000ee1c)
allocated by thread T0 here:
    #0 0x4e5b88 in realloc (/home/glenn/temp/findsass/sassc/bin/sassc+0x4e5b88)
    #1 0x516fdb in compile_stdin /home/glenn/temp/findsass/sassc/sassc.c:112:25
    #2 0x517a8e in main /home/glenn/temp/findsass/sassc/sassc.c:375:18
    #3 0x7f862af4c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/glenn/temp/libsass/src/sass_context.cpp:85:28 in Sass::handle_error(Sass_Context*)
Shadow bytes around the buggy address:
  0x0c0c7fff9d70: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff9d80: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fff9d90: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff9da0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff9db0: 00 00 00 00 00 00 03 fa fa fa fa fa 00 00 00 00
=>0x0c0c7fff9dc0: 00 00 00[04]fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff9dd0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff9de0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c7fff9df0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14475==ABORTING
xzyfer added a commit to xzyfer/libsass that referenced this issue Jun 21, 2018
@xzyfer
Fix invalid utf-8 error reporting
d4448c9 
Fixes sass#2662
@xzyfer xzyfer mentioned this issue Jun 21, 2018
Closed
@xzyfer
Copy link
Contributor

xzyfer commented Jun 21, 2018

Thanks @glen-mac .
I've confirmed the issue with test_s102.txt.
A fix has been provided in #2677.

@xzyfer xzyfer self-assigned this Jun 21, 2018
@glebm
Copy link
Contributor

glebm commented Nov 23, 2018
edited

This was fixed in #2755, specifically 8f40dc0

Tested all cases on master

@glebm glebm added the Fuzzy label Apr 15, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@xzyfer xzyfer

Labels
Back port to 3.5 stable Bug - Confirmed Dev - PR Ready Fuzzy
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@glebm @xzyfer @nschonni @glen-mac