$ uname -a
Linux s127422 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
This bug was found to be in libsass releases from 3.4.9 until the commit listed above.
You can find a collection of PoC files that trigger the bug here.
The full ASAN report is shown below:
↳ sassc/bin/sassc < crash.file
/home/glenn/temp/fuzz_proj/afl/out/SESSION003/crashes/id:000039,sig:06,src:002724,op:havoc,rep:64
=================================================================
==14475==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000ee1c at pc 0x00000052450e bp 0x7fff9c2c1b50 sp 0x7fff9c2c1b48
READ of size 1 at 0x60600000ee1c thread T0
#0 0x52450d in Sass::handle_error(Sass_Context*) /home/glenn/temp/libsass/src/sass_context.cpp:85:28
#1 0x52069d in Sass::handle_errors(Sass_Context*) /home/glenn/temp/libsass/src/sass_context.cpp:211:18
#2 0x52069d in Sass::sass_parse_block(Sass_Compiler*) /home/glenn/temp/libsass/src/sass_context.cpp:257
#3 0x52069d in sass_compiler_parse /home/glenn/temp/libsass/src/sass_context.cpp:487
#4 0x51f6d9 in sass_compile_context(Sass_Context*, Sass::Context*) /home/glenn/temp/libsass/src/sass_context.cpp:375:7
#5 0x51707d in compile_stdin /home/glenn/temp/findsass/sassc/sassc.c:138:5
#6 0x517a8e in main /home/glenn/temp/findsass/sassc/sassc.c:375:18
#7 0x7f862af4c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x4456d8 in _start (/home/glenn/temp/findsass/sassc/bin/sassc+0x4456d8)
0x60600000ee1c is located 0 bytes to the right of 60-byte region [0x60600000ede0,0x60600000ee1c)
allocated by thread T0 here:
#0 0x4e5b88 in realloc (/home/glenn/temp/findsass/sassc/bin/sassc+0x4e5b88)
#1 0x516fdb in compile_stdin /home/glenn/temp/findsass/sassc/sassc.c:112:25
#2 0x517a8e in main /home/glenn/temp/findsass/sassc/sassc.c:375:18
#3 0x7f862af4c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/glenn/temp/libsass/src/sass_context.cpp:85:28 in Sass::handle_error(Sass_Context*)
Shadow bytes around the buggy address:
0x0c0c7fff9d70: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fff9d80: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0c7fff9d90: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c7fff9da0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fff9db0: 00 00 00 00 00 00 03 fa fa fa fa fa 00 00 00 00
=>0x0c0c7fff9dc0: 00 00 00[04]fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fff9dd0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c7fff9de0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
0x0c0c7fff9df0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==14475==ABORTING
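When a fuzzing campaign produces many crashes like the one above, the first triage question is always the same: what kind of access, how far outside which allocation, and which non-allocator frame owns the buffer. The following script is an added example (not code from the issue, from libsass, or from sassc) that parses the report quoted above and answers those questions mechanically; the regexes are written against the AddressSanitizer output format shown here, and the embedded sample input is the report's own lines, trimmed to what the triage needs.

```python
import re

# Sample input: the AddressSanitizer report from the issue above, with the
# shadow-byte dump omitted because the triage below does not need it.
ASAN_REPORT = """\
==14475==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000ee1c at pc 0x00000052450e bp 0x7fff9c2c1b50 sp 0x7fff9c2c1b48
READ of size 1 at 0x60600000ee1c thread T0
    #0 0x52450d in Sass::handle_error(Sass_Context*) /home/glenn/temp/libsass/src/sass_context.cpp:85:28
    #1 0x52069d in Sass::handle_errors(Sass_Context*) /home/glenn/temp/libsass/src/sass_context.cpp:211:18
    #2 0x52069d in Sass::sass_parse_block(Sass_Compiler*) /home/glenn/temp/libsass/src/sass_context.cpp:257
0x60600000ee1c is located 0 bytes to the right of 60-byte region [0x60600000ede0,0x60600000ee1c)
allocated by thread T0 here:
    #0 0x4e5b88 in realloc (/home/glenn/temp/findsass/sassc/bin/sassc+0x4e5b88)
    #1 0x516fdb in compile_stdin /home/glenn/temp/findsass/sassc/sassc.c:112:25
    #2 0x517a8e in main /home/glenn/temp/findsass/sassc/sassc.c:375:18
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/glenn/temp/libsass/src/sass_context.cpp:85:28 in Sass::handle_error(Sass_Context*)
==14475==ABORTING
"""

# Line shapes taken from the report format above.
_ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
_ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+) thread (T\d+)")
_FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (.+)$")
_REGION_RE = re.compile(
    r"^(0x[0-9a-fA-F]+) is located (\d+) bytes (to the right of|to the left of|inside of) "
    r"(\d+)-byte region \[(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)")
_ALLOC_RE = re.compile(r"^(allocated|freed) by thread (T\d+) here:")

# Frames that belong to the allocator rather than to the code that owns the buffer.
ALLOCATOR_FRAMES = {"malloc", "calloc", "realloc", "free", "operator new", "operator new[]"}


def parse_asan_report(text):
    """Extract bug type, access, region and both stacks from one ASan report."""
    report = {"pid": None, "bug": None, "access": None, "size": None, "address": None,
              "region_start": None, "region_size": None,
              "access_stack": [], "alloc_stack": []}
    current = "access_stack"  # frames before "allocated by ... here:" belong to the faulting access
    for line in text.splitlines():
        m = _ERROR_RE.match(line)
        if m:
            report["pid"], report["bug"] = int(m.group(1)), m.group(2)
            report["address"] = int(m.group(3), 16)
            continue
        m = _ACCESS_RE.match(line)
        if m:
            report["access"], report["size"] = m.group(1), int(m.group(2))
            continue
        m = _REGION_RE.match(line)
        if m:
            report["region_size"] = int(m.group(4))
            report["region_start"] = int(m.group(5), 16)
            continue
        if _ALLOC_RE.match(line):
            current = "alloc_stack"  # subsequent frames describe where the region came from
            continue
        m = _FRAME_RE.match(line)
        if m:
            report[current].append((m.group(2), m.group(3)))
    if report["address"] is not None and report["region_start"] is not None:
        # Offset of the faulting address from the start of the region it is measured against.
        report["offset"] = report["address"] - report["region_start"]
    return report


def first_user_frame(stack):
    """First frame that is not the allocator itself, i.e. the code that owns the buffer."""
    for func, loc in stack:
        if func not in ALLOCATOR_FRAMES:
            return (func, loc)
    return None


def classify(report):
    """One-line description of how far outside the allocation the access landed."""
    if report["bug"] != "heap-buffer-overflow" or "offset" not in report:
        return report["bug"] or "unknown"
    overrun = report["offset"] - report["region_size"]
    if overrun >= 0:
        return "%s of %d byte(s) starting %d byte(s) past the end of a %d-byte heap region" % (
            report["access"], report["size"], overrun, report["region_size"])
    return "%s of %d byte(s) at offset %d inside/before a %d-byte heap region" % (
        report["access"], report["size"], report["offset"], report["region_size"])


if __name__ == "__main__":
    r = parse_asan_report(ASAN_REPORT)
    print(classify(r))
    print("faulting frame :", r["access_stack"][0])
    print("buffer owner   :", first_user_frame(r["alloc_stack"]))
```

Run over the report above it yields a 1-byte READ starting 0 bytes past the end of the 60-byte region, faulting in `Sass::handle_error` and with `compile_stdin` (sassc.c:112) as the owner of the `realloc`-grown buffer, which is the information needed to decide whether a crash is a duplicate of this one and which side of the libsass/sassc boundary to look at first.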
xzyfer added a commit to xzyfer/libsass that referenced this issue on Jun 21, 2018
Hey there, I have discovered a single-byte out-of-bounds read (OOB) in libsass at: sass_context.cpp:85:28
Found when fuzzing commit 60f8391 of libsass, using commit aa6d5c6 of sassc as a harness.
Compile flags to reproduce:
System information: