Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Null pointer dereference in Sass::Eval::operator()(Sass::Supports_Operator*) eval.cpp #2786

Closed
zyingp opened this issue Dec 4, 2018 · 2 comments
Closed

Null pointer dereference in Sass::Eval::operator()(Sass::Supports_Operator*) eval.cpp #2786

zyingp opened this issue Dec 4, 2018 · 2 comments
Labels
Bug - Should Error Dev - Test Written Fuzzy

Comments

@zyingp
Copy link

zyingp commented Dec 4, 2018

I fuzzed and found another null pointer dereference problem in Sass::Eval::operator()(Sass::Supports_Operator*) eval.cpp. The problem exists in both the 3.5.5 version and the master branch (2018/12/2), with the same crash stack.

Build libsass/sassc with ASan:
CXX=clang++ CC=clang CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS=$CFLAGS make -C sassc -j4

Run ./sassc sass_npd and program crashes.
(sass_npd is at here: https://github.com/zyingp/temp/blob/master/sass_npd)

Crash stack

Crash stack (of master branch):

AddressSanitizer:DEADLYSIGNAL
=================================================================
==42416==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00010832659a bp 0x7ffee7ded890 sp 0x7ffee7ded5e0 T0)
==42416==The signal is caused by a READ memory access.
==42416==Hint: address points to the zero page.
    #0 0x108326599 in Sass::Eval::operator()(Sass::Supports_Operator*) eval.cpp:1326
    #1 0x107e9b3c6 in Sass::Supports_Operator::perform(Sass::Operation<Sass::Value*>*) ast_supports.hpp:73
    #2 0x1083693ed in Sass::Expand::operator()(Sass::Supports_Block*) expand.cpp:162
    #3 0x107e9b073 in Sass::Supports_Block::perform(Sass::Operation<Sass::Value*>*) ast_supports.hpp:45
    #4 0x10836305c in Sass::Expand::append_block(Sass::Block*) expand.cpp:807
    #5 0x108361950 in Sass::Expand::operator()(Sass::Block*) expand.cpp:72
    #6 0x107f82193 in Sass::Context::compile() context.cpp:678
    #7 0x107f7e9bb in Sass::File_Context::parse() context.cpp:605
    #8 0x108589400 in Sass::sass_parse_block(Sass_Compiler*) sass_context.cpp:234
    #9 0x108588b8a in sass_compiler_parse sass_context.cpp:483
    #10 0x1085882f9 in sass_compile_context(Sass_Context*, Sass::Context*) sass_context.cpp:371
    #11 0x10858871d in sass_compile_file_context sass_context.cpp:470
    #12 0x107e10796 in compile_file sassc.c:158
    #13 0x107e110d6 in main sassc.c:370
    #14 0x7fff701cb014 in start (libdyld.dylib:x86_64+0x1014)

==42416==Register values:
rax = 0x0000100000000000  rbx = 0x00007ffee7ded700  rcx = 0x0000000000000000  rdx = 0x0000100000000000  
rdi = 0x00007ffee7ded620  rsi = 0x00007ffee7ded620  rbp = 0x00007ffee7ded890  rsp = 0x00007ffee7ded5e0  
 r8 = 0x00001c18000003ed   r9 = 0x00001c18000003e0  r10 = 0x00001c18000003ed  r11 = 0xffffe0c118215698  
r12 = 0x00007ffee7deed70  r13 = 0x000060d000000450  r14 = 0x00007ffee7deed88  r15 = 0x000060d000000380  
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV eval.cpp:1326 in Sass::Eval::operator()(Sass::Supports_Operator*)
==42416==ABORTING

It seems that in function Expression_Ptr Eval::operator()(Supports_Operator_Ptr c), the right variable (not Null) is casted and becomes a Null Supports_Condition SharedObj at line Cast<Supports_Condition>(right),.

  Expression_Ptr Eval::operator()(Supports_Operator_Ptr c)
  {
    Expression_Ptr left = c->left()->perform(this);
    Expression_Ptr right = c->right()->perform(this);
    Supports_Operator_Ptr cc = SASS_MEMORY_NEW(Supports_Operator,
                                 c->pstate(),
                                 Cast<Supports_Condition>(left),
                                 Cast<Supports_Condition>(right),
                                 c->operand());
    return cc;
  }
@glebm
Copy link
Contributor

glebm commented Dec 4, 2018

Minimal example:

@supports (foo: bar) or {
}

Dart Sass:

Error: expected "(".
@supports (foo: bar) or {
                        ^

Ruby Sass:

sass ~/tmp/npd.scss        
Error: Invalid CSS after "...(foo: bar) or  ": expected @supports condition (e.g. (display: flexbox)), was "{"

@mgreter mgreter closed this as completed Dec 29, 2018
@mgreter mgreter reopened this Dec 29, 2018
glebm added a commit to glebm/libsass that referenced this issue Apr 4, 2019
@glebm
Error on incomplete @supports clause in parser
1018376 
Fixes sass#2786
@glebm glebm mentioned this issue Apr 4, 2019
Merged
glebm added a commit to glebm/sass-spec that referenced this issue Apr 4, 2019
@glebm
Add test for sass/libsass#2786
3d7529d
glebm added a commit to glebm/libsass that referenced this issue Apr 4, 2019
@glebm
Error on incomplete @supports clause in parser
98d8d5d 
Fixes sass#2786

Spec added in sass/sass-spec#1370
@glebm glebm mentioned this issue Apr 4, 2019
Merged
glebm added a commit to glebm/sass-spec that referenced this issue Apr 4, 2019
@glebm
Add test for sass/libsass#2786
6ad10c4
glebm added a commit to glebm/sass-spec that referenced this issue Apr 4, 2019
@glebm
Add test for sass/libsass#2786
812cb78
glebm added a commit to glebm/sass-spec that referenced this issue Apr 4, 2019
@glebm
Add test for sass/libsass#2786
6c70f80
glebm added a commit to glebm/sass-spec that referenced this issue Apr 4, 2019
@glebm
Add test for sass/libsass#2786
e457f01
glebm added a commit to glebm/sass-spec that referenced this issue Apr 4, 2019
@glebm
Add test for sass/libsass#2786
e10c17e
nex3 pushed a commit to sass/sass-spec that referenced this issue Apr 4, 2019
@glebm @nex3
Add test for sass/libsass#2786 (#1370)
53c8f41
xzyfer pushed a commit that referenced this issue Apr 5, 2019
@glebm @xzyfer
Error on incomplete @supports clause in parser (#2860)
69ae7ef 
Fixes #2786

Spec added in sass/sass-spec#1370
@xi
Copy link

xi commented Jun 5, 2019

Assigned CVE-2018-20190

@danielgefen danielgefen mentioned this issue Oct 5, 2019
Closed
@Abdul1110 Abdul1110 mentioned this issue May 12, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug - Should Error Dev - Test Written Fuzzy
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@xi @glebm @mgreter @zyingp