SEGV in sassc #3001

Closed
c0d3xpl0it opened this issue Oct 7, 2019 · 1 comment · Fixed by #3027
c0d3xpl0it commented Oct 7, 2019

We found a SEGV in the sassc binary; sassc is compiled with clang with ASAN enabled.

Machine Setup

Machine : Ubuntu 16.04.3 LTS
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
Commit : 4da7c4b
Command : sassc POC

Compilation : CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 make -C sassc -j4
POC : POC.scss.zip


ASAN Output

fuzzer@fuzzer:~/victim/libsass/sassc/bin$ ./sassc -v
sassc: 3.6.1-5-g507f0
libsass: 3.6.2
sass2scss: 1.1.1
sass: 3.5
fuzzer@fuzzer:~/victim/libsass/sassc/bin$

fuzzer@fuzzer:~/victim/libsass/sassc/bin$ ./sassc POC
ASAN:DEADLYSIGNAL
=================================================================
==24568==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000009634ba bp 0x7ffeca0c6ff0 sp 0x7ffeca0c68c0 T0)
    #0 0x9634b9 in Sass::SharedPtr::SharedPtr(Sass::SharedPtr const&) /home/fuzzer/victim/libsass/src/memory/SharedPtr.hpp:116:53
    #1 0x9634b9 in Sass::SharedImpl<Sass::SimpleSelector>::SharedImpl(Sass::SharedImpl<Sass::SimpleSelector> const&) /home/fuzzer/victim/libsass/src/memory/SharedPtr.hpp:183
    #2 0x9634b9 in Sass::Parser::parseCompoundSelector() /home/fuzzer/victim/libsass/src/parser_selectors.cpp:143
    #3 0x960761 in Sass::Parser::parseComplexSelector(bool) /home/fuzzer/victim/libsass/src/parser_selectors.cpp:42:47
    #4 0x9696f1 in Sass::Parser::parseSelectorList(bool) /home/fuzzer/victim/libsass/src/parser_selectors.cpp:82:36
    #5 0x833ef6 in Sass::Parser::parse_ruleset(Lookahead) /home/fuzzer/victim/libsass/src/parser.cpp:530:25
    #6 0x7ff8eb in Sass::Parser::parse_block_node(bool) /home/fuzzer/victim/libsass/src/parser.cpp:278:21
    #7 0x7f419f in Sass::Parser::parse_block_nodes(bool) /home/fuzzer/victim/libsass/src/parser.cpp:189:11
    #8 0x7eea0f in Sass::Parser::parse() /home/fuzzer/victim/libsass/src/parser.cpp:115:5
    #9 0x5981a5 in Sass::Context::register_resource(Sass::Include const&, Sass::Resource const&) /home/fuzzer/victim/libsass/src/context.cpp:306:22
    #10 0x5b17c3 in Sass::File_Context::parse() /home/fuzzer/victim/libsass/src/context.cpp:576:5
    #11 0x55195e in Sass::sass_parse_block(Sass_Compiler*) /home/fuzzer/victim/libsass/src/sass_context.cpp:180:22
    #12 0x55195e in sass_compiler_parse /home/fuzzer/victim/libsass/src/sass_context.cpp:434
    #13 0x5503d4 in sass_compile_context(Sass_Context*, Sass::Context*) /home/fuzzer/victim/libsass/src/sass_context.cpp:317:7
    #14 0x550ac1 in sass_compile_file_context /home/fuzzer/victim/libsass/src/sass_context.cpp:421:12
    #15 0x53f1ce in compile_file /home/fuzzer/victim/libsass/sassc/sassc.c:173:5
    #16 0x540284 in main /home/fuzzer/victim/libsass/sassc/sassc.c:387:18
    #17 0x7f578e25e82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #18 0x46d1d8 in _start (/home/fuzzer/victim/libsass/sassc/bin/sassc+0x46d1d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fuzzer/victim/libsass/src/memory/SharedPtr.hpp:116:53 in Sass::SharedPtr::SharedPtr(Sass::SharedPtr const&)
==24568==ABORTING
fuzzer@fuzzer:~/victim/libsass/sassc/bin$
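The trace above faults inside the copy constructor of an intrusive ref-counted pointer at address 0x0, which is the shape ASAN reports when a reference was formed from a null pointer and the constructor then reads through it (there is no heap allocation for ASAN to describe, hence "can not provide additional info"). The following is an added illustration of that bug class, not libsass code and not a claim about the actual root cause fixed in #3027: a simplified stand-in for SharedPtr/SharedImpl (here `IntrusivePtr`, `Node`, `SelectorTable`, `find`, `copyUnchecked` and `copyChecked` are all invented names), a lookup that can legitimately return null, an unchecked copy that would crash on a missing entry, and the hardened form that checks before forming the reference.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical node type with an intrusive reference count.
struct Node {
  std::string name;
  std::size_t refcount = 0;
  explicit Node(std::string n) : name(std::move(n)) {}
};

// Minimal intrusive ref-counted pointer, modelled loosely on the idea of
// libsass's SharedPtr/SharedImpl (a stand-in for illustration only).
template <class T>
class IntrusivePtr {
  T* node_;

 public:
  IntrusivePtr() : node_(nullptr) {}
  explicit IntrusivePtr(T* n) : node_(n) {
    if (node_) ++node_->refcount;
  }
  // Copy constructor: reading `other.node_` is the load that faults when
  // `other` is a reference formed from a null pointer. The first member
  // sits at offset 0, which is why ASAN reports "SEGV on unknown address 0x0".
  IntrusivePtr(const IntrusivePtr& other) : node_(other.node_) {
    if (node_) ++node_->refcount;
  }
  IntrusivePtr& operator=(const IntrusivePtr&) = delete;  // not needed here
  ~IntrusivePtr() {
    if (node_ && --node_->refcount == 0) delete node_;
  }
  T* get() const { return node_; }
  bool isNull() const { return node_ == nullptr; }
};

// A table of parsed selector-like nodes (constructed sample data below).
struct SelectorTable {
  std::vector<IntrusivePtr<Node>> items;

  // Returns nullptr when no entry matches, as many lookups do.
  const IntrusivePtr<Node>* find(const std::string& name) const {
    for (const auto& p : items)
      if (p.get() && p.get()->name == name) return &p;
    return nullptr;
  }
};

// Unsafe: dereferences find()'s result unconditionally. On a missing entry
// this copies from a null reference, i.e. the crash shape in the report.
// Never call this with a name that is absent; it is here only to show the
// defect beside its fix.
IntrusivePtr<Node> copyUnchecked(const SelectorTable& t, const std::string& name) {
  return IntrusivePtr<Node>(*t.find(name));  // undefined behaviour when find() is null
}

// Hardened: check the raw pointer before forming a reference to it and
// hand back an empty pointer for a missing entry instead of faulting.
IntrusivePtr<Node> copyChecked(const SelectorTable& t, const std::string& name) {
  const IntrusivePtr<Node>* hit = t.find(name);
  return hit ? IntrusivePtr<Node>(*hit) : IntrusivePtr<Node>();
}

// Constructed sample table with two entries.
SelectorTable makeTable() {
  SelectorTable t;
  t.items.push_back(IntrusivePtr<Node>(new Node("div")));
  t.items.push_back(IntrusivePtr<Node>(new Node(".x")));
  return t;
}

int main() {
  SelectorTable t = makeTable();
  std::cout << "div present: " << !copyChecked(t, "div").isNull() << "\n";   // 1
  std::cout << "span present: " << !copyChecked(t, "span").isNull() << "\n"; // 0
  // copyUnchecked(t, "span") would be the faulting path; it is not exercised.
  return 0;
}
```

Building the same program with `-fsanitize=address` and calling the unchecked path on a missing name reproduces the report's signature (SEGV at 0x0 inside the copy constructor) rather than a heap-buffer report, which is the cue during triage to look for a null pointer being dereferenced into a reference at the frame just above the constructor.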
@mgreter mgreter mentioned this issue Nov 2, 2019
mgreter added a commit to mgreter/libsass that referenced this issue Nov 2, 2019
@nluedtke
Being tracked as CVE-2019-18799.
