Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

【fuzz】heap-buffer-overflow #3138

Open
qweryzh opened this issue Dec 8, 2020 · 0 comments
Open

【fuzz】heap-buffer-overflow #3138

qweryzh opened this issue Dec 8, 2020 · 0 comments
Labels
Fuzzy

Comments

@qweryzh
Copy link

qweryzh commented Dec 8, 2020

we fuzz-test about latest 3.6.4 libsass and find a heap-buffer-overflow bug to be fixed:
steps:
1、build
python3 infra/helper.py build_fuzzers --sanitizer address libsass
2、run
python3 infra/helper.py run_fuzzer libsass data_context_fuzzer -rss_limit_mb=0
error messages listed:
==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000003815 at pc 0x0000005a3a27 bp 0x7ffcbbed05d0 sp 0x7ffcbbed05c8
READ of size 1 at 0x602000003815 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
#0 0x5a3a26 in Sass::handle_error(Sass_Context*) /src/libsass/src/sass_context.cpp:81:28
#1 0x59d780 in handle_errors /src/libsass/src/sass_context.cpp:207:18
#2 0x59d780 in sass_parse_block /src/libsass/src/sass_context.cpp:253:19
#3 0x59d780 in sass_compiler_parse /src/libsass/src/sass_context.cpp:483:22
#4 0x59c744 in sass_compile_context(Sass_Context*, Sass::Context*) /src/libsass/src/sass_context.cpp:371:7
#5 0x599f86 in LLVMFuzzerTestOneInput /src/data_context_fuzzer.cc:26:3
#6 0x4a21d1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#7 0x4a1915 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
#8 0x4a39e7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
#9 0x4a4465 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocatorfuzzer::SizedFile >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
#10 0x49343e in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
#11 0x4bbc12 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#12 0x7f390c9c482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x467b48 in _start (/out/data_context_fuzzer+0x467b48)

0x602000003815 is located 2 bytes to the right of 3-byte region [0x602000003810,0x602000003813)
allocated by thread T0 here:
#0 0x56788d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x599f00 in LLVMFuzzerTestOneInput /src/data_context_fuzzer.cc:4:29
#2 0x4a21d1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#3 0x4a1915 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
#4 0x4a39e7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
#5 0x4a4465 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocatorfuzzer::SizedFile >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
#6 0x49343e in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
#7 0x4bbc12 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#8 0x7f390c9c482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/libsass/src/sass_context.cpp:81:28 in Sass::handle_error(Sass_Context*)
Shadow bytes around the buggy address:
0x0c047fff86b0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fff86c0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fff86d0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fff86e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff86f0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa 02 fa
=>0x0c047fff8700: fa fa[03]fa fa fa 00 03 fa fa fd fa fa fa 06 fa
0x0c047fff8710: fa fa 00 03 fa fa fd fa fa fa 00 fa fa fa 00 00
0x0c047fff8720: fa fa 06 fa fa fa 06 fa fa fa 00 00 fa fa 06 fa
0x0c047fff8730: fa fa 00 00 fa fa fd fa fa fa fd fd fa fa fa fa
0x0c047fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==13==ABORTING
MS: 3 CopyPart-ChangeByte-EraseBytes-; base unit: 4662e92f9aaa70ce2da332d3fc09c7d20a7f5388
0xa,0xf1,
\x0a\xf1
artifact_prefix='./'; Test unit written to ./crash-1715e03e9b724d06393bbbe585848f6ec76509fd
Base64: CvE=

hope reply it as soon as possible,thank you very much!
@mgreter mgreter added the Fuzzy label Mar 4, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Fuzzy
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mgreter @qweryzh