Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AddressSanitizer: null pointer dereference (SEGV) in Sass::Functions::selector_append (libsass/src/functions.cpp:2088:13) #2663

Closed
glen-mac opened this issue Jun 3, 2018 · 3 comments
Closed

AddressSanitizer: null pointer dereference (SEGV) in Sass::Functions::selector_append (libsass/src/functions.cpp:2088:13) #2663

glen-mac opened this issue Jun 3, 2018 · 3 comments
Labels
Bug - Confirmed Bug - Selectors Fuzzy selector-validation

Comments

@glen-mac
Copy link

glen-mac commented Jun 3, 2018
edited
Loading

Hey there, I have discovered a null pointer dereference in libsass at: functions.cpp:2088:13

Found when fuzzing commit 60f8391 of libsass, using commit aa6d5c6 of sassc as a harness.

Compile flags to reproduce:

CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make -C sassc -j8

System information:

$ uname -a
Linux s127422 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

This bug was found to be in libsass releases from 3.3.6 until the commit listed above.

You can find a collection of PoC files that trigger the bug here.

The full ASAN report is shown below:

↳ ./sassc.bin < crash.file
ASAN:DEADLYSIGNAL
=================================================================
==16225==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x0000005b8758 bp 0x7ffd5ab26780 sp 0x7ffd5ab25b80 T0)
    #0 0x5b8757 in Sass::Functions::selector_append(Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Context&, char const*, Sass::ParserState, Sass::Backtrace*, std::vector<Sass::SharedImpl<Sass::Selector_List>, std::allocator<Sass::SharedImpl<Sass::Selector_List> > >) /home/glenn/temp/libsass/src/functions.cpp:2088:13
    #1 0x6f6a04 in Sass::Eval::operator()(Sass::Function_Call*) /home/glenn/temp/libsass/src/eval.cpp:1030:18
    #2 0x6dbf8e in Sass::Eval::operator()(Sass::List*) /home/glenn/temp/libsass/src/eval.cpp:503:18
    #3 0x71cc5f in Sass::Expand::operator()(Sass::Assignment*) /home/glenn/temp/libsass/src/expand.cpp:330:29
    #4 0x731326 in Sass::Expand::append_block(Sass::Block*) /home/glenn/temp/libsass/src/expand.cpp:808:27
    #5 0x7269e4 in Sass::Expand::operator()(Sass::While*) /home/glenn/temp/libsass/src/expand.cpp:572:7
    #6 0x731326 in Sass::Expand::append_block(Sass::Block*) /home/glenn/temp/libsass/src/expand.cpp:808:27
    #7 0x714f0a in Sass::Expand::operator()(Sass::Block*) /home/glenn/temp/libsass/src/expand.cpp:81:5
    #8 0x5521f7 in Sass::Context::compile() /home/glenn/temp/libsass/src/context.cpp:659:12
    #9 0x55144c in Sass::Data_Context::parse() /home/glenn/temp/libsass/src/context.cpp:630:12
    #10 0x5200ca in Sass::sass_parse_block(Sass_Compiler*) /home/glenn/temp/libsass/src/sass_context.cpp:238:22
    #11 0x5200ca in sass_compiler_parse /home/glenn/temp/libsass/src/sass_context.cpp:487
    #12 0x51f6d9 in sass_compile_context(Sass_Context*, Sass::Context*) /home/glenn/temp/libsass/src/sass_context.cpp:375:7
    #13 0x51707d in compile_stdin /home/glenn/temp/findsass/sassc/sassc.c:138:5
    #14 0x517a8e in main /home/glenn/temp/findsass/sassc/sassc.c:375:18
    #15 0x7f7bf2feb82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #16 0x4456d8 in _start (/home/glenn/temp/findsass/sassc.bin+0x4456d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/glenn/temp/libsass/src/functions.cpp:2088:13 in Sass::Functions::selector_append(Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Context&, char const*, Sass::ParserState, Sass::Backtrace*, std::vector<Sass::SharedImpl<Sass::Selector_List>, std::allocator<Sass::SharedImpl<Sass::Selector_List> > >)
==16225==ABORTING
@xzyfer
Copy link
Contributor

xzyfer commented Jul 4, 2018

Thanks for the report.
We confirmed this issue shares a common root cause to other reported issues.
We have assigned the selector-validation to the affected issues.

@VictorRodriguez
Copy link

@xzyfer thanks a lot for the great support, do you have the patch of the common root cause issue?

@glebm
Copy link
Contributor

glebm commented Nov 23, 2018
edited
Loading

There are two separate issues here:

First, the & parent selector shouldn't be allowed in selector-append. Example:

div {
  a: selector-append('.menu', 'li', '&');
}

I've sent a fix for this in #2760.

Second is this issue:

div {
  a: selector-append('.x~~', 'li', 'a')
}

dart-sass output:

Error: Parent ".x ~ ~" is incompatible with this selector.
  a: selector-append('.x~~', 'li', 'a')
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ../../../tmp/test2.scss 2:6  root stylesheet

ruby-sass output:

Error: Invalid parent selector for "&li": ".x ~ ~"
        on line 2 of /home/glebm/tmp/test2.scss
  Use --trace for backtrace.

sassc output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==15981==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000088 (pc 0x0000005e7be1 bp 0x7ffd8aa90810 sp 0x7ffd8aa90740 T0)
==15981==The signal is caused by a READ memory access.
==15981==Hint: address points to the zero page.
    #0 0x5e7be0 in Sass::Vectorized<Sass::SharedImpl<Sass::Simple_Selector> >::concat(Sass::Vectorized<Sass::SharedImpl<Sass::Simple_Selector> >*) /home/glebm/repos/glebm/libsass/src/ast.hpp:288:61
    #1 0x5e3fc4 in Sass::Functions::selector_append(Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Context&, char const*, Sass::ParserState, std::vector<Sass::Backtrace, std::allocator<Sass::Backtrace> >&, std::vector<Sass::SharedImpl<Sass::Selector_List>, std::allocator<Sass::SharedImpl<Sass::Selector_List> > >&) /home/glebm/repos/glebm/libsass/src/fn_selectors.cpp:144:53
    #2 0x6a1c38 in Sass::Eval::operator()(Sass::Function_Call*) /home/glebm/repos/glebm/libsass/src/eval.cpp:1060:18
    #3 0x6c3274 in Sass::Expand::operator()(Sass::Declaration*) /home/glebm/repos/glebm/libsass/src/expand.cpp:250:31
    #4 0x6cea99 in Sass::Expand::append_block(Sass::Block*) /home/glebm/repos/glebm/libsass/src/expand.cpp:802:32
    #5 0x6bfbd9 in Sass::Expand::operator()(Sass::Block*) /home/glebm/repos/glebm/libsass/src/expand.cpp:72:11
    #6 0x6c0b9f in Sass::Expand::operator()(Sass::Ruleset*) /home/glebm/repos/glebm/libsass/src/expand.cpp:144:27
    #7 0x6cea99 in Sass::Expand::append_block(Sass::Block*) /home/glebm/repos/glebm/libsass/src/expand.cpp:802:32
    #8 0x6bfbd9 in Sass::Expand::operator()(Sass::Block*) /home/glebm/repos/glebm/libsass/src/expand.cpp:72:11
    #9 0x5768b6 in Sass::Context::compile() /home/glebm/repos/glebm/libsass/src/context.cpp:678:12
    #10 0x5758b7 in Sass::File_Context::parse() /home/glebm/repos/glebm/libsass/src/context.cpp:605:12
    #11 0x55bc76 in Sass::sass_parse_block(Sass_Compiler*) /home/glebm/repos/glebm/libsass/src/sass_context.cpp:234:31
    #12 0x55b8ba in sass_compiler_parse /home/glebm/repos/glebm/libsass/src/sass_context.cpp:483:22
    #13 0x55b539 in sass_compile_context(Sass_Context*, Sass::Context*) /home/glebm/repos/glebm/libsass/src/sass_context.cpp:371:7
    #14 0x5540f6 in compile_file /home/glebm/repos/glebm/libsass/sassc/sassc.c:158:5
    #15 0x554ab9 in main /home/glebm/repos/glebm/libsass/sassc/sassc.c:370:18
    #16 0x7ffbb3fcbb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x45b839 in _start (/home/glebm/repos/glebm/libsass/sassc/bin/sassc+0x45b839)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/glebm/repos/glebm/libsass/src/ast.hpp:288:61 in Sass::Vectorized<Sass::SharedImpl<Sass::Simple_Selector> >::concat(Sass::Vectorized<Sass::SharedImpl<Sass::Simple_Selector> >*)
==15981==ABORTING

I've sent #2762 for this one but not sure if it's the best solution.

glebm added a commit to glebm/libsass that referenced this issue Nov 24, 2018
@glebm
Disallow parent selectors in selector-append
c758f15 
Now correctly errors on inputs such as this one (see sass#2663):

    div {
      a: selector-append('.menu', 'li', '&');
    }
@glebm glebm mentioned this issue Nov 24, 2018
Merged
glebm added a commit to glebm/libsass that referenced this issue Nov 24, 2018
@glebm
Disallow parent selectors in selector-append
df25b09 
Now correctly errors on inputs such as this one (see sass#2663):

    div {
      a: selector-append('.menu', 'li', '&');
    }
xzyfer pushed a commit that referenced this issue Nov 25, 2018
@glebm @xzyfer
Disallow parent selectors in selector-append (#2760)
c93f058 
Now correctly errors on inputs such as this one instead of crashing (see #2663):

```scss
div {
  a: selector-append('.menu', 'li', '&');
}
```

```
Error: Parent selectors aren't allowed here.
        on line 3:37 of ../../../tmp/test.scss, in function `selector-append`
        from line 3:6 of ../../../tmp/test.scss
>>   e: selector-append('.menu', 'li', '&');

   ------------------------------------^
```
glebm added a commit to glebm/libsass that referenced this issue Nov 25, 2018
@glebm
Fix crash in selector-append('.x~~', 'a')
64f168d 
Fixes sass#2663
@glebm glebm mentioned this issue Nov 25, 2018
Merged
glebm added a commit to glebm/libsass that referenced this issue Nov 25, 2018
@glebm
Fix crash in selector-append('.x~~', 'a')
e5964a7 
Fixes sass#2663
glebm added a commit to glebm/libsass that referenced this issue Nov 26, 2018
@glebm
Fix crash in selector-append('.x~~', 'a')
be8c924 
Fixes sass#2663
xzyfer pushed a commit that referenced this issue Nov 26, 2018
@glebm @xzyfer
Fix crash in selector-append('.x~~', 'a')
280ffd8 
Fixes #2663
@glebm glebm added the Fuzzy label Apr 15, 2019
@Abdul1110 Abdul1110 mentioned this issue May 12, 2022
Open
@Svetlana-github Svetlana-github mentioned this issue May 16, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug - Confirmed Bug - Selectors Fuzzy selector-validation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@glebm @VictorRodriguez @xzyfer @glen-mac