Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AddressSanitizer: heap-use-after-free in both libsass 3.5.5 and latest codebase #2782

Closed
zyingp opened this issue Dec 3, 2018 · 3 comments
Closed

AddressSanitizer: heap-use-after-free in both libsass 3.5.5 and latest codebase #2782

zyingp opened this issue Dec 3, 2018 · 3 comments
Labels
Fuzzy

Comments

@zyingp
Copy link

zyingp commented Dec 3, 2018

I found a new heap use-after-free bug with a special sass file. The file causes heap-use-after-free bug in both version 3.5.5 and the latest master branch (accessed on 2018/12/2) codebase, though with slightly different crash stacks. (And is quite different from previous issue #2643 .)

Build libsass/saasc with ASan:
CXX=clang++ CC=clang CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS=$CFLAGS make -C sassc -j4

Run ./sassc sass_heap_UAF
(sass_heap_UAF is at here: https://github.com/zyingp/temp/blob/master/sass_heap_UAF)

The program crashes.

ASan Crash stack

Crash in the latest code (accessed on 2018/12/2)

==37839==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000010a90 at pc 0x0001087d1d0a bp 0x7ffee7bbbdd0 sp 0x7ffee7bbbdc8
WRITE of size 1 at 0x611000010a90 thread T0
    #0 0x1087d1d09 in Sass::SharedPtr::incRefCount() SharedPtr.hpp:140
    #1 0x1087d1c2a in Sass::SharedPtr::SharedPtr(Sass::SharedObj*) SharedPtr.hpp:90
    #2 0x108075537 in Sass::SharedImpl<Sass::Directive>::SharedImpl<Sass::Directive>(Sass::Directive*) SharedPtr.hpp:155
    #3 0x10806220c in Sass::SharedImpl<Sass::AST_Node>::SharedImpl<Sass::AST_Node>(Sass::AST_Node*) SharedPtr.hpp:155
    #4 0x1085b944b in Sass::Expand::operator()(Sass::Extension*) expand.cpp:666
    #5 0x108069076 in Sass::Extension::perform(Sass::Operation<Sass::Value*>*) ast.hpp:732
    #6 0x10859105c in Sass::Expand::append_block(Sass::Block*) expand.cpp:807
    #7 0x10858f950 in Sass::Expand::operator()(Sass::Block*) expand.cpp:72
    #8 0x108595a39 in Sass::Expand::operator()(Sass::Ruleset*) expand.cpp:144
    #9 0x108067123 in Sass::Ruleset::perform(Sass::Operation<Sass::Value*>*) ast.hpp:487
    #10 0x10859105c in Sass::Expand::append_block(Sass::Block*) expand.cpp:807
    #11 0x10858f950 in Sass::Expand::operator()(Sass::Block*) expand.cpp:72
    #12 0x1081b0193 in Sass::Context::compile() context.cpp:678
    #13 0x1081ac9bb in Sass::File_Context::parse() context.cpp:605
    #14 0x1087b7400 in Sass::sass_parse_block(Sass_Compiler*) sass_context.cpp:234
    #15 0x1087b6b8a in sass_compiler_parse sass_context.cpp:483
    #16 0x1087b62f9 in sass_compile_context(Sass_Context*, Sass::Context*) sass_context.cpp:371
    #17 0x1087b671d in sass_compile_file_context sass_context.cpp:470
    #18 0x10803e796 in compile_file sassc.c:158
    #19 0x10803f0d6 in main sassc.c:370
    #20 0x7fff701cb014 in start (libdyld.dylib:x86_64+0x1014)

0x611000010a90 is located 16 bytes inside of 208-byte region [0x611000010a80,0x611000010b50)
freed by thread T0 here:
    #0 0x108dddd32 in wrap__ZdlPv (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x61d32)
    #1 0x1081577a1 in Sass::Selector_List::~Selector_List() ast_selectors.hpp:513
    #2 0x1087bc023 in Sass::SharedPtr::decRefCount() SharedPtr.hpp:135
    #3 0x1087bbd94 in Sass::SharedPtr::~SharedPtr() SharedPtr.hpp:94
    #4 0x10806f164 in Sass::SharedImpl<Sass::Media_Query_Expression>::~SharedImpl() SharedPtr.hpp:149
    #5 0x1080480c4 in Sass::SharedImpl<Sass::At_Root_Query>::~SharedImpl() SharedPtr.hpp:149
    #6 0x108562861 in Sass::Eval::operator()(Sass::Parent_Reference*) eval.cpp:1615
    #7 0x1080b3de6 in Sass::Parent_Reference::perform(Sass::Operation<Sass::Value*>*) ast_values.hpp:426
    #8 0x108552f6d in Sass::Eval::operator()(Sass::String_Schema*) eval.cpp:1288
    #9 0x1080b1846 in Sass::String_Schema::perform(Sass::Operation<Sass::Value*>*) ast_values.hpp:350
    #10 0x10855d1bf in Sass::Eval::operator()(Sass::Selector_Schema*) eval.cpp:1572
    #11 0x1085b746f in Sass::Expand::operator()(Sass::Extension*) expand.cpp:652
    #12 0x108069076 in Sass::Extension::perform(Sass::Operation<Sass::Value*>*) ast.hpp:732
    #13 0x10859105c in Sass::Expand::append_block(Sass::Block*) expand.cpp:807
    #14 0x10858f950 in Sass::Expand::operator()(Sass::Block*) expand.cpp:72
    #15 0x108595a39 in Sass::Expand::operator()(Sass::Ruleset*) expand.cpp:144
    #16 0x108067123 in Sass::Ruleset::perform(Sass::Operation<Sass::Value*>*) ast.hpp:487
    #17 0x10859105c in Sass::Expand::append_block(Sass::Block*) expand.cpp:807
    #18 0x10858f950 in Sass::Expand::operator()(Sass::Block*) expand.cpp:72
    #19 0x1081b0193 in Sass::Context::compile() context.cpp:678
    #20 0x1081ac9bb in Sass::File_Context::parse() context.cpp:605
    #21 0x1087b7400 in Sass::sass_parse_block(Sass_Compiler*) sass_context.cpp:234
    #22 0x1087b6b8a in sass_compiler_parse sass_context.cpp:483
    #23 0x1087b62f9 in sass_compile_context(Sass_Context*, Sass::Context*) sass_context.cpp:371
    #24 0x1087b671d in sass_compile_file_context sass_context.cpp:470
    #25 0x10803e796 in compile_file sassc.c:158
    #26 0x10803f0d6 in main sassc.c:370
    #27 0x7fff701cb014 in start (libdyld.dylib:x86_64+0x1014)

previously allocated by thread T0 here:
    #0 0x108ddd752 in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x61752)
    #1 0x10855a310 in Sass::Eval::operator()(Sass::Selector_List*) eval.cpp:1509
    #2 0x108562378 in Sass::Eval::operator()(Sass::Parent_Reference*) eval.cpp:1617
    #3 0x1080b3de6 in Sass::Parent_Reference::perform(Sass::Operation<Sass::Value*>*) ast_values.hpp:426
    #4 0x108552f6d in Sass::Eval::operator()(Sass::String_Schema*) eval.cpp:1288
    #5 0x1080b1846 in Sass::String_Schema::perform(Sass::Operation<Sass::Value*>*) ast_values.hpp:350
    #6 0x10855d1bf in Sass::Eval::operator()(Sass::Selector_Schema*) eval.cpp:1572
    #7 0x1085b746f in Sass::Expand::operator()(Sass::Extension*) expand.cpp:652
    #8 0x108069076 in Sass::Extension::perform(Sass::Operation<Sass::Value*>*) ast.hpp:732
    #9 0x10859105c in Sass::Expand::append_block(Sass::Block*) expand.cpp:807
    #10 0x10858f950 in Sass::Expand::operator()(Sass::Block*) expand.cpp:72
    #11 0x108595a39 in Sass::Expand::operator()(Sass::Ruleset*) expand.cpp:144
    #12 0x108067123 in Sass::Ruleset::perform(Sass::Operation<Sass::Value*>*) ast.hpp:487
    #13 0x10859105c in Sass::Expand::append_block(Sass::Block*) expand.cpp:807
    #14 0x10858f950 in Sass::Expand::operator()(Sass::Block*) expand.cpp:72
    #15 0x1081b0193 in Sass::Context::compile() context.cpp:678
    #16 0x1081ac9bb in Sass::File_Context::parse() context.cpp:605
    #17 0x1087b7400 in Sass::sass_parse_block(Sass_Compiler*) sass_context.cpp:234
    #18 0x1087b6b8a in sass_compiler_parse sass_context.cpp:483
    #19 0x1087b62f9 in sass_compile_context(Sass_Context*, Sass::Context*) sass_context.cpp:371
    #20 0x1087b671d in sass_compile_file_context sass_context.cpp:470
    #21 0x10803e796 in compile_file sassc.c:158
    #22 0x10803f0d6 in main sassc.c:370
    #23 0x7fff701cb014 in start (libdyld.dylib:x86_64+0x1014)

SUMMARY: AddressSanitizer: heap-use-after-free SharedPtr.hpp:140 in Sass::SharedPtr::incRefCount()
Shadow bytes around the buggy address:
  0x1c2200002100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2200002110: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x1c2200002120: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c2200002130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2200002140: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c2200002150: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2200002160: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x1c2200002170: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c2200002180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2200002190: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c22000021a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==37839==ABORTING

Crash in libsass 3.5.5

==37843==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000010a88 at pc 0x00010490fd8c bp 0x7ffeeb77f8c0 sp 0x7ffeeb77f8b8
READ of size 8 at 0x611000010a88 thread T0
    #0 0x10490fd8b in Sass::SharedPtr::SharedPtr(Sass::SharedObj*) SharedPtr.cpp:75
    #1 0x1047b7005 in Sass::Expand::operator()(Sass::Extension*) SharedPtr.hpp:141
    #2 0x10479b0d6 in Sass::Expand::append_block(Sass::Block*) expand.cpp:811
    #3 0x10479a6c8 in Sass::Expand::operator()(Sass::Block*) expand.cpp:72
    #4 0x10479cb96 in Sass::Expand::operator()(Sass::Ruleset*) expand.cpp:144
    #5 0x10479b0d6 in Sass::Expand::append_block(Sass::Block*) expand.cpp:811
    #6 0x10479a6c8 in Sass::Expand::operator()(Sass::Block*) expand.cpp:72
    #7 0x10451ace9 in Sass::Context::compile() context.cpp:670
    #8 0x104518096 in Sass::File_Context::parse() context.cpp:597
    #9 0x1048b92f1 in sass_compiler_parse sass_context.cpp:234
    #10 0x1048b8b29 in sass_compile_context(Sass_Context*, Sass::Context*) sass_context.cpp:371
    #11 0x10447f9a6 in compile_file sassc.c:158
    #12 0x1044802e6 in main sassc.c:370
    #13 0x7fff701cb014 in start (libdyld.dylib:x86_64+0x1014)

0x611000010a88 is located 8 bytes inside of 216-byte region [0x611000010a80,0x611000010b58)
freed by thread T0 here:
    #0 0x104bdb292 in wrap__ZdlPv (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x62292)
    #1 0x1047923c7 in Sass::Eval::operator()(Sass::Parent_Selector*) SharedPtr.hpp:172
    #2 0x104785881 in Sass::Eval::operator()(Sass::String_Schema*) eval.cpp:1237
    #3 0x104790832 in Sass::Eval::operator()(Sass::Selector_Schema*) eval.cpp:1582
    #4 0x1047b6a9f in Sass::Expand::operator()(Sass::Extension*) expand.cpp:652
    #5 0x10479b0d6 in Sass::Expand::append_block(Sass::Block*) expand.cpp:811
    #6 0x10479a6c8 in Sass::Expand::operator()(Sass::Block*) expand.cpp:72
    #7 0x10479cb96 in Sass::Expand::operator()(Sass::Ruleset*) expand.cpp:144
    #8 0x10479b0d6 in Sass::Expand::append_block(Sass::Block*) expand.cpp:811
    #9 0x10479a6c8 in Sass::Expand::operator()(Sass::Block*) expand.cpp:72
    #10 0x10451ace9 in Sass::Context::compile() context.cpp:670
    #11 0x104518096 in Sass::File_Context::parse() context.cpp:597
    #12 0x1048b92f1 in sass_compiler_parse sass_context.cpp:234
    #13 0x1048b8b29 in sass_compile_context(Sass_Context*, Sass::Context*) sass_context.cpp:371
    #14 0x10447f9a6 in compile_file sassc.c:158
    #15 0x1044802e6 in main sassc.c:370
    #16 0x7fff701cb014 in start (libdyld.dylib:x86_64+0x1014)

previously allocated by thread T0 here:
    #0 0x104bdacb2 in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x61cb2)
    #1 0x10478e74a in Sass::Eval::operator()(Sass::Selector_List*) eval.cpp:1518
    #2 0x104792096 in Sass::Eval::operator()(Sass::Parent_Selector*) eval.cpp:1616
    #3 0x104785881 in Sass::Eval::operator()(Sass::String_Schema*) eval.cpp:1237
    #4 0x104790832 in Sass::Eval::operator()(Sass::Selector_Schema*) eval.cpp:1582
    #5 0x1047b6a9f in Sass::Expand::operator()(Sass::Extension*) expand.cpp:652
    #6 0x10479b0d6 in Sass::Expand::append_block(Sass::Block*) expand.cpp:811
    #7 0x10479a6c8 in Sass::Expand::operator()(Sass::Block*) expand.cpp:72
    #8 0x10479cb96 in Sass::Expand::operator()(Sass::Ruleset*) expand.cpp:144
    #9 0x10479b0d6 in Sass::Expand::append_block(Sass::Block*) expand.cpp:811
    #10 0x10479a6c8 in Sass::Expand::operator()(Sass::Block*) expand.cpp:72
    #11 0x10451ace9 in Sass::Context::compile() context.cpp:670
    #12 0x104518096 in Sass::File_Context::parse() context.cpp:597
    #13 0x1048b92f1 in sass_compiler_parse sass_context.cpp:234
    #14 0x1048b8b29 in sass_compile_context(Sass_Context*, Sass::Context*) sass_context.cpp:371
    #15 0x10447f9a6 in compile_file sassc.c:158
    #16 0x1044802e6 in main sassc.c:370
    #17 0x7fff701cb014 in start (libdyld.dylib:x86_64+0x1014)

SUMMARY: AddressSanitizer: heap-use-after-free SharedPtr.cpp:75 in Sass::SharedPtr::SharedPtr(Sass::SharedObj*)
Shadow bytes around the buggy address:
  0x1c2200002100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2200002110: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x1c2200002120: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c2200002130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2200002140: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c2200002150: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2200002160: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x1c2200002170: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c2200002180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2200002190: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c22000021a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==37843==ABORTING
@glebm
Copy link
Contributor

glebm commented Dec 3, 2018

A simple repro:

x {
 @extend #{&};
 @extend #{&};
}

Interestengly, the various versions of Sass can't agree on the right result:

With the example as above, Dart outputs nothing.

Ruby outputs:

Error: "x" failed to @extend "x".
       The selector "x" was not found.

However, if we change this to:

x {
 @extend #{&};
 @extend #{&};
 color: red;
}

Dart:

x {
  color: red;
}

Ruby:

x {
  color: red; }

/cc @nex3

glebm added a commit to glebm/libsass that referenced this issue Dec 3, 2018
@glebm
Fix sass#2782: heap-use-after-free in expand.cpp
1c73ea6 
Selector stack got popped during eval, resulting in `extender` deletion.
@nex3
Copy link
Contributor

nex3 commented Dec 3, 2018
edited
Loading

@glebm Dart Sass is correct here. As of sass/sass#2250, the expected behavior for an @extend that matches a target selector but fails to create a new selector is to raise no error. Ruby Sass is in error here... can you file an issue against it?

I believe x {@extend x} is a sufficient reproduction here.

@zyingp
Copy link
Author

zyingp commented Dec 4, 2018

Assigned CVE-2018-19827

@xzyfer xzyfer mentioned this issue Dec 4, 2018
Merged
@glebm glebm mentioned this issue Dec 4, 2018
Open
glebm added a commit to glebm/libsass that referenced this issue Dec 6, 2018
@glebm
Fix sass#2782: heap-use-after-free in expand.cpp
67a3f4f 
Selector stack got popped during eval, resulting in `extender` deletion.
@xzyfer xzyfer closed this as completed in b21fb9f Dec 6, 2018
@glebm glebm added the Fuzzy label Apr 15, 2019
@Abdul1110 Abdul1110 mentioned this issue May 12, 2022
Open
@Svetlana-github Svetlana-github mentioned this issue May 16, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Fuzzy
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@nex3 @glebm @zyingp