Heap Buffer Overflow in sassc #3029

c0d3xpl0it · 2019-11-04T15:08:18Z

We found Heap Buffer Overflow in sassc binary and sassc is complied with clang enabling ASAN.

Machine Setup

Machine : Ubuntu 16.04.3 LTS
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
Commit : e1c16e0
Command : sassc POC

Complilation : CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 make -C sassc -j4
POC : POC-2.zip

ASAN Output

fuzzer@fuzzer:~/libsass/sassc/bin$ ./sassc -v
sassc: 3.6.1-5-g507f0
libsass: 3.6.2-16-ge1c16
sass2scss: 1.1.1
sass: 3.5

fuzzer@fuzzer:~/libsass/sassc/bin$ ./sassc POC
WARNING on line 1, column 158 of /home/fuzzer/libsass/sassc/bin/out/slave2/crashes/id:000026,sig:06,src:012792,time:51458196,op:havoc,rep:4:
Compound selectors may no longer be extended.
Consider `@extend *, *, *, *, *` instead.
See http://bit.ly/ExtendCompound for details.

=================================================================
==2203==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000077c8 at pc 0x000000e9043e bp 0x7fff175faf10 sp 0x7fff175faf08
READ of size 8 at 0x6020000077c8 thread T0
    #0 0xe9043d in std::vector<std::vector<Sass::SharedImpl<Sass::ComplexSelector>, std::allocator<Sass::SharedImpl<Sass::ComplexSelector> > >, std::allocator<std::vector<Sass::SharedImpl<Sass::ComplexSelector>, std::allocator<Sass::SharedImpl<Sass::ComplexSelector> > > > > Sass::permutateAlt<Sass::SharedImpl<Sass::ComplexSelector> >(std::vector<std::vector<Sass::SharedImpl<Sass::ComplexSelector>, std::allocator<Sass::SharedImpl<Sass::ComplexSelector> > >, std::allocator<std::vector<Sass::SharedImpl<Sass::ComplexSelector>, std::allocator<Sass::SharedImpl<Sass::ComplexSelector> > > > > const&) /home/fuzzer/libsass/src/permutate.hpp:105:11
    #1 0xe85564 in Sass::ComplexSelector::resolve_parent_refs(std::vector<Sass::SharedImpl<Sass::SelectorList>, std::allocator<Sass::SharedImpl<Sass::SelectorList> > >, std::vector<Sass::Backtrace, std::allocator<Sass::Backtrace> >&, bool) /home/fuzzer/libsass/src/ast_selectors.cpp:980:56
    #2 0xa402a7 in Sass::Eval::operator()(Sass::ComplexSelector*) /home/fuzzer/libsass/src/eval_selectors.cpp:50:29
    #3 0xa3e645 in Sass::Eval::operator()(Sass::SelectorList*) /home/fuzzer/libsass/src/eval_selectors.cpp:16:20
    #4 0xa4e1a1 in Sass::Expand::operator()(Sass::Ruleset*) /home/fuzzer/libsass/src/expand.cpp:201:30
    #5 0xa98fe0 in Sass::Expand::append_block(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:863:27
    #6 0xa4b7a2 in Sass::Expand::operator()(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:157:5
    #7 0xa4f0e3 in Sass::Expand::operator()(Sass::Ruleset*) /home/fuzzer/libsass/src/expand.cpp:213:27
    #8 0xa98fe0 in Sass::Expand::append_block(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:863:27
    #9 0xa4b7a2 in Sass::Expand::operator()(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:157:5
    #10 0xa5e86b in Sass::Expand::operator()(Sass::Directive*) /home/fuzzer/libsass/src/expand.cpp:312:22
    #11 0xa98fe0 in Sass::Expand::append_block(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:863:27
    #12 0xa4b7a2 in Sass::Expand::operator()(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:157:5
    #13 0xa4f0e3 in Sass::Expand::operator()(Sass::Ruleset*) /home/fuzzer/libsass/src/expand.cpp:213:27
    #14 0xa98fe0 in Sass::Expand::append_block(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:863:27
    #15 0xa4b7a2 in Sass::Expand::operator()(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:157:5
    #16 0xa4f0e3 in Sass::Expand::operator()(Sass::Ruleset*) /home/fuzzer/libsass/src/expand.cpp:213:27
    #17 0xa98fe0 in Sass::Expand::append_block(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:863:27
    #18 0xa4b7a2 in Sass::Expand::operator()(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:157:5
    #19 0x5b722b in Sass::Context::compile() /home/fuzzer/libsass/src/context.cpp:650:12
    #20 0x5b1e09 in Sass::File_Context::parse() /home/fuzzer/libsass/src/context.cpp:579:12
    #21 0x55191e in Sass::sass_parse_block(Sass_Compiler*) /home/fuzzer/libsass/src/sass_context.cpp:180:22
    #22 0x55191e in sass_compiler_parse /home/fuzzer/libsass/src/sass_context.cpp:434
    #23 0x550394 in sass_compile_context(Sass_Context*, Sass::Context*) /home/fuzzer/libsass/src/sass_context.cpp:317:7
    #24 0x550a81 in sass_compile_file_context /home/fuzzer/libsass/src/sass_context.cpp:421:12
    #25 0x53f18e in compile_file /home/fuzzer/libsass/sassc/sassc.c:173:5
    #26 0x540244 in main /home/fuzzer/libsass/sassc/sassc.c:387:18
    #27 0x7ff19277d82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #28 0x46d198 in _start (/home/fuzzer/libsass/sassc/bin/sassc+0x46d198)

0x6020000077c8 is located 8 bytes to the left of 1-byte region [0x6020000077d0,0x6020000077d1)
allocated by thread T0 here:
    #0 0x50d2c8 in __interceptor_malloc (/home/fuzzer/libsass/sassc/bin/sassc+0x50d2c8)
    #1 0x7ff1931efe77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)
    #2 0xe85564 in Sass::ComplexSelector::resolve_parent_refs(std::vector<Sass::SharedImpl<Sass::SelectorList>, std::allocator<Sass::SharedImpl<Sass::SelectorList> > >, std::vector<Sass::Backtrace, std::allocator<Sass::Backtrace> >&, bool) /home/fuzzer/libsass/src/ast_selectors.cpp:980:56
    #3 0xa402a7 in Sass::Eval::operator()(Sass::ComplexSelector*) /home/fuzzer/libsass/src/eval_selectors.cpp:50:29
    #4 0xa3e645 in Sass::Eval::operator()(Sass::SelectorList*) /home/fuzzer/libsass/src/eval_selectors.cpp:16:20
    #5 0xa4e1a1 in Sass::Expand::operator()(Sass::Ruleset*) /home/fuzzer/libsass/src/expand.cpp:201:30
    #6 0xa98fe0 in Sass::Expand::append_block(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:863:27
    #7 0xa4b7a2 in Sass::Expand::operator()(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:157:5
    #8 0xa4f0e3 in Sass::Expand::operator()(Sass::Ruleset*) /home/fuzzer/libsass/src/expand.cpp:213:27
    #9 0xa98fe0 in Sass::Expand::append_block(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:863:27
    #10 0xa4b7a2 in Sass::Expand::operator()(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:157:5
    #11 0xa5e86b in Sass::Expand::operator()(Sass::Directive*) /home/fuzzer/libsass/src/expand.cpp:312:22
    #12 0xa98fe0 in Sass::Expand::append_block(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:863:27
    #13 0xa4b7a2 in Sass::Expand::operator()(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:157:5
    #14 0xa4f0e3 in Sass::Expand::operator()(Sass::Ruleset*) /home/fuzzer/libsass/src/expand.cpp:213:27
    #15 0xa98fe0 in Sass::Expand::append_block(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:863:27
    #16 0xa4b7a2 in Sass::Expand::operator()(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:157:5
    #17 0xa4f0e3 in Sass::Expand::operator()(Sass::Ruleset*) /home/fuzzer/libsass/src/expand.cpp:213:27
    #18 0xa98fe0 in Sass::Expand::append_block(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:863:27
    #19 0xa4b7a2 in Sass::Expand::operator()(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:157:5
    #20 0x5b722b in Sass::Context::compile() /home/fuzzer/libsass/src/context.cpp:650:12
    #21 0x5b1e09 in Sass::File_Context::parse() /home/fuzzer/libsass/src/context.cpp:579:12
    #22 0x55191e in Sass::sass_parse_block(Sass_Compiler*) /home/fuzzer/libsass/src/sass_context.cpp:180:22
    #23 0x55191e in sass_compiler_parse /home/fuzzer/libsass/src/sass_context.cpp:434
    #24 0x550394 in sass_compile_context(Sass_Context*, Sass::Context*) /home/fuzzer/libsass/src/sass_context.cpp:317:7

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzzer/libsass/src/permutate.hpp:105:11 in std::vector<std::vector<Sass::SharedImpl<Sass::ComplexSelector>, std::allocator<Sass::SharedImpl<Sass::ComplexSelector> > >, std::allocator<std::vector<Sass::SharedImpl<Sass::ComplexSelector>, std::allocator<Sass::SharedImpl<Sass::ComplexSelector> > > > > Sass::permutateAlt<Sass::SharedImpl<Sass::ComplexSelector> >(std::vector<std::vector<Sass::SharedImpl<Sass::ComplexSelector>, std::allocator<Sass::SharedImpl<Sass::ComplexSelector> > >, std::allocator<std::vector<Sass::SharedImpl<Sass::ComplexSelector>, std::allocator<Sass::SharedImpl<Sass::ComplexSelector> > > > > const&)
Shadow bytes around the buggy address:
  0x0c047fff8ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff8ef0: fa fa fa fa fa fa fa fa fa[fa]01 fa fa fa 00 00
  0x0c047fff8f00: fa fa 00 fa fa fa fd fa fa fa 00 00 fa fa fd fa
  0x0c047fff8f10: fa fa fd fa fa fa fd fa fa fa 00 fa fa fa fd fa
  0x0c047fff8f20: fa fa fd fa fa fa 00 00 fa fa fd fa fa fa fd fd
  0x0c047fff8f30: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff8f40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2203==ABORTING
fuzzer@fuzzer:~/libsass/sassc/bin$

The text was updated successfully, but these errors were encountered:

Fixes sass#3028 Fixes sass#3029

sass/libsass#3031 sass/libsass#3030 sass/libsass#3029 sass/libsass#3028

mgreter added a commit to mgreter/libsass that referenced this issue Nov 4, 2019

Fix out of boundary vector access

4c83fdb

Fixes sass#3028 Fixes sass#3029

mgreter self-assigned this Nov 4, 2019

mgreter added Bug - Confirmed Dev - Needs Test labels Nov 4, 2019

mgreter mentioned this issue Nov 4, 2019

Fix various edge case crashes #3032

Merged

mgreter closed this as completed in #3032 Nov 4, 2019

mgreter added a commit to mgreter/libsass-spec that referenced this issue Mar 22, 2020

Add a few todo fuzzy tests

7fbf900

sass/libsass#3031 sass/libsass#3030 sass/libsass#3029 sass/libsass#3028

mgreter added Dev - Test Written and removed Dev - Needs Test labels Mar 22, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Heap Buffer Overflow in sassc #3029

Heap Buffer Overflow in sassc #3029

c0d3xpl0it commented Nov 4, 2019

Heap Buffer Overflow in sassc #3029

Heap Buffer Overflow in sassc #3029

Comments

c0d3xpl0it commented Nov 4, 2019