SEGV in sassc in eval.cpp #3030

c0d3xpl0it · 2019-11-04T15:10:15Z

We found SEGV in sassc binary and sassc is complied with clang enabling ASAN.

Machine Setup

Machine : Ubuntu 16.04.3 LTS
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
Commit : e1c16e0
Command : sassc POC

Complilation : CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 make -C sassc -j4
POC : POC-3.zip

ASAN Output

fuzzer@fuzzer:~/libsass/sassc/bin$ ./sassc -v
sassc: 3.6.1-5-g507f0
libsass: 3.6.2-16-ge1c16
sass2scss: 1.1.1
sass: 3.5

fuzzer@fuzzer:~/libsass/sassc/bin$ ./sassc POC
ASAN:DEADLYSIGNAL
=================================================================
==9933==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000a20f5c bp 0x7ffcd21f0970 sp 0x7ffcd21f05e0 T0)
    #0 0xa20f5b in Sass::Eval::operator()(Sass::String_Schema*) /home/fuzzer/libsass/src/eval.cpp:1281:27
    #1 0xa295b8 in Sass::Eval::operator()(Sass::Media_Query*) /home/fuzzer/libsass/src/eval.cpp:1373:47
    #2 0x9cfc6e in Sass::Eval::operator()(Sass::List*) /home/fuzzer/libsass/src/eval.cpp:509:18
    #3 0xa69fc0 in Sass::Expand::operator()(Sass::Import*) /home/fuzzer/libsass/src/expand.cpp:421:27
    #4 0xa98fe0 in Sass::Expand::append_block(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:863:27
    #5 0xa4b7a2 in Sass::Expand::operator()(Sass::Block*) /home/fuzzer/libsass/src/expand.cpp:157:5
    #6 0x5b722b in Sass::Context::compile() /home/fuzzer/libsass/src/context.cpp:650:12
    #7 0x5b1e09 in Sass::File_Context::parse() /home/fuzzer/libsass/src/context.cpp:579:12
    #8 0x55191e in Sass::sass_parse_block(Sass_Compiler*) /home/fuzzer/libsass/src/sass_context.cpp:180:22
    #9 0x55191e in sass_compiler_parse /home/fuzzer/libsass/src/sass_context.cpp:434
    #10 0x550394 in sass_compile_context(Sass_Context*, Sass::Context*) /home/fuzzer/libsass/src/sass_context.cpp:317:7
    #11 0x550a81 in sass_compile_file_context /home/fuzzer/libsass/src/sass_context.cpp:421:12
    #12 0x53f18e in compile_file /home/fuzzer/libsass/sassc/sassc.c:173:5
    #13 0x540244 in main /home/fuzzer/libsass/sassc/sassc.c:387:18
    #14 0x7fd5b685d82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #15 0x46d198 in _start (/home/fuzzer/libsass/sassc/bin/sassc+0x46d198)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fuzzer/libsass/src/eval.cpp:1281:27 in Sass::Eval::operator()(Sass::String_Schema*)
==9933==ABORTING

The text was updated successfully, but these errors were encountered:

Fixes sass#3030

sass/libsass#3031 sass/libsass#3030 sass/libsass#3029 sass/libsass#3028

mgreter added a commit to mgreter/libsass that referenced this issue Nov 4, 2019

Fix nullptr access on media query without type

a5226f4

Fixes sass#3030

mgreter self-assigned this Nov 4, 2019

mgreter added Dev - Needs Test Bug - Confirmed labels Nov 4, 2019

mgreter mentioned this issue Nov 4, 2019

Fix various edge case crashes #3032

Merged

mgreter closed this as completed in #3032 Nov 4, 2019

mgreter added a commit to mgreter/libsass-spec that referenced this issue Mar 22, 2020

Add a few todo fuzzy tests

7fbf900

sass/libsass#3031 sass/libsass#3030 sass/libsass#3029 sass/libsass#3028

mgreter added Dev - Test Written and removed Dev - Needs Test labels Mar 22, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SEGV in sassc in eval.cpp #3030

SEGV in sassc in eval.cpp #3030

c0d3xpl0it commented Nov 4, 2019

SEGV in sassc in eval.cpp #3030

SEGV in sassc in eval.cpp #3030

Comments

c0d3xpl0it commented Nov 4, 2019