
Heap-buffer-overflow in lexer.hpp #3045

Closed
skyvast404 opened this issue Dec 4, 2019 · 1 comment
Comments


skyvast404 commented Dec 4, 2019

I found a stack overflow in the sassc binary; sassc is compiled with clang with ASAN enabled.

Machine Setup

Machine : Ubuntu 16.04.3 LTS
gcc version : 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
Command : sassc poc

Compilation : CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 make -C sassc -j4
POC : poc.txt

ASAN Output:

==465==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000114 at pc 0x00000081db7b bp 0x7ffe64dc8c80 sp 0x7ffe64dc8c78
READ of size 1 at 0x602000000114 thread T0
    #0 0x81db7a in exactly<'\\'> /src/libsass/src/lexer.hpp:82:14
    #1 0x81db7a in sequence<&Sass::Prelexer::exactly, &Sass::Prelexer::re_linebreak> /src/libsass/src/lexer.hpp:216:20
    #2 0x81db7a in alternatives<&Sass::Prelexer::sequence, &Sass::Prelexer::escape_seq, &Sass::Prelexer::unicode_seq, &Sass::Prelexer::interpolant, &Sass::Prelexer::any_char_but> /src/libsass/src/lexer.hpp:200:19
    #3 0x81db7a in zero_plus<&Sass::Prelexer::alternatives> /src/libsass/src/lexer.hpp:234:30
    #4 0x81db7a in sequence<&Sass::Prelexer::zero_plus, &Sass::Prelexer::exactly> /src/libsass/src/lexer.hpp:216:20
    #5 0x81db7a in sequence<&Sass::Prelexer::exactly, &Sass::Prelexer::zero_plus, &Sass::Prelexer::exactly> /src/libsass/src/lexer.hpp:217:14
    #6 0x81db7a in single_quoted_string /src/libsass/src/prelexer.cpp:516:14
    #7 0x81db7a in alternatives<&Sass::Prelexer::single_quoted_string, &Sass::Prelexer::double_quoted_string> /src/libsass/src/lexer.hpp:200:19
    #8 0x81db7a in Sass::Prelexer::quoted_string(char const*) /src/libsass/src/prelexer.cpp:564:14
    #9 0x8359ac in char const* Sass::Prelexer::alternatives<&(Sass::Prelexer::quoted_string(char const*)), &(Sass::Prelexer::interpolant(char const*)), &(Sass::Prelexer::identifier(char const*)), &(Sass::Prelexer::variable(char const*)), &(Sass::Prelexer::percentage(char const*)), &(Sass::Prelexer::binomial(char const*)), &(Sass::Prelexer::dimension(char const*)), &(Sass::Prelexer::alnum(char const*))>(char const*) /src/libsass/src/lexer.hpp:200:19
    #10 0x8358ea in alternatives<&Sass::Prelexer::exactly, &Sass::Prelexer::quoted_string, &Sass::Prelexer::interpolant, &Sass::Prelexer::identifier, &Sass::Prelexer::variable, &Sass::Prelexer::percentage, &Sass::Prelexer::binomial, &Sass::Prelexer::dimension, &Sass::Prelexer::alnum> /src/libsass/src/lexer.hpp:201:14
    #11 0x8358ea in alternatives<&Sass::Prelexer::kwd_optional, &Sass::Prelexer::exactly, &Sass::Prelexer::quoted_string, &Sass::Prelexer::interpolant, &Sass::Prelexer::identifier, &Sass::Prelexer::variable, &Sass::Prelexer::percentage, &Sass::Prelexer::binomial, &Sass::Prelexer::dimension, &Sass::Prelexer::alnum> /src/libsass/src/lexer.hpp:201:14
    #12 0x8358ea in sequence<&Sass::Prelexer::alternatives> /src/libsass/src/lexer.hpp:210:20
    #13 0x8358ea in char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::zero_plus<&(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)45>(char const*)), &(Sass::Prelexer::optional_spaces(char const*))>(char const*))>(char const*)), &(char const* Sass::Prelexer::alternatives<&(Sass::Prelexer::kwd_optional(char const*)), &(char const* Sass::Prelexer::exactly<(char)42>(char const*)), &(Sass::Prelexer::quoted_string(char const*)), &(Sass::Prelexer::interpolant(char const*)), &(Sass::Prelexer::identifier(char const*)), &(Sass::Prelexer::variable(char const*)), &(Sass::Prelexer::percentage(char const*)), &(Sass::Prelexer::binomial(char const*)), &(Sass::Prelexer::dimension(char const*)), &(Sass::Prelexer::alnum(char const*))>(char const*))>(char const*) /src/libsass/src/lexer.hpp:217:14
    #14 0x83550d in one_plus<&Sass::Prelexer::sequence> /src/libsass/src/lexer.hpp:242:23
    #15 0x83550d in sequence<&Sass::Prelexer::one_plus, &Sass::Prelexer::zero_plus> /src/libsass/src/lexer.hpp:216:20
    #16 0x83550d in sequence<&Sass::Prelexer::alternatives, &Sass::Prelexer::one_plus, &Sass::Prelexer::zero_plus> /src/libsass/src/lexer.hpp:217:14
    #17 0x83550d in char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::optional<&(Sass::Prelexer::namespace_schema(char const*))>(char const*)), &(char const* Sass::Prelexer::alternatives<&(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)35>(char const*)), &(char const* Sass::Prelexer::negate<&(char const* Sass::Prelexer::exactly<(char)123>(char const*))>(char const*))>(char const*)), &(char const* Sass::Prelexer::exactly<(char)46>(char const*)), &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::optional<&(Sass::Prelexer::pseudo_prefix(char const*))>(char const*)), &(char const* Sass::Prelexer::negate<&(Sass::Prelexer::uri_prefix(char const*))>(char const*))>(char const*))>(char const*)), &(char const* Sass::Prelexer::one_plus<&(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::zero_plus<&(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)45>(char const*)), &(Sass::Prelexer::optional_spaces(char const*))>(char const*))>(char const*)), &(char const* Sass::Prelexer::alternatives<&(Sass::Prelexer::kwd_optional(char const*)), &(char const* Sass::Prelexer::exactly<(char)42>(char const*)), &(Sass::Prelexer::quoted_string(char const*)), &(Sass::Prelexer::interpolant(char const*)), &(Sass::Prelexer::identifier(char const*)), &(Sass::Prelexer::variable(char const*)), &(Sass::Prelexer::percentage(char const*)), &(Sass::Prelexer::binomial(char const*)), &(Sass::Prelexer::dimension(char const*)), &(Sass::Prelexer::alnum(char const*))>(char const*))>(char const*))>(char const*)), &(char const* Sass::Prelexer::zero_plus<&(char const* Sass::Prelexer::exactly<(char)45>(char const*))>(char const*))>(char const*) /src/libsass/src/lexer.hpp:217:14
    #18 0x82b9ee in alternatives<&Sass::Prelexer::block_comment, &Sass::Prelexer::line_comment, &Sass::Prelexer::schema_reference_combinator, &Sass::Prelexer::class_char, &Sass::Prelexer::class_char, &Sass::Prelexer::sequence, &Sass::Prelexer::alternatives, &Sass::Prelexer::sequence> /src/libsass/src/lexer.hpp:201:14
    #19 0x82b9ee in alternatives<&Sass::Prelexer::spaces, &Sass::Prelexer::block_comment, &Sass::Prelexer::line_comment, &Sass::Prelexer::schema_reference_combinator, &Sass::Prelexer::class_char, &Sass::Prelexer::class_char, &Sass::Prelexer::sequence, &Sass::Prelexer::alternatives, &Sass::Prelexer::sequence> /src/libsass/src/lexer.hpp:201:14
    #20 0x82b9ee in one_plus<&Sass::Prelexer::alternatives> /src/libsass/src/lexer.hpp:242:23
    #21 0x82b9ee in alternatives<&Sass::Prelexer::one_plus> /src/libsass/src/lexer.hpp:194:19
    #22 0x82b9ee in alternatives<&Sass::Prelexer::sequence, &Sass::Prelexer::one_plus> /src/libsass/src/lexer.hpp:201:14
    #23 0x82b9ee in Sass::Prelexer::re_selector_list(char const*) /src/libsass/src/prelexer.cpp:1643:14
    #24 0x71e885 in peek<&Sass::Prelexer::re_selector_list> /src/libsass/src/parser.hpp:140:27
    #25 0x71e885 in Sass::Parser::lookahead_for_selector(char const*) /src/libsass/src/parser.cpp:2630:7
    #26 0x6f4e0d in Sass::Parser::parse_block_node(bool) /src/libsass/src/parser.cpp:274:28
    #27 0x6ec35d in Sass::Parser::parse_block_nodes(bool) /src/libsass/src/parser.cpp:189:11
    #28 0x6e856b in Sass::Parser::parse() /src/libsass/src/parser.cpp:115:5
    #29 0x5a2968 in Sass::Context::register_resource(Sass::Include const&, Sass::Resource const&) /src/libsass/src/context.cpp:306:24
    #30 0x5b5654 in Sass::Data_Context::parse() /src/libsass/src/context.cpp:620:5
    #31 0x582635 in sass_parse_block /src/libsass/src/sass_context.cpp:180:31
    #32 0x582635 in sass_compiler_parse /src/libsass/src/sass_context.cpp:434:22
    #33 0x581b08 in sass_compile_context(Sass_Context*, Sass::Context*) /src/libsass/src/sass_context.cpp:317:7
    #34 0x57f786 in LLVMFuzzerTestOneInput /src/data_context_fuzzer.cc:26:3
    #35 0x485391 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #36 0x46feb1 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
    #37 0x475b6e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
    #38 0x49fa92 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #39 0x7faf70aef82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #40 0x449328 in _start (/out/data_context_fuzzer+0x449328)

0x602000000114 is located 0 bytes to the right of 4-byte region [0x602000000110,0x602000000114)
allocated by thread T0 here:
    #0 0x54cf2d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x57f700 in LLVMFuzzerTestOneInput /src/data_context_fuzzer.cc:4:29
    #2 0x485391 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #3 0x46feb1 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
    #4 0x475b6e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
    #5 0x49fa92 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #6 0x7faf70aef82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/libsass/src/lexer.hpp:82:14 in exactly<'\\'>
Shadow bytes around the buggy address:
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 fa
  0x0c047fff8010: fa fa 00 fa fa fa 00 fa fa fa 03 fa fa fa 03 fa
=>0x0c047fff8020: fa fa[04]fa fa fa 00 03 fa fa fd fa fa fa 06 fa
  0x0c047fff8030: fa fa 00 03 fa fa fd fa fa fa 00 fa fa fa 00 00
  0x0c047fff8040: fa fa 06 fa fa fa 06 fa fa fa 00 00 fa fa 06 fa
  0x0c047fff8050: fa fa 00 00 fa fa 04 fa fa fa fd fa fa fa 00 00
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==465==ABORTING
@skyvast404 skyvast404 reopened this Dec 4, 2019
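The trace above reports a 1-byte read by exactly<'\\'> landing 0 bytes past a 4-byte malloc'd region, i.e. the combinator chain ran off the end of the input buffer. Below is an added illustration (not libsass code; the combinator names only follow the frames in the trace) of the same combinator shape carrying an explicit end pointer, so a constructed unterminated input such as 'ab\ stops at the last byte instead of reading beyond it.

```cpp
// Bounded prelexer combinators (added illustration, not libsass code).
// Every matcher carries `end`, so an input without a terminator is never read past.
#include <cstddef>
typedef const char* (*Matcher)(const char* src, const char* end);

template <char C> const char* exactly(const char* src, const char* end) {
  return (src < end && *src == C) ? src + 1 : nullptr;  // bounds check before deref
}
template <char C> const char* any_char_but(const char* src, const char* end) {
  return (src < end && *src != C) ? src + 1 : nullptr;
}
const char* any_char(const char* src, const char* end) { return src < end ? src + 1 : nullptr; }

// sequence: all matchers in order; alternatives: first matcher that succeeds.
template <Matcher M> const char* sequence(const char* src, const char* end) { return M(src, end); }
template <Matcher M1, Matcher M2, Matcher... Rest>
const char* sequence(const char* src, const char* end) {
  const char* p = M1(src, end);
  return p ? sequence<M2, Rest...>(p, end) : nullptr;
}
template <Matcher M> const char* alternatives(const char* src, const char* end) { return M(src, end); }
template <Matcher M1, Matcher M2, Matcher... Rest>
const char* alternatives(const char* src, const char* end) {
  const char* p = M1(src, end);
  return p ? p : alternatives<M2, Rest...>(src, end);
}
template <Matcher M> const char* zero_plus(const char* src, const char* end) {
  while (const char* q = M(src, end)) src = q;  // every M here consumes >= 1 byte
  return src;
}
const char* re_linebreak(const char* src, const char* end) { return alternatives<exactly<'\n'>, exactly<'\r'>>(src, end); }
const char* escape_seq(const char* src, const char* end) { return sequence<exactly<'\\'>, any_char>(src, end); }

// Quote, body (escaped linebreak | escape | any non-quote byte)*, quote.
const char* single_quoted_string(const char* src, const char* end) {
  return sequence<exactly<'\''>,
                  zero_plus<alternatives<sequence<exactly<'\\'>, re_linebreak>,
                                         escape_seq, any_char_but<'\''>>>,
                  exactly<'\''>>(src, end);
}
// Bytes consumed by a complete single-quoted string, or -1 if none is present.
long lex_single_quoted(const char* buf, std::size_t len) {
  const char* p = single_quoted_string(buf, buf + len);
  return p ? (long)(p - buf) : -1;
}
```

Passing `len` rather than relying on a terminating byte is what keeps the trailing backslash case from touching buf[len].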
Contributor

mgreter commented May 1, 2020

This seems already fixed with libsass 3.6.3.
I also downloaded the file and tested it locally.

2 participants