Attached is a zip file with numerous crashes found while fuzzing sassc/libsass. The zip also contains the address sanitizer stack traces for the corresponding crash file. I minimized as best I could, but there might still be some inputs with the same functional root cause, just with different paths. These were tested with the latest master branch as of 20 minutes ago or so. Let me know if something doesn't make sense or if you can't reproduce.
When compiling with address sanitizer (CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" make all), ensure that libsass is also being compiled with -fsanitize=address or you may not get the same results as I am.
Here is an example of the stack traces in the zip:
# cat ./id:002005,sig:06,sync:fuzzer4,src:007495.asan
=================================================================
==25068==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000047f79 at pc 0x00000053d7dc bp 0x7ffdfffbcd30 sp 0x7ffdfffbc4e8
READ of size 78 at 0x626000047f79 thread T0
#0 0x53d7db in __asan_memcpy (/root/sassc_asan/bin/sassc+0x53d7db)
#1 0x57c820 in handle_error(Sass_Context*) (/root/sassc_asan/bin/sassc+0x57c820)
#2 0x575dbe in handle_errors(Sass_Context*) (/root/sassc_asan/bin/sassc+0x575dbe)
#3 0x5772db in sass_compiler_parse (/root/sassc_asan/bin/sassc+0x5772db)
#4 0x5767c9 in sass_compile_context(Sass_Context*, Sass::Context*) (/root/sassc_asan/bin/sassc+0x5767c9)
#5 0x573a03 in compile_stdin (/root/sassc_asan/bin/sassc+0x573a03)
#6 0x574504 in main (/root/sassc_asan/bin/sassc+0x574504)
#7 0x7f07f5371a3f in __libc_start_main /build/glibc-ryFjv0/glibc-2.21/csu/libc-start.c:289
#8 0x4cd318 in _start (/root/sassc_asan/bin/sassc+0x4cd318)
0x626000047f79 is located 1195 bytes to the right of 10702-byte region [0x626000045100,0x626000047ace)
allocated by thread T0 here:
#0 0x554625 in realloc (/root/sassc_asan/bin/sassc+0x554625)
#1 0x57396b in compile_stdin (/root/sassc_asan/bin/sassc+0x57396b)
#2 0x574504 in main (/root/sassc_asan/bin/sassc+0x574504)
#3 0x7f07f5371a3f in __libc_start_main /build/glibc-ryFjv0/glibc-2.21/csu/libc-start.c:289
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
0x0c4c80000f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c80000fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c80000fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c80000fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c80000fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4c80000fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c4c80000ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c80001000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c80001010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c80001020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4c80001030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25068==ABORTING
crashes.zip
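As a triage aid for a corpus like the attached one, here is an added Python script (not part of this issue or of the libsass/sassc projects) that parses ASan reports of the shape shown above and groups crash files by bug kind plus the top non-runtime frames, so inputs that differ only in path but share a root cause land in one bucket. The report embedded in it is a constructed sample modelled on the trace above, not the attached file.

```python
import re

# Constructed sample, modelled on the trace in this report (not the attached crash file).
SAMPLE_REPORT = """\
==25068==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000047f79 at pc 0x00000053d7dc bp 0x7ffdfffbcd30 sp 0x7ffdfffbc4e8
READ of size 78 at 0x626000047f79 thread T0
    #0 0x53d7db in __asan_memcpy (/root/sassc_asan/bin/sassc+0x53d7db)
    #1 0x57c820 in handle_error(Sass_Context*) (/root/sassc_asan/bin/sassc+0x57c820)
    #2 0x575dbe in handle_errors(Sass_Context*) (/root/sassc_asan/bin/sassc+0x575dbe)
    #3 0x5772db in sass_compiler_parse (/root/sassc_asan/bin/sassc+0x5772db)
0x626000047f79 is located 1195 bytes to the right of 10702-byte region [0x626000045100,0x626000047ace)
allocated by thread T0 here:
    #0 0x554625 in realloc (/root/sassc_asan/bin/sassc+0x554625)
    #1 0x57396b in compile_stdin (/root/sassc_asan/bin/sassc+0x57396b)
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in ([^\s(]+)", re.M)  # function name, args dropped
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
INTERCEPTORS = ("__asan_", "__interceptor_", "__sanitizer_")  # sanitizer runtime frames, not the bug

def parse_report(text):
    """Triage fields of one ASan report; region = (distance, side, size) or None."""
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("not an AddressSanitizer report")
    acc = ACCESS_RE.search(text)
    reg = REGION_RE.search(text)
    head, _, tail = text.partition("allocated by")  # access stack vs. allocation stack
    return {
        "kind": m.group(1),
        "access": acc.group(1) if acc else None,
        "size": int(acc.group(2)) if acc else None,
        "frames": FRAME_RE.findall(head),
        "alloc_frames": FRAME_RE.findall(tail),
        "region": (int(reg.group(1)), reg.group(2), int(reg.group(3))) if reg else None,
    }

def signature(report, depth=3):
    """Bug kind plus the first `depth` non-runtime frames: a coarse root-cause key."""
    user = [f for f in report["frames"] if not f.startswith(INTERCEPTORS)]
    return "|".join([report["kind"], *user[:depth]])

def group_by_signature(reports):
    """Map signature -> the crash files that produced it, for deduplicating a corpus."""
    groups = {}
    for name, text in reports.items():
        groups.setdefault(signature(parse_report(text)), []).append(name)
    return groups
```

Feed it the `.asan` files from the zip as `{filename: contents}` and each group is one bug to look at, with the sample above keyed on `handle_error` and its `realloc` allocation site in `compile_stdin`.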