Numerous crashes in libsass #2094

Closed
brandonprry opened this issue May 23, 2016 · 2 comments
brandonprry commented May 23, 2016

Attached is a zip file with numerous crashes found while fuzzing sassc/libsass. The zip also contains the address sanitizer stack traces for the corresponding crash file. I minimized as best I could, but there might still be some inputs with the same functional root cause, just with different paths. These were tested with the latest master branch as of 20 minutes ago or so. Let me know if something doesn't make sense or if you can't reproduce.

When compiling with address sanitizer (CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" make all), ensure that libsass is also being compiled with -fsanitize=address or you may not get the same results as I am.

Here is an example of the stack traces in the zip:

# cat ./id:002005,sig:06,sync:fuzzer4,src:007495.asan
=================================================================
==25068==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000047f79 at pc 0x00000053d7dc bp 0x7ffdfffbcd30 sp 0x7ffdfffbc4e8
READ of size 78 at 0x626000047f79 thread T0
    #0 0x53d7db in __asan_memcpy (/root/sassc_asan/bin/sassc+0x53d7db)
    #1 0x57c820 in handle_error(Sass_Context*) (/root/sassc_asan/bin/sassc+0x57c820)
    #2 0x575dbe in handle_errors(Sass_Context*) (/root/sassc_asan/bin/sassc+0x575dbe)
    #3 0x5772db in sass_compiler_parse (/root/sassc_asan/bin/sassc+0x5772db)
    #4 0x5767c9 in sass_compile_context(Sass_Context*, Sass::Context*) (/root/sassc_asan/bin/sassc+0x5767c9)
    #5 0x573a03 in compile_stdin (/root/sassc_asan/bin/sassc+0x573a03)
    #6 0x574504 in main (/root/sassc_asan/bin/sassc+0x574504)
    #7 0x7f07f5371a3f in __libc_start_main /build/glibc-ryFjv0/glibc-2.21/csu/libc-start.c:289
    #8 0x4cd318 in _start (/root/sassc_asan/bin/sassc+0x4cd318)

0x626000047f79 is located 1195 bytes to the right of 10702-byte region [0x626000045100,0x626000047ace)
allocated by thread T0 here:
    #0 0x554625 in realloc (/root/sassc_asan/bin/sassc+0x554625)
    #1 0x57396b in compile_stdin (/root/sassc_asan/bin/sassc+0x57396b)
    #2 0x574504 in main (/root/sassc_asan/bin/sassc+0x574504)
    #3 0x7f07f5371a3f in __libc_start_main /build/glibc-ryFjv0/glibc-2.21/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c4c80000f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c80000fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c80000fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c80000fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c80000fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4c80000fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c4c80000ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c80001000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c80001010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c80001020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c80001030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25068==ABORTING

crashes.zip
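The report above notes that several crash files may share one root cause even though their traces differ. The following triage helper is an added example, not code from the issue, libsass or sassc: it parses ASan logs in the format shown above and buckets them by error kind plus the top few program frames, ignoring sanitizer and start-up frames and any later "allocated by" / "freed by" stacks. The sample reports are constructed: REPORT_A copies the trace quoted in the issue (shadow bytes omitted), REPORT_B is an invented sibling on the same path with different addresses, and REPORT_C uses hypothetical function names that do not exist in libsass.

```python
"""Bucket AddressSanitizer crash reports by likely root cause (added example,
not libsass/sassc code). Reports that differ only in pids and addresses but
share error kind and top program frames usually point at one bug."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[A-Za-z0-9_-]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ in (?P<rest>.+)$")
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes (?:to the (?P<side>left|right) of|inside of) (?P<size>\d+)-byte region")
# Frames from the sanitizer runtime or process start-up, not from the program under test.
NOISE_PREFIXES = ("__asan", "__interceptor", "__sanitizer", "__libc_start_main", "_start")


@dataclass
class AsanReport:
    name: str
    kind: str                               # e.g. "heap-buffer-overflow"
    access: Optional[Tuple[str, int]]       # e.g. ("READ", 78); None when ASan prints no size
    frames: List[str]                       # symbols of the faulting stack, top first
    region: Optional[Tuple[int, str, int]]  # (distance, "left"/"right"/"inside", region size)

    def signature(self, depth: int = 3) -> Tuple[str, Tuple[str, ...]]:
        """Bucket key: error kind plus the top `depth` non-noise frames."""
        own = [f for f in self.frames if not f.startswith(NOISE_PREFIXES)]
        return (self.kind, tuple(own[:depth]))


def parse_report(name: str, text: str) -> AsanReport:
    """Pull kind, access, faulting stack and region info out of one ASan log."""
    kind = access = region = None
    frames, stack_done = [], False
    for line in text.splitlines():
        if kind is None:
            m = ERROR_RE.match(line)
            kind = m.group("kind") if m else None
            continue  # nothing before the ERROR line matters
        m = ACCESS_RE.match(line)
        if m and access is None:
            access = (m.group("op"), int(m.group("size")))
            continue
        m = FRAME_RE.match(line)
        if m and not stack_done:
            # Drop the trailing "(module+offset)" or "file:line" token; keep the symbol.
            frames.append(m.group("rest").rsplit(" ", 1)[0])
            continue
        if frames and not stack_done:
            stack_done = True  # later stacks (allocated by / freed by) are not part of the key
        m = REGION_RE.search(line)
        if m:
            region = (int(m.group("dist")), m.group("side") or "inside", int(m.group("size")))
    if kind is None:
        raise ValueError(f"{name}: no AddressSanitizer ERROR line found")
    return AsanReport(name, kind, access, frames, region)


def bucket_reports(reports: List[AsanReport], depth: int = 3) -> Dict[tuple, List[str]]:
    """Group report names by signature; each bucket is one candidate bug."""
    buckets = defaultdict(list)
    for r in reports:
        buckets[r.signature(depth)].append(r.name)
    return dict(buckets)


# Constructed samples. REPORT_A copies the trace quoted in the issue (shadow bytes omitted);
# REPORT_B is an invented sibling on the same path; REPORT_C uses hypothetical symbol names.
REPORT_A = """\
==25068==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000047f79 at pc 0x00000053d7dc bp 0x7ffdfffbcd30 sp 0x7ffdfffbc4e8
READ of size 78 at 0x626000047f79 thread T0
    #0 0x53d7db in __asan_memcpy (/root/sassc_asan/bin/sassc+0x53d7db)
    #1 0x57c820 in handle_error(Sass_Context*) (/root/sassc_asan/bin/sassc+0x57c820)
    #2 0x575dbe in handle_errors(Sass_Context*) (/root/sassc_asan/bin/sassc+0x575dbe)
    #3 0x5772db in sass_compiler_parse (/root/sassc_asan/bin/sassc+0x5772db)
    #4 0x5767c9 in sass_compile_context(Sass_Context*, Sass::Context*) (/root/sassc_asan/bin/sassc+0x5767c9)
    #5 0x573a03 in compile_stdin (/root/sassc_asan/bin/sassc+0x573a03)
    #6 0x574504 in main (/root/sassc_asan/bin/sassc+0x574504)
0x626000047f79 is located 1195 bytes to the right of 10702-byte region [0x626000045100,0x626000047ace)
allocated by thread T0 here:
    #0 0x554625 in realloc (/root/sassc_asan/bin/sassc+0x554625)
"""
REPORT_B = """\
==25071==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000ff88 at pc 0x00000053d7dc bp 0x7ffd00000000 sp 0x7ffd00000000
READ of size 40 at 0x61900000ff88 thread T0
    #0 0x53d7db in __asan_memcpy (/root/sassc_asan/bin/sassc+0x53d7db)
    #1 0x57c820 in handle_error(Sass_Context*) (/root/sassc_asan/bin/sassc+0x57c820)
    #2 0x575dbe in handle_errors(Sass_Context*) (/root/sassc_asan/bin/sassc+0x575dbe)
    #3 0x5772db in sass_compiler_parse (/root/sassc_asan/bin/sassc+0x5772db)
0x61900000ff88 is located 733 bytes to the right of 8192-byte region [0x61900000d180,0x61900000f180)
"""
REPORT_C = """\
==25099==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000010 at pc 0x00000041f0c0 bp 0x7ffd00000000 sp 0x7ffd00000000
READ of size 1 at 0x602000000010 thread T0
    #0 0x41f0bf in hypothetical_peek(char const*) (/root/sassc_asan/bin/sassc+0x41f0bf)
    #1 0x42a0d0 in hypothetical_parse_block() (/root/sassc_asan/bin/sassc+0x42a0d0)
    #2 0x573a03 in compile_stdin (/root/sassc_asan/bin/sassc+0x573a03)
0x602000000010 is located 0 bytes inside of 16-byte region [0x602000000010,0x602000000020)
"""
SAMPLES = {"id:002005.asan": REPORT_A, "id:002006.asan": REPORT_B, "id:002007.asan": REPORT_C}
```

Running `bucket_reports([parse_report(n, t) for n, t in SAMPLES.items()])` puts the first two samples in one bucket keyed on `handle_error` / `handle_errors` / `sass_compiler_parse` and the third in its own; on a real corpus, feed each `.asan` file from the zip through `parse_report` and fix or report one input per bucket first, then re-run the rest against the patched build.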

xzyfer commented May 25, 2016

@mgreter mgreter added this to the 3.4 milestone Oct 22, 2016
@mgreter mgreter self-assigned this Oct 22, 2016
mgreter commented Oct 22, 2016

This will be fixed in the upcoming version. For reference, here is the test I've run:

git clone https://www.github.com/mgreter/libsass --branch bugfix/source-mappings
git clone https://www.github.com/sass/sass-spec
git clone https://www.github.com/sass/sassc
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" make -C sassc -j8
ruby sass-spec/sass-spec.rb -V 3.4 --impl libsass -c sassc/bin/sassc -s sass-spec/spec

No errors were reported after applying #2216

@mgreter mgreter closed this as completed Oct 22, 2016