Bug 1482332
Summary: There is a stack-overflow in parser.cpp of libsass.

| Field | Value |
|---|---|
| Product | Fedora |
| Component | libsass |
| Version | rawhide |
| Status | CLOSED DUPLICATE |
| Severity | urgent |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | owl337 <v.owl337> |
| Assignee | Aurelien Bompard <aurelien> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | aurelien |
| Type | Bug |
| Last Closed | 2017-08-17 15:29:54 UTC |
It is a duplicate of Bug 1471786; please close this one.

*** This bug has been marked as a duplicate of bug 1471786 ***
Created attachment 1314522 [details]
Triggered by "./sassc POC8"

Description of problem:
There is a stack-overflow in parser.cpp of libsass.

Version-Release number of selected component (if applicable):
<= the latest version

How reproducible:
./sassc $POC

Steps to Reproduce:
The debugging information is as follows:

```
$ ./sassc POC
Segmentation fault
```

ASAN debugging information:

```
$ ./sassc POC
ASAN:SIGSEGV
=================================================================
==102693==ERROR: AddressSanitizer: stack-overflow on address 0x7fff6af5ac08 (pc 0x0000004a6f1d bp 0x7fff6af5b470 sp 0x7fff6af5ac10 T0)
    #0 0x4a6f1c (/home/icy/secreal/sassc-asan/install/bin/sassc+0x4a6f1c)
    #1 0x7f45522d527d (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x46027d)
    #2 0x7f455229ec19 (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x429c19)
    #3 0x7f45522d3cdc (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x45ecdc)
    #4 0x7f45522ce835 (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x459835)
    #5 0x7f45522e393a (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x46e93a)
    #6 0x7f45522e1a81 (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x46ca81)
    #7 0x7f45522d9611 (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x464611)
    #8 0x7f45522d7e68 (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x462e68)
    #9 0x7f45522d628c (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x46128c)
    #10 0x7f45522d529c (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x46029c)
    ....
    #251 0x7f45522d7e68 (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x462e68)
==102693==ABORTING
```

GDB debugging information:

```
(gdb) set args POC
(gdb) b parser.cpp:66
(gdb) r
The program being debugged has been started already.
...
Breakpoint 1, Sass::Parser::advanceToNextToken (this=0x7fffffffd930) at parser.cpp:66
66          pstate.offset.line = 0;
(gdb) c 3025
Continuing.
Breakpoint 1, Sass::Parser::advanceToNextToken (this=0x7fffffffd930) at parser.cpp:66
66          pstate.offset.line = 0;
(gdb) n
r
Program received signal SIGSEGV, Segmentation fault.
0x00000000004a6f1d in __asan_memset ()
(gdb) i b
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   <MULTIPLE>
        breakpoint already hit 3206 times
1.1                         y     0x00007ffff76c389a in Sass::Parser::advanceToNextToken() at parser.cpp:66
1.2                         y     0x00007ffff770d81f in Sass::Parser::parse_media_queries() at parser.cpp:66
1.3                         y     0x00007ffff77215d7 in Sass::Parser::parse_complex_selector(bool) at parser.cpp:66
1.4                         y     0x00007ffff7748276 in Sass::Parser::parse_disjunction() at parser.cpp:66
1.5                         y     0x00007ffff7749266 in Sass::Parser::parse_conjunction() at parser.cpp:66
1.6                         y     0x00007ffff774ae42 in Sass::Parser::parse_relation() at parser.cpp:66
1.7                         y     0x00007ffff774c5ea in Sass::Parser::parse_expression() at parser.cpp:66
1.8                         y     0x00007ffff7754a57 in Sass::Parser::parse_operators() at parser.cpp:66
1.9                         y     0x00007ffff777c695 in Sass::Parser::parse_media_query() at parser.cpp:66
(gdb) bt
#0  0x00000000004a6f1d in __asan_memset ()
#1  0x00007ffff774827e in Sass::Parser::advanceToNextToken (this=0x7fffffffd930) at parser.cpp:66
#2  Sass::Parser::parse_disjunction (this=<optimized out>) at parser.cpp:1216
#3  0x00007ffff7711c1a in Sass::Parser::parse_space_list (this=0x7fffffffd930) at parser.cpp:1192
#4  0x00007ffff7746cdd in Sass::Parser::parse_comma_list (this=<optimized out>, delayed=false) at parser.cpp:1162
#5  0x00007ffff7741836 in Sass::Parser::parse_list (this=0x7fffffffd930, delayed=false) at parser.cpp:1147
#6  Sass::Parser::parse_map (this=<optimized out>) at parser.cpp:1058
#7  0x00007ffff775693b in Sass::Parser::parse_factor (this=0x7fffffffd930) at parser.cpp:1389
#8  0x00007ffff7754a82 in Sass::Parser::parse_operators (this=<optimized out>) at parser.cpp:1356
#9  0x00007ffff774c612 in Sass::Parser::parse_expression (this=<optimized out>) at parser.cpp:1316
#10 0x00007ffff774ae69 in Sass::Parser::parse_relation (this=<optimized out>) at parser.cpp:1262
#11 0x00007ffff774928d in Sass::Parser::parse_conjunction (this=<optimized out>) at parser.cpp:1240
#12 0x00007ffff774829d in Sass::Parser::parse_disjunction (this=<optimized out>) at parser.cpp:1219
#13 0x00007ffff7711c1a in Sass::Parser::parse_space_list (this=0x7fffffffd930) at parser.cpp:1192
#14 0x00007ffff7746cdd in Sass::Parser::parse_comma_list (this=<optimized out>, delayed=false) at parser.cpp:1162
...
```

This vulnerability was triggered in function Parser::advanceToNextToken() at line /libsass/src/parser.cpp:66:

```cpp
61    void Parser::advanceToNextToken() {
62      lex < css_comments >(false);
63      // advance to position
64      pstate += pstate.offset;
65      pstate.offset.column = 0;
66      pstate.offset.line = 0;
67    }
```

Actual results:
crash

Expected results:
crash

Additional info:
Credits:
This vulnerability was detected by team OWL337 with our custom fuzzer collAFL.
Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
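The backtrace repeats the same parse_disjunction -> parse_space_list -> parse_comma_list -> parse_list -> parse_map -> parse_factor -> ... -> parse_disjunction frames, so the recursion depth is bounded only by how deeply the input is nested. As an added example (not libsass code and not part of this report), here is a toy recursive-descent parser in that shape with a nesting-depth cap, so pathological input yields a parse error instead of exhausting the stack; the grammar and the limit value are constructed assumptions.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Added example, not libsass code. Constructed grammar standing in for Sass lists/maps:
//   list  := value (',' value)*
//   value := number | '(' list ')'
// Each '(' costs a parse_list/parse_value frame pair, so depth is capped explicitly.
struct NestingTooDeep : std::runtime_error { using std::runtime_error::runtime_error; };

struct DepthLimitedParser {
  const std::string& src;
  std::size_t pos = 0, depth = 0;
  const std::size_t max_depth;  // assumed limit; derive it from the platform stack budget
  DepthLimitedParser(const std::string& s, std::size_t limit) : src(s), max_depth(limit) {}
  char peek() const { return pos < src.size() ? src[pos] : '\0'; }

  void parse_value() {
    if (peek() == '(') {
      // Refuse before recursing once the nesting budget is spent.
      if (++depth > max_depth) throw NestingTooDeep("nesting too deep");
      ++pos;
      parse_list();
      if (peek() != ')') throw std::runtime_error("expected ')'");
      ++pos;
      --depth;
    } else if (peek() >= '0' && peek() <= '9') {
      while (peek() >= '0' && peek() <= '9') ++pos;
    } else {
      throw std::runtime_error("unexpected character");
    }
  }
  void parse_list() {
    parse_value();
    while (peek() == ',') { ++pos; parse_value(); }
  }
};

// Distinguish a depth rejection from an ordinary syntax error so callers can log it.
enum class ParseResult { Ok, TooDeep, SyntaxError };

ParseResult parse_with_limit(const std::string& input, std::size_t max_depth) {
  DepthLimitedParser p(input, max_depth);
  try {
    p.parse_list();
    return p.pos == input.size() ? ParseResult::Ok : ParseResult::SyntaxError;
  } catch (const NestingTooDeep&) {
    return ParseResult::TooDeep;
  } catch (const std::runtime_error&) {
    return ParseResult::SyntaxError;
  }
}
```

With the cap in place, an input of a hundred thousand opening parentheses is rejected after max_depth frames instead of taking the process down with SIGSEGV.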