Bug 1471780 - There is a stack-overflow in the sassc of libsass library.
Status: NEW
Product: Fedora
Classification: Fedora
Component: sassc
Version: 27
Hardware: x86_64 Linux
Priority: unspecified
Severity: urgent
Assigned To: Aurelien Bompard
QA Contact: Fedora Extras Quality Assurance
Blocks: CVE-2017-11554/CVE-2017-11555/CVE-2017-11556/CVE-2017-11605/CVE-2017-11608/CVE-2017-12962/CVE-2017-12963/CVE-2017-12964
Reported: 2017-07-17 08:29 EDT by owl337
Modified: 2017-08-15 05:48 EDT

Attachments:
Triggered by "./sassc POC3" (209 bytes, application/x-rar)
2017-07-17 08:29 EDT, owl337
Description owl337 2017-07-17 08:29:15 EDT
Created attachment 1299840
Triggered by "./sassc POC3"

Description of problem:

There is a stack overflow in the sassc of the libsass library.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./sassc POC3

Steps to Reproduce:

$ ./sassc POC3

Segmentation fault

ASAN debugging information:

$ ./sassc POC3
=================================================================
==17056==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd3045ee10 (pc 0x7f92503b9437 bp 0x7ffd3045f180 sp 0x7ffd3045ee00 T0)
    #0 0x7f92503b9436  (/home/icy/libsass/install/lib/libsass.so.1+0x182436)
    #1 0x7f9250397ac9  (/home/icy/libsass/install/lib/libsass.so.1+0x160ac9)
    #2 0x7f9250398cd9  (/home/icy/libsass/install/lib/libsass.so.1+0x161cd9)
    #3 0x7f92503996b9  (/home/icy/libsass/install/lib/libsass.so.1+0x1626b9)
    #4 0x7f9250399ffa  (/home/icy/libsass/install/lib/libsass.so.1+0x162ffa)
    #5 0x7f92503a0858  (/home/icy/libsass/install/lib/libsass.so.1+0x169858)
    #6 0x7f92503a14ef  (/home/icy/libsass/install/lib/libsass.so.1+0x16a4ef)
    #7 0x7f92503b5a14  (/home/icy/libsass/install/lib/libsass.so.1+0x17ea14)
    #8 0x7f92503b725b  (/home/icy/libsass/install/lib/libsass.so.1+0x18025b)
    #9 0x7f92503b8a19  (/home/icy/libsass/install/lib/libsass.so.1+0x181a19)
    #10 0x7f92503b94f9  (/home/icy/libsass/install/lib/libsass.so.1+0x1824f9)
    #11 0x7f9250397ac9  (/home/icy/libsass/install/lib/libsass.so.1+0x160ac9)
    #12 0x7f9250398cd9  (/home/icy/libsass/install/lib/libsass.so.1+0x161cd9)
    #13 0x7f92503996b9  (/home/icy/libsass/install/lib/libsass.so.1+0x1626b9)
     ...
     ...
    #251 0x7f9250397ac9  (/home/icy/libsass/install/lib/libsass.so.1+0x160ac9)

==17056==ABORTING

GDB debugging information:

(gdb) set args POC3
(gdb) b parser.hpp:150
(gdb) r
The program being debugged has been started already.
...
Breakpoint 1, Sass::Parser::lex<&Sass::Prelexer::block_comment> (force=false, lazy=true, this=0x7fffffffdd30)
    at parser.hpp:150
150	      const char* it_after_token = mx(it_before_token);
(gdb) c 9224 
Will ignore next 9223 crossings of breakpoint 2.  Continuing.

Breakpoint 2, Sass::Parser::lex<&Sass::Prelexer::css_comments> (force=false, lazy=false, this=0x7fffffffdd30)
    at parser.hpp:150
150	      const char* it_after_token = mx(it_before_token);
(gdb) x/5i $pc
=> 0x7ffff7a8e940 <Sass::Parser::advanceToNextToken()+48>:	mov    %rbp,%rdi
   0x7ffff7a8e943 <Sass::Parser::advanceToNextToken()+51>:	callq  0x7ffff79e7830 <_ZN4Sass8Prelexer12css_commentsEPKc@plt>
   0x7ffff7a8e948 <Sass::Parser::advanceToNextToken()+56>:	cmp    0xa0(%rbx),%rax
   0x7ffff7a8e94f <Sass::Parser::advanceToNextToken()+63>:	mov    %rax,%r12
   0x7ffff7a8e952 <Sass::Parser::advanceToNextToken()+66>:	seta   %dl
(gdb) si
0x00007ffff7a8e943	150	      const char* it_after_token = mx(it_before_token);
(gdb) si

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a8e943 in Sass::Parser::lex<&Sass::Prelexer::css_comments> (force=false, lazy=false, 
    this=0x7fffffffdd30) at parser.hpp:150
150	      const char* it_after_token = mx(it_before_token);
(gdb) c
Continuing.
ASAN:SIGSEGV
=================================================================
==4332==ERROR: AddressSanitizer: stack-overflow on address 0x7fffff7fef98 (pc 0x7ffff7a8e943 bp 0x61c00000fe05 sp 0x7fffff7fefa0 T0)
    #0 0x7ffff7a8e942  (/home/icy/libsass/install/lib/libsass.so.1+0x159942)
    #1 0x7ffff7ab7454  (/home/icy/libsass/install/lib/libsass.so.1+0x182454)
    #2 0x7ffff7a95ac9  (/home/icy/libsass/install/lib/libsass.so.1+0x160ac9)
    #3 0x7ffff7a96cd9  (/home/icy/libsass/install/lib/libsass.so.1+0x161cd9)
    #4 0x7ffff7a976b9  (/home/icy/libsass/install/lib/libsass.so.1+0x1626b9)
    #5 0x7ffff7a97ffa  (/home/icy/libsass/install/lib/libsass.so.1+0x162ffa)
    #6 0x7ffff7a9e858  (/home/icy/libsass/install/lib/libsass.so.1+0x169858)
    #7 0x7ffff7a9f4ef  (/home/icy/libsass/install/lib/libsass.so.1+0x16a4ef)
    #8 0x7ffff7ab3a14  (/home/icy/libsass/install/lib/libsass.so.1+0x17ea14)
    #9 0x7ffff7ab525b  (/home/icy/libsass/install/lib/libsass.so.1+0x18025b)
     ...
     ...
    #251 0x7ffff7ab74f9  (/home/icy/libsass/install/lib/libsass.so.1+0x1824f9)

==4332==ABORTING

This vulnerability was triggered in function char* lex() at line /libsass/src/parser.hpp:150:

134     template <Prelexer::prelexer mx>
135     const char* lex(bool lazy = true, bool force = false)
136     {
137 
138       if (*position == 0) return 0;
139 
140       // position considered before lexed token
141       // we can skip whitespace or comments for
142       // lazy developers (but we need control)
143       const char* it_before_token = position;
144 
145       // sneak up to the actual token we want to lex
146       // this should skip over white-space if desired
147       if (lazy) it_before_token = sneak < mx >(position);
148 
149       // now call matcher to get position after token
150       const char* it_after_token = mx(it_before_token);
151 
152       // check if match is in valid range
153       if (it_after_token > end) return 0;
154 
...
177 
178     }

Actual results:

crash

Expected results:

crash

Additional info:


Credits:

This vulnerability was detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
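The two ASAN traces above show recursion whose depth is chosen by the input: the same libsass.so offsets (+0x160ac9, +0x161cd9, +0x1626b9) repeat frame after frame until the stack is exhausted at frame #251. The following is an added example, not libsass code and not the reporter's: a toy parser in the shape of Sass::Parser's lex/sneak pair, with the nesting-depth guard (max_depth, an assumed name and limit) that turns such input into a parse error instead of a stack overflow. POC3's contents are not on this page, so the deeply nested block input in the test is a constructed stand-in.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Minimal stand-in for Sass::Parser: a cursor pair plus a depth counter.
struct MiniParser {
    const char* position;   // cursor before the next token, as in libsass
    const char* end;
    size_t depth = 0;
    size_t max_depth;       // assumed guard; not a field shown on this page
    MiniParser(const std::string& src, size_t limit)
        : position(src.data()), end(src.data() + src.size()), max_depth(limit) {}
    // Skip whitespace and /* */ comments, the job sneak<mx>() does for lex<mx>().
    void skip_trivia() {
        for (;;) {
            while (position < end && (*position == ' ' || *position == '\n')) ++position;
            if (end - position >= 2 && position[0] == '/' && position[1] == '*') {
                const char* p = position + 2;
                while (end - p >= 2 && !(p[0] == '*' && p[1] == '/')) ++p;
                if (end - p < 2) throw std::runtime_error("unterminated comment");
                position = p + 2;
                continue;
            }
            return;
        }
    }
    // block := '{' block* '}'. Each nested '{' costs one stack frame, so without the guard the input picks the recursion depth.
    void parse_block() {
        if (++depth > max_depth) throw std::runtime_error("nesting too deep");
        skip_trivia();
        if (position >= end || *position != '{') throw std::runtime_error("expected '{'");
        ++position;
        for (;;) {
            skip_trivia();
            if (position >= end) throw std::runtime_error("unexpected end of input");
            if (*position == '}') { ++position; --depth; return; }
            parse_block();
        }
    }
};
// Parses one top-level block; returns "ok" or the error text, never a crash.
std::string parse_with_limit(const std::string& src, size_t limit) {
    try {
        MiniParser p(src, limit);
        p.parse_block();
        p.skip_trivia();
        return p.position == p.end ? "ok" : "trailing input";
    } catch (const std::exception& e) { return e.what(); }
}
```

With a limit of a few hundred levels, an input of a million unmatched braces is rejected after 257 frames rather than consuming the whole stack, which is the behaviour a maintainer would want sassc to have on such files.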
Comment 1 Aurelien Bompard 2017-07-18 09:23:43 EDT
Reported upstream as https://github.com/sass/libsass/issues/2445
Comment 2 Jan Kurik 2017-08-15 05:48:16 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Releases/27/HouseKeeping#Rawhide_Rebase
