Bug 1471780 - There is a stack-overflow in the sassc of libsass library.
Summary: There is a stack-overflow in the sassc of libsass library.
Alias: None
Product: Fedora
Classification: Fedora
Component: sassc
Version: 27
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Aurelien Bompard
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: CVE-2017-11554, CVE-2017-11555, CVE-2017-11556, CVE-2017-11605, CVE-2017-11608, CVE-2017-12962, CVE-2017-12963, CVE-2017-12964
TreeView+ depends on / blocked
Reported: 2017-07-17 12:29 UTC by owl337
Modified: 2018-11-30 17:53 UTC (History)
2 users (show)

Clone Of:
Last Closed: 2018-11-30 17:53:16 UTC

Attachments (Terms of Use)
Triggered by "./sassc POC3" (209 bytes, application/x-rar)
2017-07-17 12:29 UTC, owl337
no flags Details

Description owl337 2017-07-17 12:29:15 UTC
Created attachment 1299840 [details]
Triggered by "./sassc POC3"

Description of problem:

There is a stack-overflow in the sassc of  libsass library.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./sassc POC3

Steps to Reproduce:

$ ./sassc POC3

Segmentation fault

ASAN debugging information:

$ ./sassc POC3
==17056==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd3045ee10 (pc 0x7f92503b9437 bp 0x7ffd3045f180 sp 0x7ffd3045ee00 T0)
    #0 0x7f92503b9436  (/home/icy/libsass/install/lib/libsass.so.1+0x182436)
    #1 0x7f9250397ac9  (/home/icy/libsass/install/lib/libsass.so.1+0x160ac9)
    #2 0x7f9250398cd9  (/home/icy/libsass/install/lib/libsass.so.1+0x161cd9)
    #3 0x7f92503996b9  (/home/icy/libsass/install/lib/libsass.so.1+0x1626b9)
    #4 0x7f9250399ffa  (/home/icy/libsass/install/lib/libsass.so.1+0x162ffa)
    #5 0x7f92503a0858  (/home/icy/libsass/install/lib/libsass.so.1+0x169858)
    #6 0x7f92503a14ef  (/home/icy/libsass/install/lib/libsass.so.1+0x16a4ef)
    #7 0x7f92503b5a14  (/home/icy/libsass/install/lib/libsass.so.1+0x17ea14)
    #8 0x7f92503b725b  (/home/icy/libsass/install/lib/libsass.so.1+0x18025b)
    #9 0x7f92503b8a19  (/home/icy/libsass/install/lib/libsass.so.1+0x181a19)
    #10 0x7f92503b94f9  (/home/icy/libsass/install/lib/libsass.so.1+0x1824f9)
    #11 0x7f9250397ac9  (/home/icy/libsass/install/lib/libsass.so.1+0x160ac9)
    #12 0x7f9250398cd9  (/home/icy/libsass/install/lib/libsass.so.1+0x161cd9)
    #13 0x7f92503996b9  (/home/icy/libsass/install/lib/libsass.so.1+0x1626b9)
    #251 0x7f9250397ac9  (/home/icy/libsass/install/lib/libsass.so.1+0x160ac9)


GDB debugging information:

(gdb) set args POC3
(gdb) b parser.hpp:150
(gdb) r
The program being debugged has been started already.
Breakpoint 1, Sass::Parser::lex<&Sass::Prelexer::block_comment> (force=false, lazy=true, this=0x7fffffffdd30)
    at parser.hpp:150
150	      const char* it_after_token = mx(it_before_token);
(gdb) c 9224 
Will ignore next 9223 crossings of breakpoint 2.  Continuing.

Breakpoint 2, Sass::Parser::lex<&Sass::Prelexer::css_comments> (force=false, lazy=false, this=0x7fffffffdd30)
    at parser.hpp:150
150	      const char* it_after_token = mx(it_before_token);
(gdb) x/5i $pc
=> 0x7ffff7a8e940 <Sass::Parser::advanceToNextToken()+48>:	mov    %rbp,%rdi
   0x7ffff7a8e943 <Sass::Parser::advanceToNextToken()+51>:	
    callq  0x7ffff79e7830 <_ZN4Sass8Prelexer12css_commentsEPKc@plt>
   0x7ffff7a8e948 <Sass::Parser::advanceToNextToken()+56>:	cmp    0xa0(%rbx),%rax
   0x7ffff7a8e94f <Sass::Parser::advanceToNextToken()+63>:	mov    %rax,%r12
   0x7ffff7a8e952 <Sass::Parser::advanceToNextToken()+66>:	seta   %dl
(gdb) si
0x00007ffff7a8e943	150	      const char* it_after_token = mx(it_before_token);
(gdb) si

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a8e943 in Sass::Parser::lex<&Sass::Prelexer::css_comments> (force=false, lazy=false, 
    this=0x7fffffffdd30) at parser.hpp:150
150	      const char* it_after_token = mx(it_before_token);
(gdb) c
==4332==ERROR: AddressSanitizer: stack-overflow on address 0x7fffff7fef98 (pc 0x7ffff7a8e943 bp 0x61c00000fe05 sp 0x7fffff7fefa0 T0)
    #0 0x7ffff7a8e942  (/home/icy/libsass/install/lib/libsass.so.1+0x159942)
    #1 0x7ffff7ab7454  (/home/icy/libsass/install/lib/libsass.so.1+0x182454)
    #2 0x7ffff7a95ac9  (/home/icy/libsass/install/lib/libsass.so.1+0x160ac9)
    #3 0x7ffff7a96cd9  (/home/icy/libsass/install/lib/libsass.so.1+0x161cd9)
    #4 0x7ffff7a976b9  (/home/icy/libsass/install/lib/libsass.so.1+0x1626b9)
    #5 0x7ffff7a97ffa  (/home/icy/libsass/install/lib/libsass.so.1+0x162ffa)
    #6 0x7ffff7a9e858  (/home/icy/libsass/install/lib/libsass.so.1+0x169858)
    #7 0x7ffff7a9f4ef  (/home/icy/libsass/install/lib/libsass.so.1+0x16a4ef)
    #8 0x7ffff7ab3a14  (/home/icy/libsass/install/lib/libsass.so.1+0x17ea14)
    #9 0x7ffff7ab525b  (/home/icy/libsass/install/lib/libsass.so.1+0x18025b)
    #251 0x7ffff7ab74f9  (/home/icy/libsass/install/lib/libsass.so.1+0x1824f9)


This vulnerability was triggered in function char* lex()at line /libsass/src/parser.hpp:150:

134     template <Prelexer::prelexer mx>
135     const char* lex(bool lazy = true, bool force = false)
136     {
138       if (*position == 0) return 0;
140       // position considered before lexed token
141       // we can skip whitespace or comments for
142       // lazy developers (but we need control)
143       const char* it_before_token = position;
145       // sneak up to the actual token we want to lex
146       // this should skip over white-space if desired
147       if (lazy) it_before_token = sneak < mx >(position);
149       // now call matcher to get position after token
150       const char* it_after_token = mx(it_before_token);
152       // check if match is in valid range
153       if (it_after_token > end) return 0;
178     }

Actual results:


Expected results:


Additional info:


This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Comment 1 Aurelien Bompard 2017-07-18 13:23:43 UTC
Reported upstream as https://github.com/sass/libsass/issues/2445

Comment 2 Jan Kurik 2017-08-15 09:48:16 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

More information and reason for this action is here:

Comment 3 Ben Cotton 2018-11-27 18:28:28 UTC
This message is a reminder that Fedora 27 is nearing its end of life.
On 2018-Nov-30  Fedora will stop maintaining and issuing updates for
Fedora 27. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora  'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 27 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 4 Ben Cotton 2018-11-30 17:53:16 UTC
Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.