Bug 1471786 - There is a stack overflow in sassc of the libsass library. This vulnerability is triggered in function Parser::advanceToNextToken().
Status: NEW
Product: Fedora
Classification: Fedora
Component: sassc
Version: 27
Hardware/OS: x86_64 Linux
Priority: unspecified
Severity: urgent
Assigned To: Aurelien Bompard
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Duplicates: 1482332
Blocks: CVE-2017-11554, CVE-2017-11555, CVE-2017-11556, CVE-2017-11605, CVE-2017-11608, CVE-2017-12962, CVE-2017-12963, CVE-2017-12964

Reported: 2017-07-17 08:38 EDT by owl337
Modified: 2017-08-17 11:29 EDT (History)
Type: Bug

Attachments:
Triggered by "./sassc POC4" (308 bytes, application/x-rar), 2017-07-17 08:38 EDT, owl337

Description owl337 2017-07-17 08:38:02 EDT
Created attachment 1299843 [details]
Triggered by "./sassc POC4"

Description of problem:

There is a stack overflow in sassc of the libsass library. This vulnerability was triggered in function Parser::advanceToNextToken() at line /libsass/src/parser.cpp:66.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./sassc $POC

Steps to Reproduce:

The debugging information is as follows:

$ ./sassc POC4

Segmentation fault

ASAN debugging information:

$ ./sassc POC4
ASAN:SIGSEGV
=================================================================
==102693==ERROR: AddressSanitizer: stack-overflow on address 0x7fff6af5ac08 (pc 0x0000004a6f1d bp 0x7fff6af5b470 sp 0x7fff6af5ac10 T0)
    #0 0x4a6f1c  (/home/icy/secreal/sassc-asan/install/bin/sassc+0x4a6f1c)
    #1 0x7f45522d527d  (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x46027d)
    #2 0x7f455229ec19  (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x429c19)
    #3 0x7f45522d3cdc  (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x45ecdc)
    #4 0x7f45522ce835  (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x459835)
    #5 0x7f45522e393a  (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x46e93a)
    #6 0x7f45522e1a81  (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x46ca81)
    #7 0x7f45522d9611  (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x464611)
    #8 0x7f45522d7e68  (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x462e68)
    #9 0x7f45522d628c  (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x46128c)
    #10 0x7f45522d529c  (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x46029c)
    ....
    #251 0x7f45522d7e68  (/home/icy/secreal/libsass-asan/install/lib/libsass.so.1+0x462e68)

==102693==ABORTING


GDB debugging information:

(gdb) set args POC4
(gdb) b parser.cpp:66
(gdb) r
The program being debugged has been started already.
...
Breakpoint 1, Sass::Parser::advanceToNextToken (this=0x7fffffffd930) at parser.cpp:66
66	      pstate.offset.line = 0;
(gdb) c 3025
Continuing.

Breakpoint 1, Sass::Parser::advanceToNextToken (this=0x7fffffffd930) at parser.cpp:66
66	      pstate.offset.line = 0;
(gdb) n
r 
Program received signal SIGSEGV, Segmentation fault.
0x00000000004a6f1d in __asan_memset ()
(gdb) i b
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   <MULTIPLE>         
	breakpoint already hit 3206 times
1.1                         y     0x00007ffff76c389a in Sass::Parser::advanceToNextToken() at parser.cpp:66
1.2                         y     0x00007ffff770d81f in Sass::Parser::parse_media_queries() at parser.cpp:66
1.3                         y     0x00007ffff77215d7 in Sass::Parser::parse_complex_selector(bool) 
                                                   at parser.cpp:66
1.4                         y     0x00007ffff7748276 in Sass::Parser::parse_disjunction() at parser.cpp:66
1.5                         y     0x00007ffff7749266 in Sass::Parser::parse_conjunction() at parser.cpp:66
1.6                         y     0x00007ffff774ae42 in Sass::Parser::parse_relation() at parser.cpp:66
1.7                         y     0x00007ffff774c5ea in Sass::Parser::parse_expression() at parser.cpp:66
1.8                         y     0x00007ffff7754a57 in Sass::Parser::parse_operators() at parser.cpp:66
1.9                         y     0x00007ffff777c695 in Sass::Parser::parse_media_query() at parser.cpp:66

(gdb) bt 
#0  0x00000000004a6f1d in __asan_memset ()
#1  0x00007ffff774827e in Sass::Parser::advanceToNextToken (this=0x7fffffffd930) at parser.cpp:66
#2  Sass::Parser::parse_disjunction (this=<optimized out>) at parser.cpp:1216
#3  0x00007ffff7711c1a in Sass::Parser::parse_space_list (this=0x7fffffffd930) at parser.cpp:1192
#4  0x00007ffff7746cdd in Sass::Parser::parse_comma_list (this=<optimized out>, delayed=false)
    at parser.cpp:1162
#5  0x00007ffff7741836 in Sass::Parser::parse_list (this=0x7fffffffd930, delayed=false) at parser.cpp:1147
#6  Sass::Parser::parse_map (this=<optimized out>) at parser.cpp:1058
#7  0x00007ffff775693b in Sass::Parser::parse_factor (this=0x7fffffffd930) at parser.cpp:1389
#8  0x00007ffff7754a82 in Sass::Parser::parse_operators (this=<optimized out>) at parser.cpp:1356
#9  0x00007ffff774c612 in Sass::Parser::parse_expression (this=<optimized out>) at parser.cpp:1316
#10 0x00007ffff774ae69 in Sass::Parser::parse_relation (this=<optimized out>) at parser.cpp:1262
#11 0x00007ffff774928d in Sass::Parser::parse_conjunction (this=<optimized out>) at parser.cpp:1240
#12 0x00007ffff774829d in Sass::Parser::parse_disjunction (this=<optimized out>) at parser.cpp:1219
#13 0x00007ffff7711c1a in Sass::Parser::parse_space_list (this=0x7fffffffd930) at parser.cpp:1192
#14 0x00007ffff7746cdd in Sass::Parser::parse_comma_list (this=<optimized out>, delayed=false)
    at parser.cpp:1162
...

This vulnerability was triggered in function Parser::advanceToNextToken() at line /libsass/src/parser.cpp:66:

  61    void Parser::advanceToNextToken() {
  62       lex < css_comments >(false);
  63       // advance to position
  64       pstate += pstate.offset;
  65       pstate.offset.column = 0;
  66       pstate.offset.line = 0;
  67     }


Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
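The backtrace above is the signature of unbounded recursion, not of a buffer write: the same few parser frames (parse_list -> parse_comma_list -> parse_space_list -> parse_disjunction -> ... -> parse_factor -> parse_map -> parse_list) repeat until the stack is exhausted, and the faulting instruction is ASAN's own memset of a fresh frame inside advanceToNextToken(), which is simply the first function to touch the guard page. The following is an added example, not libsass code and not the attached POC4 (which is not reproduced on this page): a small recursive-descent parser in C whose list -> factor -> list cycle stands in for the libsass cycle, beside the nesting-depth guard that turns an input-controlled stack overflow into an ordinary parse error. The grammar, the names parse_value, parse_nested, make_nested and parse_status, and the limit of 256 levels are assumptions chosen for illustration; whether upstream's fix took this shape is not stated on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative grammar (an assumption, not the Sass grammar):
 *   list   := factor (',' factor)*
 *   factor := '(' list ')' | name
 * '(' -> parse_factor -> parse_list -> parse_factor ... mirrors the
 * parse_factor -> parse_map -> parse_list cycle in the backtrace:
 * every extra '(' in the input costs two more C frames. */

typedef enum { PARSE_OK = 0, PARSE_ERROR = 1, PARSE_TOO_DEEP = 2 } parse_status;

typedef struct {
    const char *src;
    size_t pos;
    size_t depth;      /* current '(' nesting */
    size_t max_depth;  /* 0 = no guard, i.e. the vulnerable behaviour */
    parse_status status;
} parser;

static int parse_list(parser *p);

static int parse_factor(parser *p)
{
    if (p->src[p->pos] == '(') {
        /* The guard: refuse to recurse once the input nests deeper than
         * the parser is willing to follow. Checked before the recursive
         * call, so the stack never grows past max_depth cycles. */
        if (p->max_depth != 0 && p->depth >= p->max_depth) {
            p->status = PARSE_TOO_DEEP;
            return 0;
        }
        p->depth++;
        p->pos++;
        int ok = parse_list(p);
        p->depth--;
        if (!ok) return 0;
        if (p->src[p->pos] != ')') { p->status = PARSE_ERROR; return 0; }
        p->pos++;
        return 1;
    }
    size_t start = p->pos;
    while (isalnum((unsigned char)p->src[p->pos]) || p->src[p->pos] == '-') p->pos++;
    if (p->pos == start) { p->status = PARSE_ERROR; return 0; }
    return 1;
}

static int parse_list(parser *p)
{
    if (!parse_factor(p)) return 0;
    while (p->src[p->pos] == ',') {
        p->pos++;
        if (!parse_factor(p)) return 0;
    }
    return 1;
}

/* Parse a whole string. max_depth == 0 removes the guard. */
parse_status parse_value(const char *src, size_t max_depth)
{
    parser p = { src, 0, 0, max_depth, PARSE_OK };
    if (parse_list(&p) && p.src[p.pos] == '\0') return PARSE_OK;
    return p.status == PARSE_OK ? PARSE_ERROR : p.status;
}

/* Constructed input "(((...a...)))" with n levels; the shape a fuzzer
 * converges on for this bug class. Caller frees. */
char *make_nested(size_t n)
{
    char *buf = malloc(2 * n + 2);
    if (!buf) return NULL;
    memset(buf, '(', n);
    buf[n] = 'a';
    memset(buf + n + 1, ')', n);
    buf[2 * n + 1] = '\0';
    return buf;
}

/* Build, parse and free an n-level nesting under a given limit. */
parse_status parse_nested(size_t n, size_t max_depth)
{
    char *s = make_nested(n);
    if (!s) return PARSE_ERROR;
    parse_status r = parse_value(s, max_depth);
    free(s);
    return r;
}

int main(void)
{
    printf("16 levels, limit 256:      %d\n", parse_nested(16, 256));       /* 0 = PARSE_OK */
    printf("1M levels, limit 256:      %d\n", parse_nested(1u << 20, 256)); /* 2 = PARSE_TOO_DEEP */
    /* parse_nested(1u << 20, 0) is the unguarded case: two frames per level,
     * a million levels, SIGSEGV in whatever function next touches the stack,
     * which is what the ASAN report above shows. Deliberately not run here. */
    return 0;
}
```

Build with `cc -O1 -g -fsanitize=address` and call `parse_nested(1u << 20, 0)` to see the same "AddressSanitizer: stack-overflow" report as above, with the faulting frame landing in whichever small function happens to be entered when the guard page is hit. The fix class is a hard bound on nesting (or an explicit stack instead of recursion); raising `ulimit -s` only moves the threshold the input has to exceed.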
Comment 1 Aurelien Bompard 2017-07-18 09:24:25 EDT
Reported upstream as https://github.com/sass/libsass/issues/2447
Comment 2 Jan Kurik 2017-08-15 05:15:09 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 3 Aurelien Bompard 2017-08-17 11:29:54 EDT
*** Bug 1482332 has been marked as a duplicate of this bug. ***