Bug 1474019 - Heap-overflow in the sassc of libsass library
Status: NEW
Product: Fedora
Classification: Fedora
Component: sassc
Version: 27
Hardware: x86_64 Linux
Priority: unspecified
Severity: unspecified
Assigned To: Aurelien Bompard
Fedora Extras Quality Assurance
Depends On:
Blocks: CVE-2017-11554/CVE-2017-11555/CVE-2017-11556/CVE-2017-11605/CVE-2017-11608/CVE-2017-12962/CVE-2017-12963/CVE-2017-12964
Reported: 2017-07-23 02:55 EDT by hongphi.pham95
Modified: 2017-08-15 03:31 EDT (History)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Triggered by "./sassc POC" (1.53 KB, text/plain)
2017-07-23 02:55 EDT, hongphi.pham95

Description hongphi.pham95 2017-07-23 02:55:13 EDT
Created attachment 1303012 [details]
Triggered by "./sassc POC"

Description of problem:


Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./sassc POC

Steps to Reproduce:
➜  bin git:(master) ./sassc POC
=================================================================
==8339==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4803ea1 at pc 0x0858ca45 bp 0xbfb394b8 sp 0xbfb394ac
READ of size 1 at 0xb4803ea1 thread T0
    #0 0x858ca44  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x858ca44)
    #1 0x8575b9c  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x8575b9c)
    #2 0x8497a36  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x8497a36)
    #3 0x8452fa6  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x8452fa6)
    #4 0x8449a3b  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x8449a3b)
    #5 0x84416d2  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x84416d2)
    #6 0x843d33f  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x843d33f)
    #7 0x8299b41  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x8299b41)
    #8 0x82b3a7b  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x82b3a7b)
    #9 0x824e49f  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x824e49f)
    #10 0x824d36e  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x824d36e)
    #11 0x824d720  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x824d720)
    #12 0x823a6af  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x823a6af)
    #13 0x80cd000  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x80cd000)
    #14 0xb7315636  (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #15 0x816688b  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x816688b)

0xb4803ea1 is located 0 bytes to the right of 1569-byte region [0xb4803880,0xb4803ea1)
allocated by thread T0 here:
    #0 0x820abc4  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x820abc4)
    #1 0x83faea2  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x83faea2)
    #2 0x82b2b2b  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x82b2b2b)
    #3 0x824e49f  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x824e49f)
    #4 0x824d36e  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x824d36e)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x858ca44)
Shadow bytes around the buggy address:
  0x36900780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36900790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369007a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369007b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369007c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x369007d0: 00 00 00 00[01]fa fa fa fa fa fa fa fa fa fa fa
  0x369007e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369007f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36900800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36900810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36900820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8339==ABORTING


Actual results:
crash

Expected results:
crash

Additional info:
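As an added triage aid (this is not part of the bug report, nor code from libsass or sassc), the following Python parses AddressSanitizer heap-buffer-overflow reports of the shape pasted above, cross-checks that the printed addresses agree with the stated region size and distance, flags the one-byte-read-at-end-of-buffer pattern, and notes that the trace is unsymbolized, which is why no function names appear in the frames. The sample input is a trimmed copy of the report's key lines; the "to the right of" / "to the left of" / "inside of" wording handled by the region regex is assumed from ASan's report format.

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports (added example)."""
import re

# Constructed sample input: the key lines of the ASan report from the bug above,
# with the unsymbolized stack frames trimmed to a few entries.
SAMPLE_REPORT = """\
==8339==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4803ea1 at pc 0x0858ca45 bp 0xbfb394b8 sp 0xbfb394ac
READ of size 1 at 0xb4803ea1 thread T0
    #0 0x858ca44  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x858ca44)
    #1 0x8575b9c  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x8575b9c)

0xb4803ea1 is located 0 bytes to the right of 1569-byte region [0xb4803880,0xb4803ea1)
allocated by thread T0 here:
    #0 0x820abc4  (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x820abc4)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/osboxes/Desktop/origin/libsass/sass/bin/sassc+0x858ca44)
"""

HEX = r"0x[0-9a-fA-F]+"
HEADER_RE = re.compile(rf"==(\d+)==ERROR: AddressSanitizer: (\S+) on address ({HEX})")
ACCESS_RE = re.compile(rf"^(READ|WRITE) of size (\d+) at ({HEX}) thread (T\d+)", re.M)
# Wording assumed from ASan's report format: "N bytes to the right of",
# "N bytes to the left of", or "N bytes inside of" an M-byte region.
REGION_RE = re.compile(
    rf"({HEX}) is located (\d+) bytes (to the right of|to the left of|inside of) "
    rf"(\d+)-byte region \[({HEX}),({HEX})\)")
# A symbolized frame reads "#0 0x... in func file:line"; an unsymbolized one
# (as in this report) carries only "(binary+offset)" and no "in func" part.
FRAME_RE = re.compile(rf"^\s*#(\d+)\s+({HEX})\s+(?:in\s+(\S+)\s+)?(.*)$", re.M)


def parse_asan_report(text):
    """Extract the header, faulting access, region description and frames."""
    header = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    region = REGION_RE.search(text)
    if not (header and access and region):
        raise ValueError("not a recognisable ASan heap report")
    pid, kind, fault_addr = header.groups()
    frames = FRAME_RE.findall(text)
    return {
        "pid": int(pid),
        "kind": kind,
        "fault_addr": int(fault_addr, 16),
        "access": access.group(1),
        "access_size": int(access.group(2)),
        "thread": access.group(4),
        "stated_distance": int(region.group(2)),
        "relation": region.group(3),
        "stated_region_size": int(region.group(4)),
        "region_start": int(region.group(5), 16),
        "region_end": int(region.group(6), 16),
        "frame_count": len(frames),
        # group 3 of FRAME_RE is the "in func" name; empty for every frame here
        "symbolized": any(f[2] for f in frames),
    }


def check_consistency(info):
    """Cross-check the numbers ASan printed against each other."""
    problems = []
    if info["region_end"] - info["region_start"] != info["stated_region_size"]:
        problems.append("region bounds disagree with stated size")
    if info["relation"] == "to the right of":
        computed = info["fault_addr"] - info["region_end"]
    elif info["relation"] == "to the left of":
        computed = info["region_start"] - info["fault_addr"]
    else:  # "inside of": offset from the start of the region
        computed = info["fault_addr"] - info["region_start"]
    if computed != info["stated_distance"]:
        problems.append("distance does not match addresses")
    return problems


def triage(text):
    """Parse a report, cross-check its numbers and attach triage flags."""
    info = parse_asan_report(text)
    info["consistency_problems"] = check_consistency(info)
    # A 1-byte READ exactly at region_end is the classic missing end-of-buffer
    # check (a scanner or parser looking one past the last character).
    info["off_by_one_read"] = (
        info["access"] == "READ"
        and info["access_size"] == 1
        and info["relation"] == "to the right of"
        and info["stated_distance"] == 0
    )
    # Without symbols the maintainer cannot tell which function faulted; the
    # fix is a -g build run with llvm-symbolizer (ASAN_SYMBOLIZER_PATH) present.
    info["needs_symbols"] = not info["symbolized"]
    return info


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for key in ("kind", "access", "access_size", "stated_region_size", "relation",
                "stated_distance", "frame_count", "consistency_problems",
                "off_by_one_read", "needs_symbols"):
        print(f"{key}: {result[key]}")
```

For this report the numbers agree with each other (0xb4803ea1 - 0xb4803880 is 1569 and the faulting address equals the region end), so the triage output reduces to: a one-byte read exactly past a 1569-byte heap buffer, from an unsymbolized binary.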
Comment 1 Jan Kurik 2017-08-15 03:31:51 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
