Bug 1474276 - There is a heap based buffer overflow in libsass
Status: ASSIGNED
Product: Fedora
Classification: Fedora
Component: sassc
Version: 27
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Assigned To: Aurelien Bompard
QA Contact: Fedora Extras Quality Assurance
Blocks: CVE-2017-11554/CVE-2017-11555/CVE-2017-11556/CVE-2017-11605/CVE-2017-11608/CVE-2017-12962/CVE-2017-12963/CVE-2017-12964
Reported: 2017-07-24 05:39 EDT by hongphi.pham95
Modified: 2017-08-15 05:11 EDT
Type: Bug

Attachments
Triggered by "./sassc POC (5 bytes, application/octet-stream) - 2017-07-24 05:39 EDT, hongphi.pham95

Description hongphi.pham95 2017-07-24 05:39:40 EDT
Created attachment 1303540
Triggered by "./sassc POC

Description of problem:

There is a heap based buffer overflow in libsass

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./sassc POC

Steps to Reproduce:
➜  sumary ../../../../origin/libsass/sassc/bin/sassc POC
=================================================================
==29485==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb50007b6 at pc 0x0859139e bp 0xbf99cdd8 sp 0xbf99cdcc
READ of size 1 at 0xb50007b6 thread T0
    #0 0x859139d  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x859139d)
    #1 0x85b7572  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x85b7572)
    #2 0x85b746e  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x85b746e)
    #3 0x85b8bd0  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x85b8bd0)
    #4 0x85b81a2  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x85b81a2)
    #5 0x85b5f26  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x85b5f26)
    #6 0x85a1f5e  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x85a1f5e)
    #7 0x8485ff4  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x8485ff4)
    #8 0x845f606  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x845f606)
    #9 0x8454eb2  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x8454eb2)
    #10 0x8450b1f  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x8450b1f)
    #11 0x829f371  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x829f371)
    #12 0x82ba1ec  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x82ba1ec)
    #13 0x82501e1  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x82501e1)
    #14 0x824f0ae  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x824f0ae)
    #15 0x824f460  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x824f460)
    #16 0x823ab42  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x823ab42)
    #17 0x823ba7a  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x823ba7a)
    #18 0xb73ab636  (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #19 0x81666cb  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x81666cb)

0xb50007b6 is located 0 bytes to the right of 6-byte region [0xb50007b0,0xb50007b6)
allocated by thread T0 here:
    #0 0x820aa04  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x820aa04)
    #1 0x840e182  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x840e182)
    #2 0x82b8e7b  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x82b8e7b)
    #3 0x82501e1  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x82501e1)
    #4 0x824f0ae  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x824f0ae)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x859139d) 
Shadow bytes around the buggy address:
  0x36a000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a000b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a000c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
  0x36a000d0: fa fa fd fa fa fa 04 fa fa fa 04 fa fa fa 00 fa
  0x36a000e0: fa fa 04 fa fa fa 00 fa fa fa 04 fa fa fa fd fa
=>0x36a000f0: fa fa 04 fa fa fa[06]fa fa fa 04 fa fa fa fd fa
  0x36a00100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a00110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a00120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a00130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a00140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29485==ABORTING

The GDB debugging information is as follows:
(gdb) b lexer.cpp:150
Breakpoint 1 at 0x8449e4b: file src/lexer.cpp, line 150.
(gdb) r POC
Starting program: /home/osboxes/Desktop/origin/libsass/sassc/bin/sassc POC
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Breakpoint 1, Sass::Prelexer::re_linebreak (src=0xb59007b5 "") at src/lexer.cpp:151
151	      if (*src == 0 || *src == '\n') return src + 1;
(gdb) n
156	    }
(gdb) 
Sass::Prelexer::alternatives<&Sass::Prelexer::sequence<&Sass::Prelexer::exactly<(char)92>, &Sass::Prelexer::re_linebreak>, &Sass::Prelexer::escape_seq, &Sass::Prelexer::unicode_seq, &Sass::Prelexer::interpolant, &Sass::Prelexer::any_char_but<(char)34> > (src=<optimised out>) at src/lexer.hpp:202
202	      if ((rslt = mx1(src))) return rslt;
(gdb) 
Sass::Prelexer::zero_plus<&Sass::Prelexer::alternatives<&Sass::Prelexer::sequence<&Sass::Prelexer::exactly<(char)92>, &Sass::Prelexer::re_linebreak>, &Sass::Prelexer::escape_seq, &Sass::Prelexer::unicode_seq, &Sass::Prelexer::interpolant, &Sass::Prelexer::any_char_but<(char)34> > > (
    src=<optimised out>) at src/lexer.hpp:236
236	      while (p) src = p, p = mx(src);
(gdb) 
=================================================================
==15322==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb59007b6 at pc 0x0859139e bp 0xbfffd1d8 sp 0xbfffd1cc
READ of size 1 at 0xb59007b6 thread T0
    #0 0x859139d  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x859139d)
    #1 0x85b7572  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x85b7572)
    #2 0x85b746e  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x85b746e)
    #3 0x85b8bd0  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x85b8bd0)
    #4 0x85b81a2  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x85b81a2)
    #5 0x85b5f26  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x85b5f26)
    #6 0x85a1f5e  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x85a1f5e)
    #7 0x8485ff4  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x8485ff4)
    #8 0x845f606  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x845f606)
    #9 0x8454eb2  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x8454eb2)
    #10 0x8450b1f  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x8450b1f)
    #11 0x829f371  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x829f371)
    #12 0x82ba1ec  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x82ba1ec)
    #13 0x82501e1  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x82501e1)
    #14 0x824f0ae  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x824f0ae)
    #15 0x824f460  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x824f460)
    #16 0x823ab42  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x823ab42)
    #17 0x823ba7a  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x823ba7a)
    #18 0xb7c00636  (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #19 0x81666cb  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x81666cb)

0xb59007b6 is located 0 bytes to the right of 6-byte region [0xb59007b0,0xb59007b6)
allocated by thread T0 here:
    #0 0x820aa04  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x820aa04)
    #1 0x840e182  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x840e182)
    #2 0x82b8e7b  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x82b8e7b)
    #3 0x82501e1  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x82501e1)
    #4 0x824f0ae  (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x824f0ae)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/osboxes/Desktop/origin/libsass/sassc/bin/sassc+0x859139d) 
Shadow bytes around the buggy address:
  0x36b200a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b200b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b200c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
  0x36b200d0: fa fa fd fa fa fa 04 fa fa fa 04 fa fa fa 00 fa
  0x36b200e0: fa fa 04 fa fa fa 00 fa fa fa 04 fa fa fa fd fa
=>0x36b200f0: fa fa 04 fa fa fa[06]fa fa fa 04 fa fa fa fd fa
  0x36b20100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15322==ABORTING


Actual results:
crash

Expected results:
crash

Additional info:
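The gdb session above shows the mechanism behind the ASan report: re_linebreak treats the NUL terminator like a newline and returns src + 1 (src/lexer.cpp:151), and the zero_plus loop (lexer.hpp:236) then calls the next matcher on that pointer, which now sits one byte past the 6-byte allocation. The C++ below is an added illustration and is not libsass source, the reporter's attachment, or the upstream fix: it is a simplified re-creation of the combinators named in the trace (exactly, any_char_but, sequence, alternatives, zero_plus) with the terminator-consuming re_linebreak beside a variant that stops on the terminator. The driver checks the cursor against the allocation before each matcher call so the over-read is reported rather than performed. The sample inputs are constructed; the one ending in a backslash follows from the trace, where re_linebreak is reached through sequence<exactly<'\\'>, ...> with src already on the terminator.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Added illustration, not libsass source. Each matcher takes a pointer into a
// NUL-terminated buffer and returns the position after its match, or nullptr.
typedef const char* (*prelexer)(const char*);

// Matches exactly the character c.
template <char c>
const char* exactly(const char* src) { return *src == c ? src + 1 : nullptr; }

// Matches any single character except c; the terminator never matches.
template <char c>
const char* any_char_but(const char* src) { return (*src && *src != c) ? src + 1 : nullptr; }

// mx1 followed by mx2; both must match.
template <prelexer mx1, prelexer mx2>
const char* sequence(const char* src) {
  const char* rslt = mx1(src);
  return rslt ? mx2(rslt) : nullptr;
}

// First matcher that succeeds wins (lexer.hpp:202 in the trace).
template <prelexer mx1, prelexer mx2>
const char* alternatives(const char* src) {
  const char* rslt = mx1(src);
  return rslt ? rslt : mx2(src);
}

// Same shape as src/lexer.cpp:151 in the trace: end of input is handled like a
// newline and stepped over, so the result points one byte past the NUL.
const char* re_linebreak_unsafe(const char* src) {
  if (*src == 0 || *src == '\n') return src + 1;
  if (*src == '\r') return *(src + 1) == '\n' ? src + 2 : src + 1;
  return nullptr;
}

// Hardened variant: end of input still satisfies the matcher, but the cursor
// stays on the terminator, so no caller is handed an out-of-bounds pointer.
const char* re_linebreak_safe(const char* src) {
  if (*src == 0) return src;
  if (*src == '\n') return src + 1;
  if (*src == '\r') return *(src + 1) == '\n' ? src + 2 : src + 1;
  return nullptr;
}

// The quoted-string body grammar from the trace, reduced to the two branches
// that matter here: backslash + linebreak, or any character but the quote.
const char* body_unsafe(const char* src) {
  return alternatives<&sequence<&exactly<'\\'>, &re_linebreak_unsafe>, &any_char_but<'"'>>(src);
}
const char* body_safe(const char* src) {
  return alternatives<&sequence<&exactly<'\\'>, &re_linebreak_safe>, &any_char_but<'"'>>(src);
}

struct LexResult {
  bool over_read;      // a matcher was about to read outside the allocation
  std::size_t offset;  // cursor position (bytes from the start) when lexing stopped
};

// Drives the zero_plus loop from lexer.hpp:236 (while (p) src = p, p = mx(src);)
// over a heap block of exactly body.size()+1 bytes, as in the ASan report. The
// cursor is checked against the allocation before every matcher call, so the
// over-read is recorded instead of performed. A zero-length match also stops
// the loop; the trace's loop has no such progress guard.
template <prelexer mx>
LexResult run_zero_plus(const std::string& body) {
  std::vector<char> buf(body.begin(), body.end());
  buf.push_back('\0');
  const char* begin = buf.data();
  const char* end = begin + buf.size();  // one past the allocation
  const char* src = begin;
  for (;;) {
    if (src >= end) return LexResult{true, static_cast<std::size_t>(src - begin)};
    const char* p = mx(src);
    if (!p || p == src) break;
    src = p;
  }
  return LexResult{false, static_cast<std::size_t>(src - begin)};
}

int main() {
  // Constructed inputs, not the attached POC. The third one ends in a
  // backslash, the case the trace implies.
  struct Sample { const char* name; const char* text; } samples[] = {
    {"plain", "abc"}, {"escaped newline", "a\\\nb"}, {"trailing backslash", "ab\\"},
  };
  for (const Sample& s : samples) {
    LexResult u = run_zero_plus<&body_unsafe>(s.text);
    LexResult h = run_zero_plus<&body_safe>(s.text);
    std::printf("%-19s unsafe: over_read=%d offset=%zu | safe: over_read=%d offset=%zu\n",
                s.name, u.over_read, u.offset, h.over_read, h.offset);
  }
  return 0;
}
```

With the terminator-consuming matcher the trailing-backslash input stops with over_read set and the cursor at offset 4 on a 4-byte block, the same "0 bytes to the right of the region" position ASan reports above; the hardened matcher leaves the cursor on the terminator (offset 3) and the loop ends because no branch matches NUL. Inputs that do not end in a backslash behave identically under both variants.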
Comment 1 Aurelien Bompard 2017-08-04 11:25:01 EDT
I updated libsass & sassc to 3.4.5, can you try again with this version? On my computer with the updated sassc I get:

$ sassc POC 
Internal Error: Invalid UTF-8
Comment 2 Jan Kurik 2017-08-15 05:11:08 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.