
Stack Overflow in sassc #3000

Open
c0d3xpl0it opened this issue Oct 7, 2019 · 4 comments

Comments

@c0d3xpl0it

We found a stack overflow in the sassc binary; sassc was compiled with clang with ASAN enabled.

Machine Setup

Machine : Ubuntu 16.04.3 LTS
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
Commit : 4da7c4b
Command : sassc POC

Compilation : CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 make -C sassc -j4
POC : POC.scss.zip

ASAN Output

fuzzer@fuzzer:~/victim/libsass/sassc/bin$ ./sassc -v
sassc: 3.6.1-5-g507f0
libsass: 3.6.2
sass2scss: 1.1.1
sass: 3.5
fuzzer@fuzzer:~/victim/libsass/sassc/bin$

fuzzer@fuzzer:~/victim/libsass/sassc/bin$ ./sassc in/POC.scss
ASAN:DEADLYSIGNAL
=================================================================
==23322==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdfae50e58 (pc 0x00000049382c bp 0x7ffdfae516b0 sp 0x7ffdfae50e30 T0)
    #0 0x49382b in __interceptor_strcmp.part.24 (/home/fuzzer/victim/libsass/sassc/bin/sassc+0x49382b)
    #1 0x9d6aed in std::type_info::operator==(std::type_info const&) const /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/typeinfo:124:5
    #2 0x9d6aed in Sass::Variable* Sass::Cast<Sass::Variable>(Sass::AST_Node*) /home/fuzzer/victim/libsass/src/ast.hpp:114
    #3 0x9d6aed in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:570
    #4 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13
    #5 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13
    #6 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13
    #7 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13
    #8 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13

// SNIPPED //

    #252 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13
    #253 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13

SUMMARY: AddressSanitizer: stack-overflow (/home/fuzzer/victim/libsass/sassc/bin/sassc+0x49382b) in __interceptor_strcmp.part.24
==23322==ABORTING
fuzzer@fuzzer:~/victim/libsass/sassc/bin$
@mgreter mgreter added the Fuzzy label Nov 3, 2019
@nluedtke

Being tracked as CVE-2019-18797.

@mgreter
Contributor

mgreter commented May 1, 2020

This works OK for me; what stack size did you give sassc?

Error: Stack depth exceeded max of 1024
        on line 1:23494 of test.scss

I'll keep it open as I haven't fully tested it under ASAN.
But it sure seems your stack size is simply too small.

@NicoleG25

@mgreter was this issue ever addressed?
I see above that you said it's not reproducible but yet there is still a CVE active on this issue.
Are you considering disputing it?
Thanks in advance!

@mgreter
Contributor

mgreter commented May 29, 2020

Hey @NicoleG25, no, we don't really currently address stack overflows, since on a decent OS this will result in a crash. If you can tell me how to avoid this with a recursive parser in any env, I'm all ears. This is similar to when you feed a too-big source file to GCC/Clang or any other compiler. LibSass is no different in that regard and is dependent on how much stack space you give it during compilation. We might improve this on certain OSes, e.g. by catching Structured Exceptions on Windows or setting rlimit, or SIGSEGV on Linux. But we will never be completely safe on all systems.
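As an added illustration of the approach mgreter's own output hints at ("Stack depth exceeded max of 1024"), here is a small recursive evaluator over a nested binary-expression tree that carries an explicit depth counter and refuses to recurse past a configured limit, so a pathological input produces a clean error instead of exhausting the native stack. This is example code written for this discussion, not libsass code; the names Node, DepthExceeded, Evaluator, buildChain and evaluateChain are hypothetical, and the AST is stored in a flat vector arena (indices instead of owning pointers) so that tearing the tree down is not itself a deep recursion.

```cpp
// Added example (not libsass code): recursion-depth guard for a recursive evaluator.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// One AST node in a flat arena. lhs/rhs are arena indices, -1 for a leaf.
// Constructed, hypothetical representation (libsass uses its own AST classes).
struct Node {
    long value;  // meaningful only for leaves
    int lhs;
    int rhs;
};

// Thrown when evaluation would recurse deeper than the configured maximum.
class DepthExceeded : public std::runtime_error {
public:
    explicit DepthExceeded(std::size_t max)
        : std::runtime_error("Stack depth exceeded max of " + std::to_string(max)) {}
};

class Evaluator {
public:
    Evaluator(const std::vector<Node>& nodes, std::size_t maxDepth)
        : nodes_(nodes), maxDepth_(maxDepth) {}

    // Evaluate node `idx`. `depth` counts how many nested binary expressions
    // we are inside; the check happens before any further recursion, so the
    // native stack never grows past roughly maxDepth_ frames of this function.
    long eval(int idx, std::size_t depth = 0) const {
        if (depth > maxDepth_) throw DepthExceeded(maxDepth_);
        const Node& n = nodes_[static_cast<std::size_t>(idx)];
        if (n.lhs < 0) return n.value;                   // leaf
        return eval(n.lhs, depth + 1) + eval(n.rhs, depth + 1);  // '+' node
    }

private:
    const std::vector<Node>& nodes_;
    std::size_t maxDepth_;
};

// Build a left-nested chain of `n` additions: (((1 + 1) + 1) + ...), which
// forces the evaluator `n` levels deep along the left spine. Returns the root index.
int buildChain(std::vector<Node>& arena, std::size_t n) {
    arena.push_back(Node{1, -1, -1});
    int cur = 0;
    for (std::size_t i = 0; i < n; ++i) {
        arena.push_back(Node{1, -1, -1});
        int leaf = static_cast<int>(arena.size()) - 1;
        arena.push_back(Node{0, cur, leaf});
        cur = static_cast<int>(arena.size()) - 1;
    }
    return cur;
}

// Evaluate a chain of `n` additions under `maxDepth`. Returns true and stores
// the sum in `out` on success; returns false if the depth guard fired.
bool evaluateChain(std::size_t n, std::size_t maxDepth, long& out) {
    std::vector<Node> arena;
    int root = buildChain(arena, n);
    try {
        out = Evaluator(arena, maxDepth).eval(root);
        return true;
    } catch (const DepthExceeded&) {
        return false;
    }
}
```

With a limit of 1024, a chain of 1024 additions evaluates to 1025 while a chain of 1025 (or 5000) is rejected by the guard rather than by the OS. The limit is a trade-off: it must be low enough that maxDepth frames of the largest recursive function fit in the smallest stack the program is expected to run on, which is why the error message reports the configured number.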
