
A stack-overflow vulnerability in faust

Open mondaylord opened this issue 2 years ago • 6 comments

Hi, developers of faust: in testing the binary faust instrumented with ASAN, there is a stack-overflow vulnerability in /build/bin/faust, at /faust/compiler/boxes/ppbox.cpp:401 in boxppShared::print(std::ostream&) const. Here is the ASAN mode output (I omit some repeated messages):

=================================================================
==45152==ERROR: AddressSanitizer: stack-overflow on address 0x7f14949f7420 (pc 0x0000006aeaaa bp 0x7f1494a00bb0 sp 0x7f14949f7420 T1)
    #0 0x6aeaaa in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:401
    #1 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16
    #2 0x6d9c0b in streambinopShared(std::ostream&, CTree*, char const*, CTree*, int, int) /faust/compiler/boxes/ppbox.cpp:120:10
    #3 0x6b569e in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:482:9
    #4 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16
    #5 0x6d9c0b in streambinopShared(std::ostream&, CTree*, char const*, CTree*, int, int) /faust/compiler/boxes/ppbox.cpp:120:10
    #6 0x6b74ee in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:488:9
    #7 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16

SUMMARY: AddressSanitizer: stack-overflow /faust/compiler/boxes/ppbox.cpp:401 in boxppShared::print(std::ostream&) const
Thread T1 created by T0 here:
    #0 0x61127a in pthread_create (/faust/build/bin/faust+0x61127a)
    #1 0xbaae26 in callFun(void* ()(void), void*) /faust/compiler/global.cpp:2225:5
    #2 0xc41570 in createFactory(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, int, char const**, std::__cxx11::basic_string<char, std::char_traits, std::allocator >&, bool) /faust/compiler/libcode.cpp:1321:5
    #3 0xc52100 in main /faust/compiler/main.cpp:46:33
    #4 0x7f1498d2dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

==45152==ABORTING

Crash input

https://github.com/17ssDP/fuzzer_crashes/blob/main/faust/stack-overflow

Validation steps

cmake . -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DINCLUDE_STATIC=on -DINCLUDE_HTTP=off -DINCLUDE_OSC=off
make -j
./build/bin/faust -lang ocpp -o /tmp/faust -e -lcc -exp10 -lb -rb -mem -sd @@

Environment

Ubuntu 16.04
Clang 10.0.1
gcc 5.5

mondaylord avatar Jul 07 '23 07:07 mondaylord

This is the DSP source?

sletz avatar Jul 07 '23 07:07 sletz

I don't quite know if I cloned the DSP source. I just cloned this repository and built with CMake.

I think the code attached to this problem is as follows (/faust/compiler/boxes/ppbox.cpp:120:10):

static void streambinopShared(ostream& fout, Tree t1, const char* op, Tree t2, int curPriority, int upPriority)
{
    // Parenthesise when the enclosing operator binds tighter than this one.
    if (upPriority > curPriority) fout << '(';
    // Each operand is printed through boxppShared, whose print() calls back
    // into this function: recursion depth follows the nesting depth of the tree.
    fout << boxppShared(t1, curPriority) << op << boxppShared(t2, curPriority);
    if (upPriority > curPriority) fout << ')';
}

And the contents of the POC are:

//�.$s�
process =->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>=>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>min~999; 

mondaylord avatar Jul 07 '23 07:07 mondaylord

Which version of the Faust compiler? I cannot reproduce the problem here with current 2.60.6.

sletz avatar Jul 07 '23 08:07 sletz

The version I tested is commit ee39a19

mondaylord avatar Jul 07 '23 09:07 mondaylord

OK. There are a lot of recursive functions in the compiler, and even if we call them in a separate thread with a bigger stack, some of them may cause a stack-overflow issue. I don't think we can solve the problem in the general case.

sletz avatar Jul 07 '23 11:07 sletz
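The recursion mondaylord points at in streambinopShared, and the general problem sletz describes, as an added example that is not faust's own code: a hypothetical Box type with a printer that mirrors the original's one-native-frame-per-nesting-level shape, next to an explicit-stack printer that yields identical output for a chain as deep as the fuzz input without growing the native stack. Arena, Box, chain, printRecursive and printIterative are assumed names; the priority rule (parentheses when upPriority > curPriority) is the one visible in the quoted code.

```cpp
// Added example (not faust's own code): a minimal model of the recursive box
// pretty-printer in ppbox.cpp next to an explicit-stack version of the same printer.
#include <deque>
#include <sstream>
#include <stack>
#include <string>
// Hypothetical box node: a leaf name, or a binary composition with an operator and
// a binding priority (parens when the parent binds tighter: upPriority > curPriority).
struct Box { std::string name, op; int priority; const Box *lhs, *rhs; };
// Arena owning all nodes; deque keeps pointers stable and is freed iteratively
// (a nested smart-pointer chain would itself overflow the stack on delete).
struct Arena {
    std::deque<Box> nodes;
    const Box* leaf(const std::string& n) { nodes.push_back({n, "", 0, nullptr, nullptr}); return &nodes.back(); }
    const Box* binop(const Box* l, const std::string& op, int p, const Box* r) {
        nodes.push_back({"", op, p, l, r}); return &nodes.back();
    }
    // Right-nested chain x:x:...:x, the shape of the fuzz input's long run of ">".
    const Box* chain(const std::string& op, int p, size_t n) {
        const Box* t = leaf("x");
        while (n--) t = binop(leaf("x"), op, p, t);
        return t;
    }
};
// Mirrors streambinopShared / boxppShared::print: one native stack frame per nesting
// level, so a long enough chain ends in the stack-overflow ASAN reported.
static void printRecursive(std::ostream& out, const Box* t, int upPriority) {
    if (!t->lhs) { out << t->name; return; }
    if (upPriority > t->priority) out << '(';
    printRecursive(out, t->lhs, t->priority);
    out << t->op;
    printRecursive(out, t->rhs, t->priority);
    if (upPriority > t->priority) out << ')';
}

// Same output, but the pending work lives in a heap-allocated explicit stack.
static std::string printIterative(const Box* root) {
    struct Item { const Box* t; int up; std::string lit; };  // non-empty lit => emit it
    std::ostringstream out;
    std::stack<Item> work;
    work.push({root, 0, ""});
    while (!work.empty()) {
        Item it = work.top(); work.pop();
        if (!it.lit.empty()) { out << it.lit; continue; }
        if (!it.t->lhs) { out << it.t->name; continue; }
        bool paren = it.up > it.t->priority;
        if (paren) { out << '('; work.push({nullptr, 0, ")"}); }
        work.push({it.t->rhs, it.t->priority, ""});  // pushed in reverse so they pop
        work.push({nullptr, 0, it.t->op});           // in print order: lhs, op, rhs, ')'
        work.push({it.t->lhs, it.t->priority, ""});
    }
    return out.str();
}
```

For a right-nested chain the explicit stack never holds more than a handful of items, so the depth the fuzz input reaches costs heap memory proportional to the tree, not native stack.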

If the problematic code is indeed https://github.com/grame-cncm/faust/blob/3b3e13a873db6010ca33f4819b69dc573de209da/compiler/boxes/ppbox.cpp#L110, then that was introduced in 3b3e13a873db6010ca33f4819b69dc573de209da, which looks like it was released in 2.40.0-rc1, and the offending code is still present in https://github.com/grame-cncm/faust/blob/6826bfb5214b075b3af2ae90061f8de040ac4c76/compiler/boxes/ppbox.cpp#L117, which is in the most recent release 2.60.3.

andrewpollock avatar Sep 13 '23 10:09 andrewpollock