
Stack Overflow in sassc

Open c0d3xpl0it opened this issue 4 years ago • 4 comments

We found a stack overflow in the sassc binary; sassc is compiled with clang with ASAN enabled.

Machine Setup

Machine : Ubuntu 16.04.3 LTS
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
Commit : 4da7c4b
Command : sassc POC

Compilation : CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 make -C sassc -j4
POC : POC.scss.zip

ASAN Output

fuzzer@fuzzer:~/victim/libsass/sassc/bin$ ./sassc -v
sassc: 3.6.1-5-g507f0
libsass: 3.6.2
sass2scss: 1.1.1
sass: 3.5
fuzzer@fuzzer:~/victim/libsass/sassc/bin$

fuzzer@fuzzer:~/victim/libsass/sassc/bin$ ./sassc in/POC.scss
ASAN:DEADLYSIGNAL
=================================================================
==23322==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdfae50e58 (pc 0x00000049382c bp 0x7ffdfae516b0 sp 0x7ffdfae50e30 T0)
    #0 0x49382b in __interceptor_strcmp.part.24 (/home/fuzzer/victim/libsass/sassc/bin/sassc+0x49382b)
    #1 0x9d6aed in std::type_info::operator==(std::type_info const&) const /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/typeinfo:124:5
    #2 0x9d6aed in Sass::Variable* Sass::Cast<Sass::Variable>(Sass::AST_Node*) /home/fuzzer/victim/libsass/src/ast.hpp:114
    #3 0x9d6aed in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:570
    #4 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13
    #5 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13
    #6 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13
    #7 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13
    #8 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13

// SNIPPED //

    #252 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13
    #253 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13

SUMMARY: AddressSanitizer: stack-overflow (/home/fuzzer/victim/libsass/sassc/bin/sassc+0x49382b) in __interceptor_strcmp.part.24
==23322==ABORTING
fuzzer@fuzzer:~/victim/libsass/sassc/bin$

c0d3xpl0it, Oct 07 '19 14:10

Being tracked as CVE-2019-18797.

nluedtke, Nov 12 '19 12:11

This works ok for me; what stack size did you give sassc?

Error: Stack depth exceeded max of 1024
        on line 1:23494 of test.scss

I'll keep it open as I haven't fully tested it under ASAN. But it sure seems your stack size is simply too small.

mgreter, May 01 '20 07:05

@mgreter was this issue ever addressed? I see above that you said it's not reproducible, but there is still a CVE active on this issue. Are you considering disputing it? Thanks in advance!

NicoleG25, May 27 '20 12:05

Hey @NicoleG25, no, we don't really currently address stack overflows, since with a decent OS this will result in a crash. If you can tell me how to avoid this with a recursive parser in any env, I'm all ears. This is similar to when you feed a too big source file to GCC/Clang or any other compiler. LibSass is not different in that regard and is dependent on how much stack space you give it during compilation. We might improve this on certain OS, e.g. by catching Structured Exceptions on Windows or setting rlimit, or SIGSEGV on Linux. But we will never be completely safe on all systems.

mgreter, May 29 '20 00:05
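The trace above shows Eval::operator()(Binary_Expression*) recursing once per nesting level until the stack is exhausted, and the later sassc build instead reports "Stack depth exceeded max of 1024". As an added example (not libsass code; the Expr type, make_chain and kMaxDepth are hypothetical), this is a minimal recursive evaluator for left-nested binary expressions with that kind of depth guard, so a hostile input yields a diagnosable error rather than a SIGSEGV:

```cpp
// Added example, not part of libsass: a recursive evaluator guarded by a
// depth counter, the mitigation the "Stack depth exceeded max of 1024"
// error above reflects. All names here are hypothetical.
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <string>

struct Expr {
    // Leaf if left/right are null; otherwise a binary '+' node.
    long value = 0;
    std::unique_ptr<Expr> left, right;
};

// Builds "1 + 1 + ... + 1" with n operands parsed left-associatively
// (((1 + 1) + 1) + ...), i.e. a chain n-1 binary nodes deep, the shape
// that drives an unguarded evaluator to recurse once per operand.
std::unique_ptr<Expr> make_chain(std::size_t n) {
    auto node = std::make_unique<Expr>();
    node->value = 1;
    for (std::size_t i = 1; i < n; ++i) {
        auto parent = std::make_unique<Expr>();
        parent->left = std::move(node);
        parent->right = std::make_unique<Expr>();
        parent->right->value = 1;
        node = std::move(parent);
    }
    return node;
}

constexpr int kMaxDepth = 1024;  // hypothetical limit, mirrors the message above

// Recursive evaluation; `depth` bounds recursion so deeply nested input
// fails with an error instead of exhausting the stack.
long eval(const Expr& e, int depth = 0) {
    if (depth > kMaxDepth)
        throw std::runtime_error("Stack depth exceeded max of " +
                                 std::to_string(kMaxDepth));
    if (!e.left) return e.value;  // leaf
    return eval(*e.left, depth + 1) + eval(*e.right, depth + 1);
}

// Evaluates an n-operand chain; returns the sum, or -1 if the guard fired.
long eval_chain(std::size_t n) {
    try { return eval(*make_chain(n)); }
    catch (const std::runtime_error&) { return -1; }
}
```

With the guard, a 5000-operand chain is rejected at depth 1025 while a 1000-operand chain evaluates normally.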