
Read null address in Sass::Inspect::operator()

Open zyingp opened this issue 2 years ago • 0 comments

There is a SEGV error due to reading at the 0x0 address in Sass::Inspect::operator(). It happens in both (libsass 3.6.4 + sassc 3.6.1) and (libsass 3.6.5 + sassc 3.6.2) configurations.

POC file: https://github.com/zyingp/temp/blob/master/sass_crash2.scss

Build the code with ASan like:

CC=clang CXX=clang++ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" make -C sassc-3.6.1 -j8

In (libsass 3.6.4 + sassc 3.6.1), the output is:

$ ./sassc_asan sass_crash2.scss

WARNING on line 14, column 10 of /mnt/d/zyp/fuzzer/fuzzed_projects/ASAN_BUILDS/sass_crash2.scss: In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

WARNING on line 28, column 9 of /mnt/d/zyp/fuzzer/fuzzed_projects/ASAN_BUILDS/sass_crash2.scss: In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

WARNING on line 36, column 9 of /mnt/d/zyp/fuzzer/fuzzed_projects/ASAN_BUILDS/sass_crash2.scss: In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

AddressSanitizer:DEADLYSIGNAL

==22973==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000009e62b0 bp 0x000000000000 sp 0x7fffe72e6090 T0)
==22973==The signal is caused by a READ memory access.
==22973==Hint: address points to the zero page.
    #0 0x9e62af in Sass::Inspect::operator()(Sass::List*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/inspect.cpp:466:24
    #1 0x9da914 in Sass::Inspect::operator()(Sass::Declaration*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/inspect.cpp:184:11
    #2 0x9ca26a in Sass::Output::operator()(Sass::StyleRule*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/output.cpp:172:14
    #3 0x9d3c10 in Sass::Inspect::operator()(Sass::Block*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/inspect.cpp:35:20
    #4 0x59a80b in Sass::Block::perform(Sass::Operation) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/ast.hpp:510:5
    #5 0x59a80b in Sass::Context::render(Sass::SharedImplSass::Block) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/context.cpp:498
    #6 0x56989f in sass_compiler_execute /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/sass_context.cpp:454:53
    #7 0x567ff2 in sass_compile_context(Sass_Context, Sass::Context*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/sass_context.cpp:319:7
    #8 0x5682da in sass_compile_file_context /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/sass_context.cpp:422:12
    #9 0x55f520 in compile_file /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/sassc-3.6.1/sassc.c:158:5
    #10 0x560afe in main /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/sassc-3.6.1/sassc.c:370:18
    #11 0x7faae9491b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x466519 in _start (/mnt/d/zyp/fuzzer/fuzzed_projects/ASAN_BUILDS/sassc_asan+0x466519)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/inspect.cpp:466:24 in Sass::Inspect::operator()(Sass::List*)
==22973==ABORTING

In (libsass 3.6.5 + sassc 3.6.2), the output is:

$ ./sassc ../../sass_crash2.scss

WARNING on line 14, column 10 of /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sass_crash2.scss: In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

WARNING on line 28, column 9 of /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sass_crash2.scss: In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

WARNING on line 36, column 9 of /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sass_crash2.scss: In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

AddressSanitizer:DEADLYSIGNAL

==22961==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000063dd44 bp 0x000000000000 sp 0x7fffd3a8f540 T0)
==22961==The signal is caused by a READ memory access.
==22961==Hint: address points to the zero page.
    #0 0x63dd43 in Sass::Inspect::operator()(Sass::List*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x63dd43)
    #1 0x63bc1d in Sass::Inspect::operator()(Sass::Declaration*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x63bc1d)
    #2 0x6389cc in Sass::Output::operator()(Sass::StyleRule*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x6389cc)
    #3 0x63a9e1 in Sass::Inspect::operator()(Sass::Block*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x63a9e1)
    #4 0x53ebba in Sass::Context::render(Sass::SharedImplSass::Block) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x53ebba)
    #5 0x52f24f in sass_compiler_execute (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x52f24f)
    #6 0x52eb4e in sass_compile_context(Sass_Context*, Sass::Context*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x52eb4e)
    #7 0x52b4a6 in compile_file /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/sassc.c:173:5
    #8 0x52bdf8 in main /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/sassc.c:387:18
    #9 0x7ff668091b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x432be9 in _start (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x432be9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x63dd43) in Sass::Inspect::operator()(Sass::List*)
==22961==ABORTING

Found by fuzzing.

zyingp, Oct 30 '21 06:10