
AddressSanitizer: heap-buffer-overflow (OOB read) in Sass::Prelexer::exactly (libsass/src/lexer.hpp:93:14) #2656

Closed
glen-mac opened this issue Jun 2, 2018 · 1 comment
glen-mac commented Jun 2, 2018

Hey there, I have discovered an out-of-bounds read (OOB) in libsass at: libsass/src/lexer.hpp:93:14

Found when fuzzing commit 60f8391 of libsass, using commit aa6d5c6 of sassc as a harness.

Compile flags to reproduce:

CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make -C sassc -j8

System information:

$ uname -a
Linux s127422 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

This bug was found to be in libsass releases from 3.3.2 until the commit tested above.

You can find a collection of PoC files that trigger the bug here.

The full ASAN report can be found here (symbol names too long to bother showing).

==14124==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000cff1 at pc 0x0000006be6c1 bp 0x7fff2a900fc0 sp 0x7fff2a900fb8
READ of size 1 at 0x60d00000cff1 thread T0
    #0 0x6be6c0 in char const* Sass::Prelexer::exactly<(char)92>(char const*) /home/glenn/temp/libsass/src/lexer.hpp:93:14
...
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/glenn/temp/libsass/src/lexer.hpp:93:14 in char const* Sass::Prelexer::exactly<(char)92>(char const*)
...
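To make the class of bug behind this report concrete, here is an added example (not libsass code, and not a claim about the exact logic at lexer.hpp:93): a minimal prefix-matching lexer in the style of Sass::Prelexer. The unbounded matchers rely on a NUL terminator as their only stop condition, so a combinator that consumes the terminator (here a hypothetical `escape` = backslash followed by any character) leaves the cursor past the end of the buffer and the next `exactly<'\\'>` call reads out of bounds, which is what ASan flags. The bounded variant carries an explicit end pointer and backtracks on failure, so the same input cannot run off the buffer. `any_char`, `escape`, `Cursor` and `count_escapes` are names chosen for this illustration.

```cpp
// Added example, not libsass code: an unbounded prefix lexer next to a
// bounded one, showing how a matcher can walk past the NUL terminator.
#include <cstddef>
#include <cstring>
#include <string>

namespace unbounded {
// Matches one specific character, in the spirit of Sass::Prelexer::exactly<chr>.
// Assumes *src is readable; the only stop condition is the NUL terminator.
template <char chr>
const char* exactly(const char* src) {
  return *src == chr ? src + 1 : nullptr;
}
// Hypothetical matcher: consumes any single character, including NUL.
const char* any_char(const char* src) { return src + 1; }

// Escape = backslash followed by any character.  If the input ends with a
// lone backslash, any_char consumes the terminating NUL and the caller keeps
// lexing beyond the buffer: the next dereference is the OOB read.
const char* escape(const char* src) {
  const char* p = exactly<'\\'>(src);
  return p ? any_char(p) : nullptr;
}
}  // namespace unbounded

namespace bounded {
struct Cursor { const char* pos; const char* end; };

template <char chr>
bool exactly(Cursor& c) {
  if (c.pos >= c.end) return false;  // never dereference at or past end
  if (*c.pos != chr) return false;
  ++c.pos;
  return true;
}
bool any_char(Cursor& c) {
  if (c.pos >= c.end) return false;
  ++c.pos;
  return true;
}
bool escape(Cursor& c) {
  Cursor save = c;
  if (exactly<'\\'>(c) && any_char(c)) return true;
  c = save;  // backtrack on partial match
  return false;
}
}  // namespace bounded

// Bounded lexing over a buffer of known length: counts escape sequences and
// can never advance past s.data() + s.size().
int count_escapes(const std::string& s) {
  bounded::Cursor c{s.data(), s.data() + s.size()};
  int n = 0;
  while (c.pos < c.end) {
    if (bounded::escape(c)) { ++n; continue; }
    ++c.pos;
  }
  return n;
}

// Runs the unbounded lexer over a C string and reports how many bytes past the
// NUL terminator the cursor ended up.  Only pointer arithmetic is done past the
// end (no dereference), so this stays defined; a real lexer would read there.
std::ptrdiff_t unbounded_overrun(const char* s) {
  const char* terminator = s + std::strlen(s);
  const char* p = s;
  while (p < terminator) {
    const char* q = unbounded::escape(p);
    p = q ? q : p + 1;
  }
  return p - terminator;  // 0: stopped on the NUL; 1: one byte past it
}
```

On the constructed input `"a\\"` (the characters `a`, backslash, NUL) the unbounded lexer ends one byte past the terminator, while the bounded version simply fails to match the trailing backslash and stops at the end. Under ASan a real matcher dereferencing that extra byte reports exactly the heap-buffer-overflow shown above.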
xzyfer added a commit to xzyfer/libsass that referenced this issue Jul 4, 2018
glebm (Contributor) commented Nov 25, 2018

Only the following case still fails: id:000449,sig:06,src:008670+009131,op:splice,rep:8. A memory leak not an OOB though.

glebm added a commit to glebm/libsass that referenced this issue Nov 25, 2018
`kwd_arg` would never get freed when there was a parse error in
`parse_ie_keyword_arg`.

Closes sass#2656
xzyfer pushed a commit that referenced this issue Nov 25, 2018
`kwd_arg` would never get freed when there was a parse error in
`parse_ie_keyword_arg`.

Closes #2656
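The commit message above describes a leak on an error path: an owned object allocated before a parse error is never released when the parser bails out. Here is an added example (not libsass code; `Arg`, `TrackedArg` and the parser names are hypothetical) showing that pattern with a raw owning pointer next to the RAII version, where a `std::unique_ptr` holds the object until it is returned so any exception frees it. A live-object counter makes the leak observable without LeakSanitizer, though LSan would report the `new` in the leaky variant as a leaked allocation.

```cpp
// Added example, not libsass code: a keyword-argument parser that leaks its
// partially built result on a parse error, and the RAII fix.
#include <memory>
#include <stdexcept>
#include <string>

struct Arg {
  std::string name;
  std::string value;
  virtual ~Arg() = default;  // virtual so deleting via Arg* runs TrackedArg's dtor
};

// Counts live Arg objects so a leak shows up as a non-zero count.
static int g_live_args = 0;
struct TrackedArg : Arg {
  TrackedArg() { ++g_live_args; }
  ~TrackedArg() override { --g_live_args; }
};

// Before: raw owning pointer.  The throw on malformed input leaves kwd_arg
// unreachable and never freed.
Arg* parse_keyword_arg_leaky(const std::string& src) {
  TrackedArg* kwd_arg = new TrackedArg();
  auto eq = src.find('=');
  if (eq == std::string::npos) throw std::runtime_error("expected '='");  // leak
  kwd_arg->name = src.substr(0, eq);
  kwd_arg->value = src.substr(eq + 1);
  return kwd_arg;
}

// After: unique_ptr owns kwd_arg until it is handed back; a throw anywhere in
// between destroys it during unwinding.
std::unique_ptr<Arg> parse_keyword_arg(const std::string& src) {
  auto kwd_arg = std::make_unique<TrackedArg>();
  auto eq = src.find('=');
  if (eq == std::string::npos) throw std::runtime_error("expected '='");
  kwd_arg->name = src.substr(0, eq);
  kwd_arg->value = src.substr(eq + 1);
  return kwd_arg;
}

// Number of Arg objects still alive after parsing src with the leaky parser and
// discarding the result: 1 on a parse error (leaked), 0 on success.
int leaked_after_leaky(const std::string& src) {
  g_live_args = 0;
  try {
    delete parse_keyword_arg_leaky(src);
  } catch (const std::runtime_error&) {
  }
  return g_live_args;
}

// Same measurement for the RAII version: always 0.
int leaked_after_fixed(const std::string& src) {
  g_live_args = 0;
  try {
    auto a = parse_keyword_arg(src);
    (void)a;
  } catch (const std::runtime_error&) {
  }
  return g_live_args;
}
```

The fuzzer case glebm mentions is exactly the kind of input that exercises the error branch: a crash-free but malformed keyword argument that makes the parser throw after allocation. The RAII form needs no extra `delete` calls on any branch, which is why it is the usual fix for this class of leak.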
glebm added the Fuzzy label Apr 15, 2019
2 participants