Headline
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.
AddressSanitizer reports the heap-buffer-overflow (a 1-byte read) at prelexer.hpp:69:14 in the instantiation char const* Sass::Prelexer::alternatives<&Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*)
Compile and reproduce:
CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 make -C sassc -j4
ldd:
$ ldd sassc
linux-vdso.so.1 => (0x00007fffc6365000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f731150d000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f7311204000)
libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f7310e82000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f7310c65000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f7310a5d000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f7310847000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f731047d000)
/lib64/ld-linux-x86-64.so.2 (0x00007f7311711000)
System information:
Linux ubuntu64 4.15.0-29-generic #31~16.04.1-Ubuntu SMP Wed Jul 18 08:54:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Version: libsass-3.5.5, sassc-3.4.8
Poc: crash147.zip
Run: cat crash147 | ./sassc
ASAN:
=================================================================
==3354==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000006a at pc 0x0000009591ef bp 0x7ffe65ea3260 sp 0x7ffe65ea3258
READ of size 1 at 0x60700000006a thread T0
    #0 0x9591ee in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/prelexer.hpp:69:14
    #1 0x958d3a in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::hex, &Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212:14
    #2 0x958d3a in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::number, &Sass::Prelexer::hex, &Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212
    #3 0x958d3a in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::quoted_string, &Sass::Prelexer::number, &Sass::Prelexer::hex, &Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212
    #4 0x946c2c in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::identifier, &Sass::Prelexer::quoted_string, &Sass::Prelexer::number, &Sass::Prelexer::hex, &Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212:14
    #5 0x946c2c in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::identifier_schema, &Sass::Prelexer::identifier, &Sass::Prelexer::quoted_string, &Sass::Prelexer::number, &Sass::Prelexer::hex, &Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212
    #6 0x946c2c in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::variable, &Sass::Prelexer::identifier_schema, &Sass::Prelexer::identifier, &Sass::Prelexer::quoted_string, &Sass::Prelexer::number, &Sass::Prelexer::hex, &Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212
    #7 0x946c2c in Sass::Prelexer::ie_keyword_arg_value(char const*) /home/eack/libsass/src/prelexer.cpp:1321
    #8 0x946dee in char const* Sass::Prelexer::sequence<&Sass::Prelexer::ie_keyword_arg_value>(char const*) /home/eack/libsass/src/lexer.hpp:221:20
    #9 0x946dee in char const* Sass::Prelexer::sequence<&Sass::Prelexer::optional_css_whitespace, &Sass::Prelexer::ie_keyword_arg_value>(char const*) /home/eack/libsass/src/lexer.hpp:228
    #10 0x946dee in char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)61>(char const*)), &Sass::Prelexer::optional_css_whitespace, &Sass::Prelexer::ie_keyword_arg_value>(char const*) /home/eack/libsass/src/lexer.hpp:228
    #11 0x946dee in char const* Sass::Prelexer::sequence<&Sass::Prelexer::optional_css_whitespace, &(char const* Sass::Prelexer::exactly<(char)61>(char const*)), &Sass::Prelexer::optional_css_whitespace, &Sass::Prelexer::ie_keyword_arg_value>(char const*) /home/eack/libsass/src/lexer.hpp:228
    #12 0x946dee in char const* Sass::Prelexer::sequence<&Sass::Prelexer::ie_keyword_arg_property, &Sass::Prelexer::optional_css_whitespace, &(char const* Sass::Prelexer::exactly<(char)61>(char const*)), &Sass::Prelexer::optional_css_whitespace, &Sass::Prelexer::ie_keyword_arg_value>(char const*) /home/eack/libsass/src/lexer.hpp:228
    #13 0x946dee in Sass::Prelexer::ie_keyword_arg(char const*) /home/eack/libsass/src/prelexer.cpp:1340
    #14 0x899ce2 in char const* Sass::Parser::peek<&Sass::Prelexer::ie_keyword_arg>(char const*) /home/eack/libsass/src/parser.hpp:136:27
    #15 0x899ce2 in Sass::Parser::parse_factor() /home/eack/libsass/src/parser.cpp:1470
    #16 0x891636 in Sass::Parser::parse_operators() /home/eack/libsass/src/parser.cpp:1416:29
    #17 0x886677 in Sass::Parser::parse_expression() /home/eack/libsass/src/parser.cpp:1375:26
    #18 0x88272c in Sass::Parser::parse_relation() /home/eack/libsass/src/parser.cpp:1320:26
    #19 0x87f37e in Sass::Parser::parse_conjunction() /home/eack/libsass/src/parser.cpp:1297:26
    #20 0x87d34e in Sass::Parser::parse_disjunction() /home/eack/libsass/src/parser.cpp:1275:27
    #21 0x83bc1b in Sass::Parser::parse_space_list() /home/eack/libsass/src/parser.cpp:1247:28
    #22 0x87ae39 in Sass::Parser::parse_comma_list(bool) /home/eack/libsass/src/parser.cpp:1216:27
    #23 0x835b3e in Sass::Parser::parse_list(bool) /home/eack/libsass/src/parser.cpp:1200:12
    #24 0x830d9b in Sass::Parser::parse_declaration() /home/eack/libsass/src/parser.cpp:1074:17
    #25 0x7fa3d2 in Sass::Parser::parse_block_node(bool) /home/eack/libsass/src/parser.cpp:309:30
    #26 0x7eee86 in Sass::Parser::parse_block_nodes(bool) /home/eack/libsass/src/parser.cpp:197:11
    #27 0x7f379f in Sass::Parser::parse_css_block(bool) /home/eack/libsass/src/parser.cpp:154:10
    #28 0x81ce00 in Sass::Parser::parse_block(bool) /home/eack/libsass/src/parser.cpp:178:12
    #29 0x81ce00 in Sass::Parser::parse_ruleset(Lookahead) /home/eack/libsass/src/parser.cpp:538
    #30 0x7f8c3b in Sass::Parser::parse_block_node(bool) /home/eack/libsass/src/parser.cpp:279:21
    #31 0x7eee86 in Sass::Parser::parse_block_nodes(bool) /home/eack/libsass/src/parser.cpp:197:11
    #32 0x7ea18f in Sass::Parser::parse() /home/eack/libsass/src/parser.cpp:123:5
    #33 0x611d5b in Sass::Context::register_resource(Sass::Include const&, Sass::Resource const&) /home/eack/libsass/src/context.cpp:324:24
    #34 0x62e930 in Sass::Data_Context::parse() /home/eack/libsass/src/context.cpp:636:5
    #35 0x5b9926 in Sass::sass_parse_block(Sass_Compiler*) /home/eack/libsass/src/sass_context.cpp:234:31
    #36 0x5b9926 in sass_compiler_parse /home/eack/libsass/src/sass_context.cpp:483
    #37 0x5b85c2 in sass_compile_context(Sass_Context*, Sass::Context*) /home/eack/libsass/src/sass_context.cpp:371:7
    #38 0x5b81ac in sass_compile_data_context /home/eack/libsass/src/sass_context.cpp:456:12
    #39 0x5a7069 in compile_stdin /home/eack/sassc/sassc.c:138:5
    #40 0x5a81ed in main /home/eack/sassc/sassc.c:375:18
    #41 0x7fdf02f2c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #42 0x4aad88 in _start (/home/eack/sassc/bin/sassc+0x4aad88)

0x60700000006a is located 0 bytes to the right of 74-byte region [0x607000000020,0x60700000006a)
allocated by thread T0 here:
    #0 0x56f420 in realloc /home/eack/llvm-install/llvm-6.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107
    #1 0x5a6f22 in compile_stdin /home/eack/sassc/sassc.c:112:25
    #2 0x5a81ed in main /home/eack/sassc/sassc.c:375:18
    #3 0x7fdf02f2c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/eack/libsass/src/prelexer.hpp:69:14 in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*)
Shadow bytes around the buggy address:
  0x0c0e7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c0e7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00[02]fa fa
  0x0c0e7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3354==ABORTING
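What the trace shows is a 1-byte read at offset 74 of a 74-byte region, that is, the first byte past the end of the input text that compile_stdin grew with realloc, reached through the prelexer combinators alternatives, sequence, exactly and skip_over_scopes. The example below is added here and is not LibSass or sassc code: it reimplements those combinators in a simplified form in which every matcher receives an explicit end pointer and checks it before dereferencing, so an unclosed scope at the end of the input makes the match fail instead of stepping past the buffer. The names exactly, xdigit, one_plus, sequence, alternatives, skip_over_scopes, hexa, paren_scope, value and match_value are this example's own, and the matching rules (for instance hexa as '#' followed by hex digits) are simplifying assumptions rather than LibSass's grammar.

```cpp
// Added example (not LibSass code): bounded prelexer-style combinators.
// Every matcher takes [src, end) and returns the position just after the
// match, or nullptr when it does not match. No matcher reads *src unless
// src < end, so a buffer without a terminating NUL is still safe to scan.
#include <cassert>
#include <cctype>
#include <cstddef>
#include <cstdio>

using Matcher = const char* (*)(const char* src, const char* end);

// Match one literal character, bound check first.
template <char C>
const char* exactly(const char* src, const char* end) {
    return (src < end && *src == C) ? src + 1 : nullptr;
}

// Match one hexadecimal digit.
inline const char* xdigit(const char* src, const char* end) {
    if (src < end && std::isxdigit(static_cast<unsigned char>(*src))) return src + 1;
    return nullptr;
}

// Match M one or more times (greedy).
template <Matcher M>
const char* one_plus(const char* src, const char* end) {
    const char* p = M(src, end);
    if (!p) return nullptr;
    while (const char* q = M(p, end)) p = q;
    return p;
}

// sequence: every matcher must succeed, each starting where the last ended.
template <Matcher M>
const char* sequence(const char* src, const char* end) { return M(src, end); }
template <Matcher M1, Matcher M2, Matcher... Ms>
const char* sequence(const char* src, const char* end) {
    const char* rslt = M1(src, end);
    return rslt ? sequence<M2, Ms...>(rslt, end) : nullptr;
}

// alternatives: the first matcher that succeeds wins.
template <Matcher M>
const char* alternatives(const char* src, const char* end) { return M(src, end); }
template <Matcher M1, Matcher M2, Matcher... Ms>
const char* alternatives(const char* src, const char* end) {
    const char* rslt = M1(src, end);
    return rslt ? rslt : alternatives<M2, Ms...>(src, end);
}

// skip_over_scopes: the opening delimiter has already been consumed; scan
// forward counting nested Start/Stop pairs until the matching Stop. Reaching
// end first is a failure, not a reason to keep reading.
template <Matcher Start, Matcher Stop>
const char* skip_over_scopes(const char* src, const char* end) {
    std::size_t level = 1;
    while (src < end) {
        if (const char* p = Stop(src, end)) {
            if (--level == 0) return p;
            src = p;
        } else if (const char* q = Start(src, end)) {
            ++level;
            src = q;
        } else {
            ++src;
        }
    }
    return nullptr;  // unterminated scope: stop at the buffer boundary
}

// Simplified assumptions of the two alternatives named in the trace.
const char* hexa(const char* src, const char* end) {
    return sequence<&exactly<'#'>, &one_plus<&xdigit> >(src, end);
}
const char* paren_scope(const char* src, const char* end) {
    return sequence<&exactly<'('>,
                    &skip_over_scopes<&exactly<'('>, &exactly<')'> > >(src, end);
}
const char* value(const char* src, const char* end) {
    return alternatives<&hexa, &paren_scope>(src, end);
}

// Length of the value matched at the start of data[0..len), or -1 if none.
long match_value(const char* data, std::size_t len) {
    const char* end = data + len;
    const char* p = value(data, end);
    return p ? static_cast<long>(p - data) : -1;
}

int main() {
    // Constructed input with no terminating NUL and an unclosed scope, the
    // shape of input at which an unbounded scanner would read past the end.
    const char unterminated[] = {'(', 'a', ' ', '(', 'b'};
    std::printf("unclosed scope -> %ld\n", match_value(unterminated, sizeof unterminated));
    std::printf("balanced scope -> %ld\n", match_value("(a (b) c) rest", 14));
    return 0;
}
```

The defender's check here is the last line of skip_over_scopes: a scanner that loops on `*src` alone has no way to know where the heap region ends, which is exactly the 1-byte read the sanitizer flagged; threading the end pointer through the combinators turns that read into a clean match failure. Compiling with AddressSanitizer (as the report does via AFL_USE_ASAN=1) is the cheapest way to confirm that a lexer stays within its input on fuzzer-generated cases.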