AddressSanitizer: buffer-overflow (OOB read) against some invalid input (sass_context.cpp:81) #2657

Closed
hongxuchen opened this issue Jun 2, 2018 · 3 comments · Fixed by #2767

@hongxuchen

hongxuchen commented Jun 2, 2018

We found with our fuzzer some buffer overflow errors during handle_error (45f5087) against some invalid inputs when compiled with AddressSanitizer.

=================================================================
==17354==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef93 at pc 0x7fd92efcd656 bp 0x7fff0a43b4f0 sp 0x7fff0a43b4e0
READ of size 1 at 0x60200000ef93 thread T0
    #0 0x7fd92efcd655 in handle_error /home/xiaofei/FUZZ/libsass-orig/src/sass_context.cpp:81
    #1 0x7fd92efceb9f in handle_errors /home/xiaofei/FUZZ/libsass-orig/src/sass_context.cpp:207
    #2 0x7fd92f35ad8d in sass_parse_block /home/xiaofei/FUZZ/libsass-orig/src/sass_context.cpp:253
    #3 0x7fd92f35ad8d in sass_compiler_parse /home/xiaofei/FUZZ/libsass-orig/src/sass_context.cpp:483
    #4 0x7fd92f35aec8 in sass_compile_context /home/xiaofei/FUZZ/libsass-orig/src/sass_context.cpp:371
    #5 0x402d35 in compile_file /home/xiaofei/FUZZ/sassc-orig/sassc.c:158
    #6 0x402456 in main /home/xiaofei/FUZZ/sassc-orig/sassc.c:375
    #7 0x7fd92eb2a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x402748 in _start (/home/xiaofei/FUZZ/sassc-orig/install/bin/sassc+0x402748)

0x60200000ef93 is located 0 bytes to the right of 3-byte region [0x60200000ef90,0x60200000ef93)
allocated by thread T0 here:
    #0 0x7fd92f6f5602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fd92f133403 in Sass::File::read_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/xiaofei/FUZZ/libsass-orig/src/file.cpp:463

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/xiaofei/FUZZ/libsass-orig/src/sass_context.cpp:81 handle_error
==17354==ABORTING

sample input files:
test_m001.txt
test_m002.txt
test_m003.txt

@hongxuchen

Another heap buffer overflow happens nearby:

=================================================================
==6731==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efdd at pc 0x7fcdb81f7565 bp 0x7ffd03f0a200 sp 0x7ffd03f0a1f0
READ of size 1 at 0x60200000efdd thread T0
    #0 0x7fcdb81f7564 in unsigned int utf8::unchecked::next<char const*>(char const*&) utf8/unchecked.h:84
    #1 0x7fcdb7e6966e in handle_error /home/xiaofei/FUZZ/libsass-orig/src/sass_context.cpp:84
    #2 0x7fcdb7e6ab9f in handle_errors /home/xiaofei/FUZZ/libsass-orig/src/sass_context.cpp:207
    #3 0x7fcdb81f6d8d in sass_parse_block /home/xiaofei/FUZZ/libsass-orig/src/sass_context.cpp:253
    #4 0x7fcdb81f6d8d in sass_compiler_parse /home/xiaofei/FUZZ/libsass-orig/src/sass_context.cpp:483
    #5 0x7fcdb81f6ec8 in sass_compile_context /home/xiaofei/FUZZ/libsass-orig/src/sass_context.cpp:371
    #6 0x402d35 in compile_file /home/xiaofei/FUZZ/sassc-orig/sassc.c:158
    #7 0x402456 in main /home/xiaofei/FUZZ/sassc-orig/sassc.c:375
    #8 0x7fcdb79c682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x402748 in _start (/home/xiaofei/FUZZ/sassc-orig/install/bin/sassc+0x402748)

0x60200000efdd is located 0 bytes to the right of 13-byte region [0x60200000efd0,0x60200000efdd)
allocated by thread T0 here:
    #0 0x7fcdb8591602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fcdb7fcf403 in Sass::File::read_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/xiaofei/FUZZ/libsass-orig/src/file.cpp:463

SUMMARY: AddressSanitizer: heap-buffer-overflow utf8/unchecked.h:84 unsigned int utf8::unchecked::next<char const*>(char const*&)
==6731==ABORTING

sample inputs:
test_m004.txt
test_m005.txt

@hongxuchen hongxuchen changed the title from "Buffer Overflow against some invalid input" to "Buffer Overflow against some invalid input (sass_context.cpp:81)" Jun 3, 2018
@hongxuchen hongxuchen changed the title from "Buffer Overflow against some invalid input (sass_context.cpp:81)" to "AddressSanitizer: buffer-overflow against some invalid input (sass_context.cpp:81)" Jun 3, 2018
@hongxuchen hongxuchen changed the title from "AddressSanitizer: buffer-overflow against some invalid input (sass_context.cpp:81)" to "AddressSanitizer: buffer-overflow (OOB read) against some invalid input (sass_context.cpp:81)" Jun 3, 2018
@glebm

glebm commented Nov 27, 2018

I believe this is a bug in utf8cpp.

I've opened an issue (ledger/utfcpp#2) and sent a fix (ledger/utfcpp#3).

@glebm

glebm commented Nov 28, 2018

Never mind, was looking at the wrong utfcpp mirror. The right one is probably https://github.com/nemtrif/utfcpp. Checking to see if the bug is already fixed there.

glebm added a commit to glebm/libsass that referenced this issue Nov 28, 2018
Fixes sass#2657

Incorporates the following utfcpp patches:

1. Sass addition of `retreat`.
   nemtrif/utfcpp#20

2. Fix for `replace_invalid` throwing on incomplete sequence at the end
   of the input.
   nemtrif/utfcpp#21
xzyfer pushed a commit that referenced this issue Nov 28, 2018
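As an added illustration of the failure mode the fix commit describes (example code written for this page, not libsass's or utfcpp's own): a UTF-8 decoder that checks the buffer end before trusting a lead byte, so a sequence cut off at the end of the input yields U+FFFD instead of the out-of-bounds read ASan flagged in utf8::unchecked::next, plus a bounded retreat that never steps before the buffer start. The names next_bounded, decode_all and prev_cp_offset are my own.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Byte length a UTF-8 sequence claims from its lead byte (0 = not a valid lead).
static size_t utf8_seq_len(unsigned char lead) {
    if (lead < 0x80) return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 0;
}

// Bounded decode of one code point. Unlike an unchecked next(), it checks
// `end` before trusting the lead byte, so a sequence cut off at the end of
// the input yields U+FFFD instead of a read past the allocation.
uint32_t next_bounded(const char*& it, const char* end) {
    const unsigned char* p = reinterpret_cast<const unsigned char*>(it);
    size_t len = utf8_seq_len(p[0]);
    if (len == 0) { ++it; return 0xFFFD; }                 // stray/invalid lead byte
    if (static_cast<size_t>(end - it) < len) {             // incomplete sequence at end
        it = end;                                          // consume the tail, stay in bounds
        return 0xFFFD;
    }
    uint32_t cp = p[0] & (0xFF >> (len == 1 ? 1 : len + 1));
    for (size_t i = 1; i < len; ++i) {
        if ((p[i] & 0xC0) != 0x80) { ++it; return 0xFFFD; } // bad continuation byte
        cp = (cp << 6) | (p[i] & 0x3F);
    }
    it += len;
    return cp;
}

// Decode a whole buffer; every byte touched lies in [s.data(), s.data()+s.size()).
std::vector<uint32_t> decode_all(const std::string& s) {
    std::vector<uint32_t> out;
    const char* it = s.data();
    const char* end = it + s.size();
    while (it < end) out.push_back(next_bounded(it, end));
    return out;
}

// Bounded retreat: offset of the code point starting before `off`, never stepping
// before 0 (my re-implementation of the `retreat` idea in the fix commit, not libsass's code).
size_t prev_cp_offset(const std::string& s, size_t off) {
    if (off == 0 || off > s.size()) return 0;
    do { --off; } while (off > 0 && (static_cast<unsigned char>(s[off]) & 0xC0) == 0x80);
    return off;
}
```

The constructed inputs in the test are "a" followed by the first two bytes of U+20AC (E2 82 AC) with the third byte missing, which is the shape of input the reporter's fuzzer produced.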
@glebm glebm added the Fuzzy label Apr 15, 2019