sass/libsass

Read null address in Sass::SharedPtr::obj and Sass::Functions::sass_if

zyingp opened this issue · 2 comments

There is a SEGV error due to reading at the 0x0 address in Sass::Functions::sass_if.
It happens in both the (libsass 3.6.4 + sassc 3.6.1) and the (libsass 3.6.5 + sassc 3.6.2) configurations.

POC file: https://github.com/zyingp/temp/blob/master/sass_crash1.scss

Build the code with ASan like:

```sh
CC=clang CXX=clang++ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" make -C sassc-3.6.1 -j8
```

In (libsass 3.6.4 + sassc 3.6.1), the output is:

```
$./sassc_asan sass_crash1.scss
DEPRECATION WARNING: Passing a string to call() is deprecated and will be illegal
in Sass 4.0. Use call(get-function("foobar")) instead.

DEPRECATION WARNING: Passing a string to call() is deprecated and will be illegal
in Sass 4.0. Use call(get-function("min")) instead.

DEPRECATION WARNING: Passing a string to call() is deprecated and will be illegal
in Sass 4.0. Use call(get-function("mittttttttttttttn")) instead.

DEPRECATION WARNING: Passing a string to call() is deprecated and will be illegal
in Sass 4.0. Use call(get-function('mae("x is zero")')) instead.

AddressSanitizer:DEADLYSIGNAL

==22421==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005f257b bp 0x000000000000 sp 0x7fffd873aa20 T0)
==22421==The signal is caused by a READ memory access.
==22421==Hint: address points to the zero page.
#0 0x5f257a in Sass::SharedPtr::obj() const /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/memory/shared_ptr.hpp
#1 0x5f257a in Sass::SharedImpl<Sass::Value>::operator->() const /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/memory/shared_ptr.hpp:230
#2 0x5f257a in Sass::Functions::sass_if(Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Context&, char const*, Sass::SourceSpan, std::vector<Sass::Backtrace, std::allocator<Sass::Backtrace> >&, std::vector<Sass::SharedImpl<Sass::SelectorList>, std::allocator<Sass::SharedImpl<Sass::SelectorList> > >, std::vector<Sass::SharedImpl<Sass::SelectorList>, std::allocator<Sass::SharedImpl<Sass::SelectorList> > >) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/fn_miscs.cpp:165
#3 0x8afcaa in Sass::Eval::operator()(Sass::Function_Call*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/eval.cpp:1063:18
#4 0x8f3bde in Sass::Expand::operator()(Sass::Declaration*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/expand.cpp:335:31
#5 0x9220e8 in Sass::Expand::append_block(Sass::Block*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/expand.cpp:869:32
#6 0x8e450f in Sass::Expand::operator()(Sass::Block*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/expand.cpp:158:11
#7 0x8e77c9 in Sass::Expand::operator()(Sass::StyleRule*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/expand.cpp:214:27
#8 0x9220e8 in Sass::Expand::append_block(Sass::Block*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/expand.cpp:869:32
#9 0x8e450f in Sass::Expand::operator()(Sass::Block*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/expand.cpp:158:11
#10 0x5a0050 in Sass::Context::compile() /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/context.cpp:653:12
#11 0x59d9f2 in Sass::File_Context::parse() /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/context.cpp:582:12
#12 0x56897f in Sass::sass_parse_block(Sass_Compiler*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/sass_context.cpp:181:31
#13 0x56897f in sass_compiler_parse /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/sass_context.cpp:435
#14 0x567fc2 in sass_compile_context(Sass_Context*, Sass::Context*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/sass_context.cpp:318:7
#15 0x5682da in sass_compile_file_context /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/sass_context.cpp:422:12
#16 0x55f520 in compile_file /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/sassc-3.6.1/sassc.c:158:5
#17 0x560afe in main /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/sassc-3.6.1/sassc.c:370:18
#18 0x7f0beaa91b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#19 0x466519 in _start (/mnt/d/zyp/fuzzer/fuzzed_projects/ASAN_BUILDS/sassc_asan+0x466519)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/memory/shared_ptr.hpp in Sass::SharedPtr::obj() const
==22421==ABORTING
```

In (libsass 3.6.5 + sassc 3.6.2), the output is:

```
$ ./sassc-3.6.2/bin/sassc sass_crash1.scss
DEPRECATION WARNING: Passing a string to call() is deprecated and will be illegal
in Sass 4.0. Use call(get-function("foobar")) instead.

DEPRECATION WARNING: Passing a string to call() is deprecated and will be illegal
in Sass 4.0. Use call(get-function("min")) instead.

DEPRECATION WARNING: Passing a string to call() is deprecated and will be illegal
in Sass 4.0. Use call(get-function("mittttttttttttttn")) instead.

DEPRECATION WARNING: Passing a string to call() is deprecated and will be illegal
in Sass 4.0. Use call(get-function('mae("x is zero")')) instead.

AddressSanitizer:DEADLYSIGNAL

==22793==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000055afd8 bp 0x000000000000 sp 0x7ffffa6c82e0 T0)
==22793==The signal is caused by a READ memory access.
==22793==Hint: address points to the zero page.
#0 0x55afd7 in Sass::Functions::sass_if(Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Context&, char const*, Sass::SourceSpan, std::vector<Sass::Backtrace, std::allocator<Sass::Backtrace> >&, std::vector<Sass::SharedImpl<Sass::SelectorList>, std::allocator<Sass::SharedImpl<Sass::SelectorList> > >, std::vector<Sass::SharedImpl<Sass::SelectorList>, std::allocator<Sass::SharedImpl<Sass::SelectorList> > >) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x55afd7)
#1 0x5ffd95 in Sass::Eval::operator()(Sass::Function_Call*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x5ffd95)
#2 0x60c6d3 in Sass::Expand::operator()(Sass::Declaration*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x60c6d3)
#3 0x614a7f in Sass::Expand::append_block(Sass::Block*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x614a7f)
#4 0x60a063 in Sass::Expand::operator()(Sass::Block*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x60a063)
#5 0x60a79f in Sass::Expand::operator()(Sass::StyleRule*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x60a79f)
#6 0x614a7f in Sass::Expand::append_block(Sass::Block*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x614a7f)
#7 0x60a063 in Sass::Expand::operator()(Sass::Block*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x60a063)
#8 0x5409ec in Sass::Context::compile() (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x5409ec)
#9 0x53fd83 in Sass::File_Context::parse() (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x53fd83)
#10 0x52ef0c in sass_compiler_parse (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x52ef0c)
#11 0x52eb46 in sass_compile_context(Sass_Context*, Sass::Context*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x52eb46)
#12 0x52b4a6 in compile_file /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/sassc.c:173:5
#13 0x52bdf8 in main /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/sassc.c:387:18
#14 0x7f8bc9891b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#15 0x432be9 in _start (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x432be9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x55afd7) in Sass::Functions::sass_if(Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Context&, char const*, Sass::SourceSpan, std::vector<Sass::Backtrace, std::allocator<Sass::Backtrace> >&, std::vector<Sass::SharedImpl<Sass::SelectorList>, std::allocator<Sass::SharedImpl<Sass::SelectorList> > >, std::vector<Sass::SharedImpl<Sass::SelectorList>, std::allocator<Sass::SharedImpl<Sass::SelectorList> > >)
==22793==ABORTING
```
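For triaging reports of this shape in bulk, here is an added Python example (not from this issue or from libsass) that parses the ASan SEGV report as printed above, labels a read of the zero page as a null dereference, and skips the smart-pointer helper frames in memory/shared_ptr.hpp so the first libsass frame (fn_miscs.cpp) is blamed. The embedded sample is a constructed, shortened copy of the first trace with placeholder addresses and abbreviated paths.

```python
import re

# Constructed sample in the shape of the report above (shortened paths,
# placeholder pid/addresses, abbreviated sass_if signature).
SAMPLE_REPORT = """\
==22421==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005f257b bp 0x000000000000 sp 0x7fffd873aa20 T0)
==22421==The signal is caused by a READ memory access.
==22421==Hint: address points to the zero page.
    #0 0x5f257a in Sass::SharedPtr::obj() const libsass-3.6.4/src/memory/shared_ptr.hpp
    #1 0x5f257a in Sass::SharedImpl<Sass::Value>::operator->() const libsass-3.6.4/src/memory/shared_ptr.hpp:230
    #2 0x5f257a in Sass::Functions::sass_if(...) libsass-3.6.4/src/fn_miscs.cpp:165
    #3 0x8afcaa in Sass::Eval::operator()(Sass::Function_Call*) libsass-3.6.4/src/eval.cpp:1063:18
SUMMARY: AddressSanitizer: SEGV libsass-3.6.4/src/memory/shared_ptr.hpp in Sass::SharedPtr::obj() const
==22421==ABORTING
"""

ERROR_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\S+) on unknown address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
# Frame: "#N 0xADDR in <function, may contain spaces> <location without spaces>"
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$")


def parse_asan_report(text):
    """Extract pid, fault kind, faulting address, access type and frames."""
    report = {"frames": []}
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            report.update(pid=int(m["pid"]), kind=m["kind"], address=int(m["addr"], 16))
            continue
        m = ACCESS_RE.search(line)
        if m:
            report["access"] = m["access"]
            continue
        m = FRAME_RE.match(line)
        if m:
            report["frames"].append((m["func"], m["loc"]))
    return report


def classify(report, helper_paths=("memory/shared_ptr.hpp",)):
    """Label the crash; blame the first frame outside the smart-pointer helper."""
    addr = report.get("address")
    if report.get("kind") == "SEGV" and addr is not None and addr < 4096:
        label = "null-deref-" + report.get("access", "unknown").lower()
    else:
        label = report.get("kind", "unknown").lower()
    blame = next((f for f in report["frames"]
                  if not any(h in f[1] for h in helper_paths)), None)
    return label, blame
```

Running `classify(parse_asan_report(SAMPLE_REPORT))` yields the label `null-deref-read` with `fn_miscs.cpp:165` as the blamed frame, which is the line a fix would be expected to touch.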

nex3 commented

@mgreter If we're not addressing security vulnerabilities like this any more, I think it may be time to declare LibSass officially end-of-life rather than just deprecated.

Addressed via #3184