A stack-overflow src/ast_selectors.cpp:557 in Sass::CompoundSelector::has_real_parent_ref() const
Closed this issue · 7 comments
1. Description
A stack overflow has occurred in Sass::CompoundSelector::has_real_parent_ref() of src/ast_selectors.cpp:557 when running the program ./sassc/bin/sassc; this can be reproduced on the latest commit.
2. Software version info
$ git log -1
commit 2102188d21d2b7577c2b3edb12832e90786a2831 (HEAD -> master, origin/master, origin/HEAD)
Merge: 006bbf5c f0605a31
Author: Marcel Greter <doyouspam@ocbnet.ch>
Date: Fri Sep 9 20:41:03 2022 +0200
Merge pull request #3176 from LilyWangLL/vcpkg-instructions
Add vcpkg installation instructions
$ ./sassc/bin/sassc --version
sassc: 3.6.2
libsass: 3.6.5-8-g210218
sass2scss: 1.1.1
sass: 3.5
3. System version info
Ubuntu 20.04.2 LTS
Linux 5.4.0-65-generic
4. Command
./sassc/bin/sassc ./poc2
5. Result
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3151197==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe016a7ff8 (pc 0x000000b9c0f5 bp 0x0c1a00000ab2 sp 0x7ffe016a8000 T0)
#0 0xb9c0f4 in Sass::CompoundSelector::has_real_parent_ref() const src/ast_selectors.cpp:557
#1 0xb92ed5 in Sass::ComplexSelector::has_real_parent_ref() const src/ast_selectors.cpp:474
#2 0xb92ed5 in Sass::SelectorList::has_real_parent_ref() const src/ast_selectors.cpp:365
#3 0xb929f8 in Sass::PseudoSelector::has_real_parent_ref() const src/ast_selectors.cpp:337
#4 0xb9c217 in Sass::CompoundSelector::has_real_parent_ref() const src/ast_selectors.cpp:564
#5 0xb92ed5 in Sass::ComplexSelector::has_real_parent_ref() const src/ast_selectors.cpp:474
#6 0xb92ed5 in Sass::SelectorList::has_real_parent_ref() const src/ast_selectors.cpp:365
#7 0xb929f8 in Sass::PseudoSelector::has_real_parent_ref() const src/ast_selectors.cpp:337
#8 0xb9c217 in Sass::CompoundSelector::has_real_parent_ref() const src/ast_selectors.cpp:564
#9 0xb92ed5 in Sass::ComplexSelector::has_real_parent_ref() const src/ast_selectors.cpp:474
#10 0xb92ed5 in Sass::SelectorList::has_real_parent_ref() const src/ast_selectors.cpp:365
#11 0xb929f8 in Sass::PseudoSelector::has_real_parent_ref() const src/ast_selectors.cpp:337
#12 0xb9c217 in Sass::CompoundSelector::has_real_parent_ref() const src/ast_selectors.cpp:564
...
#323 0xb929f8 in Sass::PseudoSelector::has_real_parent_ref() const src/ast_selectors.cpp:337
#324 0xb9c217 in Sass::CompoundSelector::has_real_parent_ref() const src/ast_selectors.cpp:564
#325 0xb92ed5 in Sass::ComplexSelector::has_real_parent_ref() const src/ast_selectors.cpp:474
#326 0xb92ed5 in Sass::SelectorList::has_real_parent_ref() const src/ast_selectors.cpp:365
#327 0xb929f8 in Sass::PseudoSelector::has_real_parent_ref() const src/ast_selectors.cpp:337
#328 0xb9c217 in Sass::CompoundSelector::has_real_parent_ref() const src/ast_selectors.cpp:564
#329 0xb92ed5 in Sass::ComplexSelector::has_real_parent_ref() const src/ast_selectors.cpp:474
#330 0xb92ed5 in Sass::SelectorList::has_real_parent_ref() const src/ast_selectors.cpp:365
#331 0xb929f8 in Sass::PseudoSelector::has_real_parent_ref() const src/ast_selectors.cpp:337
SUMMARY: AddressSanitizer: stack-overflow src/ast_selectors.cpp:557 in Sass::CompoundSelector::has_real_parent_ref() const
==3151197==ABORTING
6. Impact
This vulnerability is capable of crashing the software, bypassing protection mechanisms, modifying memory, and possibly remote code execution.
7. POC
Download: poc2
Report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale
Any ETA on patch?
I was looking into fixing this issue but since both the code is new to me and I don't know too much about sass it is not so easy :)
The above provided backtrace isn't much help either since it only shows the recursive calling of has_real_parent_ref().
When running the POC, which is +{:not(&){_:(&)}_:0}, I see:
#0 0x00007ffff7c73ba0 in Sass::ComplexSelector::has_real_parent_ref() const@plt () from /lib64/libsass-3.6.5.so.1
#1 0x00007ffff7d5f33a in Sass::Parser::parseComplexSelector(bool) () from /lib64/libsass-3.6.5.so.1
#2 0x00007ffff7d5f957 in Sass::Parser::parseSelectorList(bool) () from /lib64/libsass-3.6.5.so.1
#3 0x00007ffff7d36213 in Sass::Parser::parse_ruleset(Lookahead) () from /lib64/libsass-3.6.5.so.1
#4 0x00007ffff7d2f81e in Sass::Parser::parse_block_node(bool) () from /lib64/libsass-3.6.5.so.1
#5 0x00007ffff7d30215 in Sass::Parser::parse_block_nodes(bool) () from /lib64/libsass-3.6.5.so.1
#6 0x00007ffff7d30807 in Sass::Parser::parse() () from /lib64/libsass-3.6.5.so.1
#7 0x00007ffff7ceebe1 in Sass::Context::register_resource(Sass::Include const&, Sass::Resource const&) () from /lib64/libsass-3.6.5.so.1
So I looked into the mentioned functions, specifically parse_ruleset() and parseSelectorList(), but knowing so little about the code it is hard to find the cause.
I'm not too optimistic given that the readme states that libsass is now deprecated.
The readme also states: "While it will continue to receive maintenance releases indefinitely, there are no plans to add additional features or compatibility with any new CSS or Sass features."
I believe CVEs fall into the maintenance category :)
@mgreter @xzyfer : Does one of you maybe have some spare time to help us figure this out? That would be great! 🙏
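To make the failure mode in that trace concrete, here is an added C++ model (not LibSass code and not the project's fix): the four node kinds from the repeating frames, a walk that recurses the way the backtrace shows, and a guarded variant that uses a visited set and a depth cap. That a cycle in the selector graph is what drives the recursion is an assumption made for the model; all node names, the Arena helper and the constructed inputs are invented here.

```cpp
// Added model (not LibSass code, not the project's fix): the selector node kinds
// from the backtrace, walked by an unguarded and a guarded has_real_parent_ref check.
#include <memory>
#include <unordered_set>
#include <vector>
struct Node {
  enum Kind { Compound, Complex, List, Pseudo, ParentRef } kind;
  std::vector<Node*> children;  // Pseudo -> List -> Complex -> Compound -> Pseudo ...
  explicit Node(Kind k) : kind(k) {}
};
struct Arena {  // owns every node, so the graph may safely contain a cycle
  std::vector<std::unique_ptr<Node>> nodes;
  Node* make(Node::Kind k) { nodes.push_back(std::make_unique<Node>(k)); return nodes.back().get(); }
};
// Mirrors the recursion in the ASan trace: with a cycle in the graph this never returns.
bool hasRealParentRefUnguarded(const Node* n) {
  if (n->kind == Node::ParentRef) return true;
  for (const Node* c : n->children)
    if (hasRealParentRefUnguarded(c)) return true;
  return false;
}
// Hardened walk: a visited set breaks cycles, a depth cap bounds honest deep nesting.
bool hasRealParentRefGuarded(const Node* n, std::unordered_set<const Node*>& seen,
                             int depth = 0, int maxDepth = 64) {
  if (depth > maxDepth || !seen.insert(n).second) return false;  // runaway or revisited
  if (n->kind == Node::ParentRef) return true;
  for (const Node* c : n->children)
    if (hasRealParentRefGuarded(c, seen, depth + 1, maxDepth)) return true;
  return false;
}
bool guardedHasRef(const Node* root) {
  std::unordered_set<const Node*> seen;
  return hasRealParentRefGuarded(root, seen);
}
// Constructed input: the four frame kinds chained as in the report. `cyclic` adds an
// assumed back edge from Complex to the outer Compound; otherwise the chain ends in `&`.
Node* buildChain(Arena& a, bool cyclic) {
  Node *compound = a.make(Node::Compound), *pseudo = a.make(Node::Pseudo);
  Node *list = a.make(Node::List), *complex = a.make(Node::Complex);
  compound->children = {pseudo}; pseudo->children = {list}; list->children = {complex};
  if (cyclic) { complex->children = {compound}; return compound; }  // unbounded recursion
  Node* inner = a.make(Node::Compound);
  complex->children = {inner}; inner->children = {a.make(Node::ParentRef)};
  return compound;
}
bool cyclicSelectorIsSafe()     { Arena a; return !guardedHasRef(buildChain(a, true)); }
bool acyclicSelectorGuarded()   { Arena a; return guardedHasRef(buildChain(a, false)); }
bool acyclicSelectorUnguarded() { Arena a; return hasRealParentRefUnguarded(buildChain(a, false)); }
int main() { return cyclicSelectorIsSafe() && acyclicSelectorGuarded() && acyclicSelectorUnguarded() ? 0 : 1; }
```

The unguarded walk is only ever called on the acyclic input; on the cyclic one it would recurse until the stack runs out, which is exactly what the ASan report shows.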
I may have a fix at https://github.com/mgreter/libsass/tree/bugfix/x-mas-2023 (please test it), but that may be the last fix I will do for LibSass. As I never was part of or had any say in the development of Sass, and am also no longer working in frontend, this is merely a bugfix out of good will. You will need to move to dart sass, as that is the future, as the people involved in Sass put it.
PR: #3184