This repository has been archived by the owner on Apr 23, 2020. It is now read-only.

Release 60 #7

Open
wants to merge 7 commits into base: master

Conversation


@E4ck E4ck commented Jan 10, 2019

Hi, I found a stack overflow vulnerability in version 6.0.1 (other versions have not been tested yet).
Because this project can't create issues, I am here. I apologize for my inappropriate behavior.
This is the vulnerability I found when I fuzzed sassc; it's an unexpected surprise, hhh
build: CXX=afl-clang-fast++ CC=afl-clang-fast AFL_USE_ASAN=1 make -C sassc -j4
reproduce: cat ~/queue/crash250 | ./sassc
This is the PoC
This is ASAN:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==55687==ERROR: AddressSanitizer: stack-overflow on address 0x7fff70b05ec8 (pc 0x00000049edf2 bp 0x7fff70b06750 sp 0x7fff70b05ed0 T0)
    #0 0x49edf1 in __interceptor_memcpy.part.37 /home/eack/llvm-install/llvm-6.0.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:779
    #1 0x7f5df1144808 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_append(char const*, unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x120808)
    #2 0x7340cd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::append(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:983:16
    #3 0x7340cd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > std::operator+<char, std::char_traits<char>, std::allocator<char> >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:4787
    #4 0xe79f90 in Sass::Simple_Selector::ns_name[abi:cxx11]() const /home/eack/libsass/src/ast_selectors.cpp:130:17
    #5 0xc6f668 in Sass::Inspect::operator()(Sass::Type_Selector*) /home/eack/libsass/src/inspect.cpp:894:21
    #6 0xc7317e in Sass::Inspect::operator()(Sass::Compound_Selector*) /home/eack/libsass/src/inspect.cpp:961:16
    #7 0xc73788 in Sass::Compound_Selector::perform(Sass::Operation<void>*) /home/eack/libsass/src/ast_selectors.hpp:419:5
    #8 0xc73788 in Sass::Inspect::operator()(Sass::Complex_Selector*) /home/eack/libsass/src/inspect.cpp:988
    #9 0xc74818 in Sass::Complex_Selector::perform(Sass::Operation<void>*) /home/eack/libsass/src/ast_selectors.hpp:504:5
    #10 0xc74818 in Sass::Inspect::operator()(Sass::Complex_Selector*) /home/eack/libsass/src/inspect.cpp:1026
    #11 0xc74818 in Sass::Complex_Selector::perform(Sass::Operation<void>*) /home/eack/libsass/src/ast_selectors.hpp:504:5
    #12 0xc74818 in Sass::Inspect::operator()(Sass::Complex_Selector*) /home/eack/libsass/src/inspect.cpp:1026
    #13 0xc76467 in Sass::Complex_Selector::perform(Sass::Operation<void>*) /home/eack/libsass/src/ast_selectors.hpp:504:5
    #14 0xc76467 in Sass::Inspect::operator()(Sass::Selector_List*) /home/eack/libsass/src/inspect.cpp:1063
    #15 0xc725c1 in Sass::Selector_List::perform(Sass::Operation<void>*) /home/eack/libsass/src/ast_selectors.hpp:555:5
    #16 0xc725c1 in Sass::Inspect::operator()(Sass::Wrapped_Selector*) /home/eack/libsass/src/inspect.cpp:951
    #17 0xc7317e in Sass::Inspect::operator()(Sass::Compound_Selector*) /home/eack/libsass/src/inspect.cpp:961:16
===============Omit long content===============
/home/eack/libsass/src/inspect.cpp:951
    #446 0xc7317e in Sass::Inspect::operator()(Sass::Compound_Selector*) /home/eack/libsass/src/inspect.cpp:961:16
    #447 0xc73788 in Sass::Compound_Selector::perform(Sass::Operation<void>*) /home/eack/libsass/src/ast_selectors.hpp:419:5
    #448 0xc73788 in Sass::Inspect::operator()(Sass::Complex_Selector*) /home/eack/libsass/src/inspect.cpp:988
    #449 0xc74818 in Sass::Complex_Selector::perform(Sass::Operation<void>*) /home/eack/libsass/src/ast_selectors.hpp:504:5
    #450 0xc74818 in Sass::Inspect::operator()(Sass::Complex_Selector*) /home/eack/libsass/src/inspect.cpp:1026

SUMMARY: AddressSanitizer: stack-overflow /home/eack/llvm-install/llvm-6.0.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:779 in __interceptor_memcpy.part.37
==55687==ABORTING
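The trace above shows Inspect recursing once per selector nesting level with nothing bounding the depth. The following C stand-in is an added example, not libsass code: it visits a constructed chain of nested selectors with a depth bound (SelNode, MAX_SELECTOR_DEPTH, inspect_guarded and render_nested are assumed names) and returns an error instead of exhausting the thread stack.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a selector AST (not libsass code): every node is a
 * wrapped selector such as :not(...) holding at most one nested child. Nodes
 * live in a flat array and refer to children by index, so building and freeing
 * a very deep chain never recurses. */
typedef struct {
    const char *name;   /* constructed pseudo-class name, e.g. "not" */
    int child;          /* index of the nested selector, -1 if none */
} SelNode;

/* Hypothetical bound on the nesting the inspector is willing to follow. The
 * crash reported above comes from Inspect recursing once per nesting level
 * with no such bound until the thread stack is exhausted. */
#define MAX_SELECTOR_DEPTH 512

/* Recursive visitor in the shape of Inspect::operator(): returns 0 on success
 * with the rendered length accumulated in *out_len, or -1 as soon as the
 * depth bound is reached, instead of recursing further. */
static int inspect_guarded(const SelNode *nodes, int idx, int depth, size_t *out_len) {
    if (idx < 0)
        return 0;                              /* leaf: nothing nested */
    if (depth >= MAX_SELECTOR_DEPTH)
        return -1;                             /* refuse instead of overflowing */
    *out_len += strlen(nodes[idx].name) + 3;   /* ":" + name + "(" + ")" */
    return inspect_guarded(nodes, nodes[idx].child, depth + 1, out_len);
}

/* Build :not(:not(...)) nested n levels deep, iteratively (constructed input). */
static SelNode *build_chain(int n) {
    SelNode *nodes = malloc((size_t)(n > 0 ? n : 1) * sizeof *nodes);
    for (int i = 0; i < n; i++) {
        nodes[i].name = "not";
        nodes[i].child = (i + 1 < n) ? i + 1 : -1;
    }
    return nodes;
}

/* Render a chain of the given depth; returns the inspector's status code. */
int render_nested(int n, size_t *out_len) {
    SelNode *nodes = build_chain(n);
    *out_len = 0;
    if (nodes == NULL)
        return -1;
    int rc = inspect_guarded(nodes, n > 0 ? 0 : -1, 0, out_len);
    free(nodes);
    return rc;
}
```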

zmodem and others added 7 commits January 3, 2018 14:54
------------------------------------------------------------------------
r323039 | kamil | 2018-01-20 15:16:16 +0100 (Sat, 20 Jan 2018) | 13 lines

[compiler-rt] Implement __clear_cache() on OpenBSD/mips64

Summary:
Make __clear_cache() invoke the platform's cache flush function
on OpenBSD/mips64.

Reviewers: krytarowski

Reviewed By: krytarowski

Subscribers: sdardis, dberris, arichardson, krytarowski, llvm-commits, #sanitizers

Differential Revision: https://reviews.llvm.org/D42332
------------------------------------------------------------------------


git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/branches/release_60@323120 91177308-0d34-0410-b5e6-96231b3b80d8
------------------------------------------------------------------------
r323315 | mstorsjo | 2018-01-24 11:14:52 +0100 (Wed, 24 Jan 2018) | 9 lines

[builtins] Align addresses to cache lines in __clear_cache for aarch64

This makes sure that the last cache line gets invalidated properly.

This matches the example code at
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/BABJDBHI.html,
and also matches what libgcc does.

Differential Revision: https://reviews.llvm.org/D42196
------------------------------------------------------------------------


git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/branches/release_60@323338 91177308-0d34-0410-b5e6-96231b3b80d8
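To see why rounding the start address down matters, here is an added C model of the aarch64 flush loop (not compiler-rt's own code): lines_touched, range_covered and clear_cache_covers are assumed names, the 64-byte line size and the addresses in the checks are constructed, and the only difference between the two variants is whether the start is aligned to a line boundary before stepping.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Walk [start, end) the way the __clear_cache loop does, stepping one cache
 * line at a time, and record the line each visited address falls in. With
 * align_start false the loop begins at the raw start address, as before the
 * fix; with it true the start is first rounded down to a line boundary. */
static size_t lines_touched(uintptr_t start, uintptr_t end, uintptr_t line,
                            bool align_start, uintptr_t *out, size_t cap) {
    size_t n = 0;
    uintptr_t addr = align_start ? (start & ~(line - 1)) : start;
    for (; addr < end; addr += line) {
        if (n < cap)
            out[n] = addr & ~(line - 1);   /* line containing addr */
        n++;
    }
    return n;
}

/* True if every cache line overlapping [start, end) appears in out[0..n). */
static bool range_covered(uintptr_t start, uintptr_t end, uintptr_t line,
                          const uintptr_t *out, size_t n) {
    for (uintptr_t l = start & ~(line - 1); l < end; l += line) {
        bool found = false;
        for (size_t i = 0; i < n; i++)
            if (out[i] == l)
                found = true;
        if (!found)
            return false;                  /* a line with live bytes was skipped */
    }
    return true;
}

/* Returns true if the chosen loop variant flushes every line of [start, end). */
bool clear_cache_covers(uintptr_t start, uintptr_t end, uintptr_t line,
                        bool align_start) {
    uintptr_t lines[64];                   /* constructed ranges stay small */
    size_t n = lines_touched(start, end, line, align_start, lines, 64);
    if (n > 64)
        return false;
    return range_covered(start, end, line, lines, n);
}
```

An unaligned start of 0x1030 with end 0x1090 steps 0x1030, 0x1070 and then stops, never touching the line at 0x1080 even though bytes 0x1080..0x108F are inside the range; the same range with end 0x1080 happens to be covered, which is why the miss only shows up for some ranges.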
------------------------------------------------------------------------
r323013 | petarj | 2018-01-20 01:06:07 +0100 (Sat, 20 Jan 2018) | 18 lines

[TSan][MIPS] Expand sanitizer memory space to lower addresses

MemToShadowImpl() maps lower addresses to a memory space out of the sanitizers' range. The simplest example is address 0, which is mapped to 0x2000000000

static const uptr kShadowBeg     = 0x2400000000ull;

but accessing the address during tsan execution will lead to a segmentation
fault.

This patch expands the range used by the sanitizer and ensures that 1/8 of
the maximum valid address in the virtual address spaces is used for shadow
memory.

Patch by Milos Stojanovic.

Differential Revision: https://reviews.llvm.org/D41777

------------------------------------------------------------------------


git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/branches/release_60@323767 91177308-0d34-0410-b5e6-96231b3b80d8
------------------------------------------------------------------------
r322588 | eugenis | 2018-01-16 20:21:45 +0100 (Tue, 16 Jan 2018) | 9 lines

[hwasan] Build runtime library with -fPIC, not -fPIE.

Summary: -fPIE can not be used when building a shared library.

Reviewers: alekseyshl, peter.smith

Subscribers: kubamracek, llvm-commits, mgorny

Differential Revision: https://reviews.llvm.org/D42121
------------------------------------------------------------------------


git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/branches/release_60@323850 91177308-0d34-0410-b5e6-96231b3b80d8
------------------------------------------------------------------------
r324496 | yroux | 2018-02-07 19:27:25 +0100 (Wed, 07 Feb 2018) | 9 lines

[asan] Fix filename size on linux platforms.

This is a fix for:
https://bugs.llvm.org/show_bug.cgi?id=35996

Use filename limits from system headers to be synchronized with what
LD_PRELOAD can handle.

Differential Revision: https://reviews.llvm.org/D42900
------------------------------------------------------------------------


git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/branches/release_60@324506 91177308-0d34-0410-b5e6-96231b3b80d8
------------------------------------------------------------------------
r333213 | ctopper | 2018-05-24 10:59:47 -0700 (Thu, 24 May 2018) | 16 lines

sanitizer: Use pre-computed size of struct ustat for Linux

<sys/ustat.h> has been removed from glibc 2.28 by:

commit cf2478d53ad7071e84c724a986b56fe17f4f4ca7
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date: Sun Mar 18 11:28:59 2018 +0800

Deprecate ustat syscall interface

This patch uses the pre-computed size of struct ustat for Linux to fix

https://bugs.llvm.org/show_bug.cgi?id=37418

Patch by H.J. Lu.

Differential Revision: https://reviews.llvm.org/D47281
------------------------------------------------------------------------

git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/branches/release_60@334776 91177308-0d34-0410-b5e6-96231b3b80d8