
AddressSanitizer: stack-overflow src/ast_selectors.cpp:464 in Sass::ComplexSelector::has_placeholder() const #3178

Closed
ex7l0it opened this issue Oct 16, 2022 · 2 comments

Comments

@ex7l0it

ex7l0it commented Oct 16, 2022

1. Description

A stack-overflow occurred in Sass::ComplexSelector::has_placeholder() at src/ast_selectors.cpp:464 when running the program ./sassc/bin/sassc; this reproduces on the latest commit.

2. Software version info

$ git log -1
commit 2102188d21d2b7577c2b3edb12832e90786a2831 (HEAD -> master, origin/master, origin/HEAD)
Merge: 006bbf5c f0605a31
Author: Marcel Greter <[email protected]>
Date:   Fri Sep 9 20:41:03 2022 +0200

    Merge pull request #3176 from LilyWangLL/vcpkg-instructions
    
    Add vcpkg installation instructions
$ ./sassc/bin/sassc --version
sassc: 3.6.2
libsass: 3.6.5-8-g210218
sass2scss: 1.1.1
sass: 3.5

3. System version info

Ubuntu 20.04.2 LTS
Linux 5.4.0-65-generic

4. Command

./sassc/bin/sassc ./poc3

5. Result

WARNING on line 2, column 50 of /libsass/pocs/poc4:
In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

WARNING on line 2, column 51 of /libsass/pocs/poc4:
In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3226316==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe6a56aff8 (pc 0x000000b98979 bp 0x000000000000 sp 0x7ffe6a56b000 T0)
    #0 0xb98978 in Sass::ComplexSelector::has_placeholder() const src/ast_selectors.cpp:464
    #1 0xa2f688 in Sass::Remove_Placeholders::remove_placeholders(Sass::ComplexSelector*) src/remove_placeholders.cpp:36
    #2 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SelectorList*) src/remove_placeholders.cpp:52
    #3 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SimpleSelector*) src/remove_placeholders.cpp:22
    #4 0xa2ead2 in Sass::Remove_Placeholders::remove_placeholders(Sass::CompoundSelector*) src/remove_placeholders.cpp:29
    #5 0xa2fa01 in Sass::Remove_Placeholders::remove_placeholders(Sass::ComplexSelector*) src/remove_placeholders.cpp:42
    #6 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SelectorList*) src/remove_placeholders.cpp:52
    ...
    #325 0xa2fa01 in Sass::Remove_Placeholders::remove_placeholders(Sass::ComplexSelector*) src/remove_placeholders.cpp:42
    #326 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SelectorList*) src/remove_placeholders.cpp:52
    #327 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SimpleSelector*) src/remove_placeholders.cpp:22
    #328 0xa2ead2 in Sass::Remove_Placeholders::remove_placeholders(Sass::CompoundSelector*) src/remove_placeholders.cpp:29
    #329 0xa2fa01 in Sass::Remove_Placeholders::remove_placeholders(Sass::ComplexSelector*) src/remove_placeholders.cpp:42
    #330 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SelectorList*) src/remove_placeholders.cpp:52
    #331 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SimpleSelector*) src/remove_placeholders.cpp:22

SUMMARY: AddressSanitizer: stack-overflow src/ast_selectors.cpp:464 in Sass::ComplexSelector::has_placeholder() const
==3226316==ABORTING

6. Impact

This vulnerability is capable of crashing the software, bypassing protection mechanisms, modifying memory, and possibly enabling remote execution.

7. POC

Download: poc3

Report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale
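The trace above shows remove_placeholders() cycling through ComplexSelector, SelectorList, SimpleSelector and CompoundSelector until the stack is exhausted. As an added illustration (not libsass code, and not the fix in #3184), the following toy walker models those four node kinds and shows a visitor that fails closed at a fixed depth instead of crashing; the node layout, the kMaxDepth cap and the self-referential sample tree are assumptions made for the demo.

```cpp
// Added illustration, not libsass code: a toy selector tree with the same four
// node kinds as the trace, walked by a depth-guarded visitor instead of one
// that recurses without bound.
#include <string>
#include <vector>
struct SelectorList;
struct SimpleSelector {                   // e.g. ":not(<list>)" nests a list
    std::string name;
    const SelectorList* inner = nullptr;  // assumed: may point back up the tree
};
struct CompoundSelector { std::vector<SimpleSelector> simples; };
struct ComplexSelector  { std::vector<CompoundSelector> compounds; };
struct SelectorList     { std::vector<ComplexSelector> complexes; };
constexpr int kMaxDepth = 64;  // hypothetical cap: ample for real stylesheets
// Mutual recursion mirrors the frames in the trace; returns false as soon as
// the guard trips so the caller can reject the input rather than crash.
static bool walkList(const SelectorList&, int depth, int& visited);
static bool walkSimple(const SimpleSelector& s, int depth, int& visited) {
    ++visited;
    return s.inner == nullptr || walkList(*s.inner, depth + 1, visited);
}
static bool walkCompound(const CompoundSelector& c, int depth, int& visited) {
    for (const auto& s : c.simples) if (!walkSimple(s, depth, visited)) return false;
    return true;
}
static bool walkComplex(const ComplexSelector& x, int depth, int& visited) {
    for (const auto& c : x.compounds) if (!walkCompound(c, depth, visited)) return false;
    return true;
}
static bool walkList(const SelectorList& l, int depth, int& visited) {
    if (depth > kMaxDepth) return false;  // fail closed, no further recursion
    for (const auto& x : l.complexes) if (!walkComplex(x, depth, visited)) return false;
    return true;
}
// Number of simple selectors visited; negated when the depth guard tripped.
int checkedVisitCount(const SelectorList& l) {
    int visited = 0;
    return walkList(l, 0, visited) ? visited : -visited;
}
// Constructed inputs: a flat list, and a list whose pseudo-selector argument
// is the list itself, on which an unguarded walker would recurse forever.
const SelectorList& flatList() {
    static SelectorList list{{ComplexSelector{{CompoundSelector{{SimpleSelector{"a"}}}}}}};
    return list;
}
const SelectorList& cyclicList() {
    static SelectorList list;
    if (list.complexes.empty())
        list.complexes.push_back(ComplexSelector{{CompoundSelector{{SimpleSelector{":not", &list}}}}});
    return list;
}
```

On the flat tree the walker visits one simple selector; on the self-referential tree it stops after kMaxDepth + 1 visits and reports failure instead of overflowing the stack.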

@pgajdos

pgajdos commented Sep 4, 2023

CVE-2022-43358

@mgreter
Contributor

mgreter commented Dec 15, 2023

Addressed via #3184
