Skip to content

【fuzz】heap-buffer-overflow  #3138

New issue
New issue
Open
Open
【fuzz】heap-buffer-overflow #3138
Labels
Fuzzy
@qweryzh

Description

@qweryzh
qweryzh
opened on Dec 8, 2020

we fuzz-test about latest 3.6.4 libsass and find a heap-buffer-overflow bug to be fixed:
steps:
1、build
python3 infra/helper.py build_fuzzers --sanitizer address libsass
2、run
python3 infra/helper.py run_fuzzer libsass data_context_fuzzer -rss_limit_mb=0
error messages listed:
==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000003815 at pc 0x0000005a3a27 bp 0x7ffcbbed05d0 sp 0x7ffcbbed05c8
READ of size 1 at 0x602000003815 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
#0 0x5a3a26 in Sass::handle_error(Sass_Context*) /src/libsass/src/sass_context.cpp:81:28
#1 0x59d780 in handle_errors /src/libsass/src/sass_context.cpp:207:18
#2 0x59d780 in sass_parse_block /src/libsass/src/sass_context.cpp:253:19
#3 0x59d780 in sass_compiler_parse /src/libsass/src/sass_context.cpp:483:22
#4 0x59c744 in sass_compile_context(Sass_Context*, Sass::Context*) /src/libsass/src/sass_context.cpp:371:7
#5 0x599f86 in LLVMFuzzerTestOneInput /src/data_context_fuzzer.cc:26:3
#6 0x4a21d1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#7 0x4a1915 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
#8 0x4a39e7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
#9 0x4a4465 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocatorfuzzer::SizedFile >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
#10 0x49343e in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
#11 0x4bbc12 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#12 0x7f390c9c482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x467b48 in _start (/out/data_context_fuzzer+0x467b48)

0x602000003815 is located 2 bytes to the right of 3-byte region [0x602000003810,0x602000003813)
allocated by thread T0 here:
#0 0x56788d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x599f00 in LLVMFuzzerTestOneInput /src/data_context_fuzzer.cc:4:29
#2 0x4a21d1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#3 0x4a1915 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
#4 0x4a39e7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
#5 0x4a4465 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocatorfuzzer::SizedFile >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
#6 0x49343e in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
#7 0x4bbc12 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#8 0x7f390c9c482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/libsass/src/sass_context.cpp:81:28 in Sass::handle_error(Sass_Context*)
Shadow bytes around the buggy address:
0x0c047fff86b0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fff86c0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fff86d0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fff86e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff86f0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa 02 fa
=>0x0c047fff8700: fa fa[03]fa fa fa 00 03 fa fa fd fa fa fa 06 fa
0x0c047fff8710: fa fa 00 03 fa fa fd fa fa fa 00 fa fa fa 00 00
0x0c047fff8720: fa fa 06 fa fa fa 06 fa fa fa 00 00 fa fa 06 fa
0x0c047fff8730: fa fa 00 00 fa fa fd fa fa fa fd fd fa fa fa fa
0x0c047fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==13==ABORTING
MS: 3 CopyPart-ChangeByte-EraseBytes-; base unit: 4662e92f9aaa70ce2da332d3fc09c7d20a7f5388
0xa,0xf1,
\x0a\xf1
artifact_prefix='./'; Test unit written to ./crash-1715e03e9b724d06393bbbe585848f6ec76509fd
Base64: CvE=

hope reply it as soon as possible,thank you very much!

Metadata

Assignees

No one assigned

    Labels

    Fuzzy

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions