Read null address in Sass::Inspect::operator() #3168

Description

@zyingp

There is a SEGV error due to reading at the 0x0 address in Sass::Inspect::operator().
It happens in both (libsass 3.6.4 + sassc 3.6.1) and (libsass 3.6.5 + sassc 3.6.2) configurations.

POC file: https://github.com/zyingp/temp/blob/master/sass_crash2.scss

Build the code with ASan like: CC=clang CXX=clang++ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" make -C sassc-3.6.1 -j8

In (libsass 3.6.4 + sassc 3.6.1), the output is:

$ ./sassc_asan sass_crash2.scss
WARNING on line 14, column 10 of /mnt/d/zyp/fuzzer/fuzzed_projects/ASAN_BUILDS/sass_crash2.scss:
In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

WARNING on line 28, column 9 of /mnt/d/zyp/fuzzer/fuzzed_projects/ASAN_BUILDS/sass_crash2.scss:
In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

WARNING on line 36, column 9 of /mnt/d/zyp/fuzzer/fuzzed_projects/ASAN_BUILDS/sass_crash2.scss:
In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

AddressSanitizer:DEADLYSIGNAL

==22973==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000009e62b0 bp 0x000000000000 sp 0x7fffe72e6090 T0)
==22973==The signal is caused by a READ memory access.
==22973==Hint: address points to the zero page.
#0 0x9e62af in Sass::Inspect::operator()(Sass::List*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/inspect.cpp:466:24
#1 0x9da914 in Sass::Inspect::operator()(Sass::Declaration*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/inspect.cpp:184:11
#2 0x9ca26a in Sass::Output::operator()(Sass::StyleRule*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/output.cpp:172:14
#3 0x9d3c10 in Sass::Inspect::operator()(Sass::Block*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/inspect.cpp:35:20
#4 0x59a80b in Sass::Block::perform(Sass::Operation) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/ast.hpp:510:5
#5 0x59a80b in Sass::Context::render(Sass::SharedImpl<Sass::Block>) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/context.cpp:498
#6 0x56989f in sass_compiler_execute /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/sass_context.cpp:454:53
#7 0x567ff2 in sass_compile_context(Sass_Context*, Sass::Context*) /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/sass_context.cpp:319:7
#8 0x5682da in sass_compile_file_context /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/sass_context.cpp:422:12
#9 0x55f520 in compile_file /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/sassc-3.6.1/sassc.c:158:5
#10 0x560afe in main /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/sassc-3.6.1/sassc.c:370:18
#11 0x7faae9491b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x466519 in _start (/mnt/d/zyp/fuzzer/fuzzed_projects/ASAN_BUILDS/sassc_asan+0x466519)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2020-06/libsass-3.6.4/src/inspect.cpp:466:24 in Sass::Inspect::operator()(Sass::List*)
==22973==ABORTING

In (libsass 3.6.5 + sassc 3.6.2), the output is:

$ ./sassc ../../sass_crash2.scss
WARNING on line 14, column 10 of /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sass_crash2.scss:
In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

WARNING on line 28, column 9 of /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sass_crash2.scss:
In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

WARNING on line 36, column 9 of /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sass_crash2.scss:
In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

AddressSanitizer:DEADLYSIGNAL

==22961==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000063dd44 bp 0x000000000000 sp 0x7fffd3a8f540 T0)
==22961==The signal is caused by a READ memory access.
==22961==Hint: address points to the zero page.
#0 0x63dd43 in Sass::Inspect::operator()(Sass::List*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x63dd43)
#1 0x63bc1d in Sass::Inspect::operator()(Sass::Declaration*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x63bc1d)
#2 0x6389cc in Sass::Output::operator()(Sass::StyleRule*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x6389cc)
#3 0x63a9e1 in Sass::Inspect::operator()(Sass::Block*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x63a9e1)
#4 0x53ebba in Sass::Context::render(Sass::SharedImpl<Sass::Block>) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x53ebba)
#5 0x52f24f in sass_compiler_execute (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x52f24f)
#6 0x52eb4e in sass_compile_context(Sass_Context*, Sass::Context*) (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x52eb4e)
#7 0x52b4a6 in compile_file /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/sassc.c:173:5
#8 0x52bdf8 in main /mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/sassc.c:387:18
#9 0x7ff668091b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#10 0x432be9 in _start (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x432be9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/d/zyp/fuzzer/fuzzed_projects/sass/2021-10-30/sassc-3.6.2/bin/sassc+0x63dd43) in Sass::Inspect::operator()(Sass::List*)
==22961==ABORTING

Found by Fuzzing.
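As an added example (not part of this issue or of the libsass project), the following Python triage helper parses AddressSanitizer reports like the two above into a structured record and derives a crash bucket from the error kind plus the top in-project frames. It shows why the symbolized 3.6.4 report (file:line:col locations) and the unsymbolized 3.6.5 report (module+offset locations) should be treated as one crash: the bucket ignores addresses, PIDs and location formats and only keys on the function names. The embedded reports are trimmed copies of the ones quoted above; the `/src/...` paths are constructed and the libc/_start frames were renumbered after dropping intermediate frames.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the 3.6.4 report from the issue, paths shortened
# to /src/..., intermediate frames dropped and the remaining ones renumbered.
REPORT_LIBSASS_364 = """\
==22973==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000009e62b0 bp 0x000000000000 sp 0x7fffe72e6090 T0)
==22973==The signal is caused by a READ memory access.
==22973==Hint: address points to the zero page.
    #0 0x9e62af in Sass::Inspect::operator()(Sass::List*) /src/libsass-3.6.4/src/inspect.cpp:466:24
    #1 0x9da914 in Sass::Inspect::operator()(Sass::Declaration*) /src/libsass-3.6.4/src/inspect.cpp:184:11
    #2 0x9ca26a in Sass::Output::operator()(Sass::StyleRule*) /src/libsass-3.6.4/src/output.cpp:172:14
    #3 0x9d3c10 in Sass::Inspect::operator()(Sass::Block*) /src/libsass-3.6.4/src/inspect.cpp:35:20
    #4 0x7faae9491b96 in __libc_start_main /build/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x466519 in _start (/src/sassc_asan+0x466519)

SUMMARY: AddressSanitizer: SEGV /src/libsass-3.6.4/src/inspect.cpp:466:24 in Sass::Inspect::operator()(Sass::List*)
==22973==ABORTING
"""

# Constructed sample input: the 3.6.5 report, same trimming; note the
# module+offset locations instead of file:line:col.
REPORT_LIBSASS_365 = """\
==22961==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000063dd44 bp 0x000000000000 sp 0x7fffd3a8f540 T0)
==22961==The signal is caused by a READ memory access.
==22961==Hint: address points to the zero page.
    #0 0x63dd43 in Sass::Inspect::operator()(Sass::List*) (/src/sassc-3.6.2/bin/sassc+0x63dd43)
    #1 0x63bc1d in Sass::Inspect::operator()(Sass::Declaration*) (/src/sassc-3.6.2/bin/sassc+0x63bc1d)
    #2 0x6389cc in Sass::Output::operator()(Sass::StyleRule*) (/src/sassc-3.6.2/bin/sassc+0x6389cc)
    #3 0x63a9e1 in Sass::Inspect::operator()(Sass::Block*) (/src/sassc-3.6.2/bin/sassc+0x63a9e1)
    #4 0x7ff668091b96 in __libc_start_main /build/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x432be9 in _start (/src/sassc-3.6.2/bin/sassc+0x432be9)

SUMMARY: AddressSanitizer: SEGV (/src/sassc-3.6.2/bin/sassc+0x63dd43) in Sass::Inspect::operator()(Sass::List*)
==22961==ABORTING
"""

ERROR_RE = re.compile(
    r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[A-Za-z-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
# A frame is "#N 0xPC in FUNC LOC" where LOC is either "(module+0xoff)" or "file:line[:col]".
# FUNC may contain spaces (e.g. "f(A*, B*)"), so LOC is matched by its specific shape.
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>.+?)\s+"
    r"(?P<loc>\(\S+\+0x[0-9a-fA-F]+\)|\S+:\d+(?::\d+)?)\s*$")
# Runtime and sanitizer frames carry no signal about which bug was hit.
SKIP_PREFIXES = ("__asan", "__interceptor_", "__sanitizer", "__libc_start_main", "_start")


@dataclass
class Frame:
    index: int
    func: str
    loc: str


@dataclass
class AsanReport:
    kind: str
    address: int
    access: Optional[str]
    null_deref: bool
    frames: List[Frame]


def parse_asan_report(text: str) -> AsanReport:
    """Extract the error line and the first (crashing) stack from an ASan report."""
    kind, address, access, null_deref = None, 0, None, False
    frames: List[Frame] = []
    collecting = True
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            kind, address = m["kind"], int(m["addr"], 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            access = m["access"]
            continue
        if "points to the zero page" in line:
            null_deref = True
            continue
        if frames and not line.strip():
            collecting = False  # a blank line ends the crashing stack; later stacks (freed-by etc.) are ignored
        m = FRAME_RE.match(line)
        if m and kind is not None and collecting:
            frames.append(Frame(int(m["idx"]), m["func"], m["loc"]))
    if kind is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return AsanReport(kind, address, access, null_deref, frames)


def crash_signature(report: AsanReport, depth: int = 3) -> str:
    """Bucket key: error kind plus the top `depth` non-runtime function names, locations excluded."""
    kind = report.kind
    if report.kind == "SEGV" and report.null_deref:
        kind = "null-" + (report.access or "access").lower()  # e.g. "null-read"
    funcs = [f.func for f in report.frames if not f.func.startswith(SKIP_PREFIXES)]
    return "|".join([kind] + funcs[:depth])


if __name__ == "__main__":
    for text in (REPORT_LIBSASS_364, REPORT_LIBSASS_365):
        r = parse_asan_report(text)
        print(f"{r.kind} at {r.address:#x} ({r.access}), top frame: {r.frames[0].func} {r.frames[0].loc}")
        print("  bucket:", crash_signature(r))
```

Bucketing on function names rather than on the SUMMARY line is what lets the two builds collapse into one issue even though only one of them was symbolized; when a fuzzing campaign produces hundreds of inputs hitting the same null read, this key is what a triage queue deduplicates on before anyone looks at the POC.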
