AddressSanitizer: null pointer dereference (SEGV) in Sass::Functions::selector_append (libsass/src/functions.cpp:2088:13)

[glem0]

Hey there, I have discovered a null pointer dereference in libsass at: functions.cpp:2088:13

Found when fuzzing commit 60f8391 of libsass, using commit aa6d5c6 of sassc as a harness.

Compile flags to reproduce:

CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make -C sassc -j8

System information:

$ uname -a
Linux s127422 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

This bug was found to be in libsass releases from 3.3.6 until the commit listed above.

You can find a collection of PoC files that trigger the bug here.

The full ASAN report is shown below:

↳ ./sassc.bin < crash.file
ASAN:DEADLYSIGNAL
=================================================================
==16225==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x0000005b8758 bp 0x7ffd5ab26780 sp 0x7ffd5ab25b80 T0)
    #0 0x5b8757 in Sass::Functions::selector_append(Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Context&, char const*, Sass::ParserState, Sass::Backtrace*, std::vector<Sass::SharedImpl<Sass::Selector_List>, std::allocator<Sass::SharedImpl<Sass::Selector_List> > >) /home/glenn/temp/libsass/src/functions.cpp:2088:13
    #1 0x6f6a04 in Sass::Eval::operator()(Sass::Function_Call*) /home/glenn/temp/libsass/src/eval.cpp:1030:18
    #2 0x6dbf8e in Sass::Eval::operator()(Sass::List*) /home/glenn/temp/libsass/src/eval.cpp:503:18
    #3 0x71cc5f in Sass::Expand::operator()(Sass::Assignment*) /home/glenn/temp/libsass/src/expand.cpp:330:29
    #4 0x731326 in Sass::Expand::append_block(Sass::Block*) /home/glenn/temp/libsass/src/expand.cpp:808:27
    #5 0x7269e4 in Sass::Expand::operator()(Sass::While*) /home/glenn/temp/libsass/src/expand.cpp:572:7
    #6 0x731326 in Sass::Expand::append_block(Sass::Block*) /home/glenn/temp/libsass/src/expand.cpp:808:27
    #7 0x714f0a in Sass::Expand::operator()(Sass::Block*) /home/glenn/temp/libsass/src/expand.cpp:81:5
    #8 0x5521f7 in Sass::Context::compile() /home/glenn/temp/libsass/src/context.cpp:659:12
    #9 0x55144c in Sass::Data_Context::parse() /home/glenn/temp/libsass/src/context.cpp:630:12
    #10 0x5200ca in Sass::sass_parse_block(Sass_Compiler*) /home/glenn/temp/libsass/src/sass_context.cpp:238:22
    #11 0x5200ca in sass_compiler_parse /home/glenn/temp/libsass/src/sass_context.cpp:487
    #12 0x51f6d9 in sass_compile_context(Sass_Context*, Sass::Context*) /home/glenn/temp/libsass/src/sass_context.cpp:375:7
    #13 0x51707d in compile_stdin /home/glenn/temp/findsass/sassc/sassc.c:138:5
    #14 0x517a8e in main /home/glenn/temp/findsass/sassc/sassc.c:375:18
    #15 0x7f7bf2feb82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #16 0x4456d8 in _start (/home/glenn/temp/findsass/sassc.bin+0x4456d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/glenn/temp/libsass/src/functions.cpp:2088:13 in Sass::Functions::selector_append(Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Context&, char const*, Sass::ParserState, Sass::Backtrace*, std::vector<Sass::SharedImpl<Sass::Selector_List>, std::allocator<Sass::SharedImpl<Sass::Selector_List> > >)
==16225==ABORTING

[xzyfer]

Thanks for the report.
We confirmed this issue shares a common root cause to other reported issues.
We have assigned the selector-validation to the affected issues.

[VictorRodriguez]

@xzyfer thanks a lot for the great support, do you have the patch of the common root cause issue?

[glebm]

There are two separate issues here:

First, the & parent selector shouldn't be allowed in selector-append. Example:

div {
  a: selector-append('.menu', 'li', '&');
}

I've sent a fix for this in #2760.

---

Second is this issue:

div {
  a: selector-append('.x~~', 'li', 'a')
}

dart-sass output:

Error: Parent ".x ~ ~" is incompatible with this selector.
  a: selector-append('.x~~', 'li', 'a')
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ../../../tmp/test2.scss 2:6  root stylesheet

ruby-sass output:

Error: Invalid parent selector for "&li": ".x ~ ~"
        on line 2 of /home/glebm/tmp/test2.scss
  Use --trace for backtrace.

sassc output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==15981==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000088 (pc 0x0000005e7be1 bp 0x7ffd8aa90810 sp 0x7ffd8aa90740 T0)
==15981==The signal is caused by a READ memory access.
==15981==Hint: address points to the zero page.
    #0 0x5e7be0 in Sass::Vectorized<Sass::SharedImpl<Sass::Simple_Selector> >::concat(Sass::Vectorized<Sass::SharedImpl<Sass::Simple_Selector> >*) /home/glebm/repos/glebm/libsass/src/ast.hpp:288:61
    #1 0x5e3fc4 in Sass::Functions::selector_append(Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Environment<Sass::SharedImpl<Sass::AST_Node> >&, Sass::Context&, char const*, Sass::ParserState, std::vector<Sass::Backtrace, std::allocator<Sass::Backtrace> >&, std::vector<Sass::SharedImpl<Sass::Selector_List>, std::allocator<Sass::SharedImpl<Sass::Selector_List> > >&) /home/glebm/repos/glebm/libsass/src/fn_selectors.cpp:144:53
    #2 0x6a1c38 in Sass::Eval::operator()(Sass::Function_Call*) /home/glebm/repos/glebm/libsass/src/eval.cpp:1060:18
    #3 0x6c3274 in Sass::Expand::operator()(Sass::Declaration*) /home/glebm/repos/glebm/libsass/src/expand.cpp:250:31
    #4 0x6cea99 in Sass::Expand::append_block(Sass::Block*) /home/glebm/repos/glebm/libsass/src/expand.cpp:802:32
    #5 0x6bfbd9 in Sass::Expand::operator()(Sass::Block*) /home/glebm/repos/glebm/libsass/src/expand.cpp:72:11
    #6 0x6c0b9f in Sass::Expand::operator()(Sass::Ruleset*) /home/glebm/repos/glebm/libsass/src/expand.cpp:144:27
    #7 0x6cea99 in Sass::Expand::append_block(Sass::Block*) /home/glebm/repos/glebm/libsass/src/expand.cpp:802:32
    #8 0x6bfbd9 in Sass::Expand::operator()(Sass::Block*) /home/glebm/repos/glebm/libsass/src/expand.cpp:72:11
    #9 0x5768b6 in Sass::Context::compile() /home/glebm/repos/glebm/libsass/src/context.cpp:678:12
    #10 0x5758b7 in Sass::File_Context::parse() /home/glebm/repos/glebm/libsass/src/context.cpp:605:12
    #11 0x55bc76 in Sass::sass_parse_block(Sass_Compiler*) /home/glebm/repos/glebm/libsass/src/sass_context.cpp:234:31
    #12 0x55b8ba in sass_compiler_parse /home/glebm/repos/glebm/libsass/src/sass_context.cpp:483:22
    #13 0x55b539 in sass_compile_context(Sass_Context*, Sass::Context*) /home/glebm/repos/glebm/libsass/src/sass_context.cpp:371:7
    #14 0x5540f6 in compile_file /home/glebm/repos/glebm/libsass/sassc/sassc.c:158:5
    #15 0x554ab9 in main /home/glebm/repos/glebm/libsass/sassc/sassc.c:370:18
    #16 0x7ffbb3fcbb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x45b839 in _start (/home/glebm/repos/glebm/libsass/sassc/bin/sassc+0x45b839)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/glebm/repos/glebm/libsass/src/ast.hpp:288:61 in Sass::Vectorized<Sass::SharedImpl<Sass::Simple_Selector> >::concat(Sass::Vectorized<Sass::SharedImpl<Sass::Simple_Selector> >*)
==15981==ABORTING

I've sent #2762 for this one but not sure if it's the best solution.