A stack-overflow vulnerability in faust

[mondaylord]

Hi, developers of faust: In the test of the binary faust instrumented with ASAN. There is a stack-overflow vulnerability in /build/bin/faust, /faust/compiler/boxes/ppbox.cpp:401 in boxppShared::print(std::ostream&) const. Here is the ASAN mode output (I omit some repeated messages):

================================================================= ==45152==ERROR: AddressSanitizer: stack-overflow on address 0x7f14949f7420 (pc 0x0000006aeaaa bp 0x7f1494a00bb0 sp 0x7f14949f7420 T1)

0 0x6aeaaa in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:401

#1 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16
#2 0x6d9c0b in streambinopShared(std::ostream&, CTree*, char const*, CTree*, int, int) /faust/compiler/boxes/ppbox.cpp:120:10
#3 0x6b569e in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:482:9
#4 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16
#5 0x6d9c0b in streambinopShared(std::ostream&, CTree*, char const*, CTree*, int, int) /faust/compiler/boxes/ppbox.cpp:120:10
#6 0x6b74ee in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:488:9
#7 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16

SUMMARY: AddressSanitizer: stack-overflow /faust/compiler/boxes/ppbox.cpp:401 in boxppShared::print(std::ostream&) const Thread T1 created by T0 here:

0 0x61127a in pthread_create (/faust/build/bin/faust+0x61127a)

#1 0xbaae26 in callFun(void* (*)(void*), void*) /faust/compiler/global.cpp:2225:5
#2 0xc41570 in createFactory(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, char const**, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, bool) /faust/compiler/libcode.cpp:1321:5
#3 0xc52100 in main /faust/compiler/main.cpp:46:33
#4 0x7f1498d2dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

==45152==ABORTING

Crash input

https://github.com/17ssDP/fuzzer_crashes/blob/main/faust/stack-overflow

Validation steps

cmake . -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DINCLUDE_STATIC=on -DINCLUDE_HTTP=off -DINCLUDE_OSC=off make -j ./build/bin/faust -lang ocpp -o /tmp/faust -e -lcc -exp10 -lb -rb -mem -sd @@

Environment

Ubuntu 16.04 Clang 10.0.1 gcc 5.5

[sletz]

This is the DSP source ?

[mondaylord]

I don't quite know if I cloned the DSP source. I just cloned this repository and build with CMAKE.

I think the code attached to this problem is as follows(/faust/compiler/boxes/ppbox.cpp:120:10)

static void streambinopShared(ostream &fout, Tree t1, const char *op, Tree t2, int curPriority, int upPriority)
{

    if (upPriority > curPriority) fout << '(';

    fout << boxppShared(t1, curPriority) << op << boxppShared(t2, curPriority);

    if (upPriority > curPriority) fout << ')';

}

And the contents in the POC is

//�.$s�
process =->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>=>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>min~999; 

[sletz]

Which version of the Faust compiler ? I cannot reproduce the problem here with current 2.60.6.

[mondaylord]

The version I tested is commit ee39a19

[sletz]

OK. They are lot of recursive functions in the compiler and even if we call them in a separated thread with a bigger stack, some of them may cause stack-overflow issue. I don't think we can solve the problem in the general case.

[andrewpollock]

If the problematic code is indeed https://github.com/grame-cncm/faust/blob/3b3e13a873db6010ca33f4819b69dc573de209da/compiler/boxes/ppbox.cpp#L110 then that was introduced in 3b3e13a873db6010ca33f4819b69dc573de209da, which looks like it was released in 2.40.0-rc1 and the offending code is still present in https://github.com/grame-cncm/faust/blob/6826bfb5214b075b3af2ae90061f8de040ac4c76/compiler/boxes/ppbox.cpp#L117 which is in the most recent release 2.60.3