AddressSanitizer: stack-overflow src/ast_selectors.cpp:464 in Sass::ComplexSelector::has_placeholder() const

[ex7l0it]

1. Description

A stack-overflow has occurred in Sass::ComplexSelector::has_placeholder() of src/ast_selectors.cpp:464 when running program ./sassc/bin/sassc, this can reproduce on the lattest commit.

2. Software version info

$ git log -1
commit 2102188d21d2b7577c2b3edb12832e90786a2831 (HEAD -> master, origin/master, origin/HEAD)
Merge: 006bbf5c f0605a31
Author: Marcel Greter <doyouspam@ocbnet.ch>
Date:   Fri Sep 9 20:41:03 2022 +0200

    Merge pull request #3176 from LilyWangLL/vcpkg-instructions

    Add vcpkg installation instructions

$ ./sassc/bin/sassc --version
sassc: 3.6.2
libsass: 3.6.5-8-g210218
sass2scss: 1.1.1
sass: 3.5

3. System version info

Ubuntu 20.04.2 LTS
Linux 5.4.0-65-generic

4. Command

./sassc/bin/sassc ./poc3

5. Result

WARNING on line 2, column 50 of /libsass/pocs/poc4:
In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

WARNING on line 2, column 51 of /libsass/pocs/poc4:
In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3226316==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe6a56aff8 (pc 0x000000b98979 bp 0x000000000000 sp 0x7ffe6a56b000 T0)
    #0 0xb98978 in Sass::ComplexSelector::has_placeholder() const src/ast_selectors.cpp:464
    #1 0xa2f688 in Sass::Remove_Placeholders::remove_placeholders(Sass::ComplexSelector*) src/remove_placeholders.cpp:36
    #2 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SelectorList*) src/remove_placeholders.cpp:52
    #3 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SimpleSelector*) src/remove_placeholders.cpp:22
    #4 0xa2ead2 in Sass::Remove_Placeholders::remove_placeholders(Sass::CompoundSelector*) src/remove_placeholders.cpp:29
    #5 0xa2fa01 in Sass::Remove_Placeholders::remove_placeholders(Sass::ComplexSelector*) src/remove_placeholders.cpp:42
    #6 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SelectorList*) src/remove_placeholders.cpp:52
    ...
    #325 0xa2fa01 in Sass::Remove_Placeholders::remove_placeholders(Sass::ComplexSelector*) src/remove_placeholders.cpp:42
    #326 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SelectorList*) src/remove_placeholders.cpp:52
    #327 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SimpleSelector*) src/remove_placeholders.cpp:22
    #328 0xa2ead2 in Sass::Remove_Placeholders::remove_placeholders(Sass::CompoundSelector*) src/remove_placeholders.cpp:29
    #329 0xa2fa01 in Sass::Remove_Placeholders::remove_placeholders(Sass::ComplexSelector*) src/remove_placeholders.cpp:42
    #330 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SelectorList*) src/remove_placeholders.cpp:52
    #331 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SimpleSelector*) src/remove_placeholders.cpp:22

SUMMARY: AddressSanitizer: stack-overflow src/ast_selectors.cpp:464 in Sass::ComplexSelector::has_placeholder() const
==3226316==ABORTING

6. Impact

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution.

7. POC

Download: poc3

Report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale

[pgajdos]

CVE-2022-43358

[mgreter]

Addressed via https://github.com/sass/libsass/pull/3184