Libsass: MSVC x86_64 buffer overrun in error reporting (Regression between 3.3.5 and 3.3.6)

Created on 24 Apr 2016  ·  14Comments  ·  Source: sass/libsass

This originally comes from https://github.com/dahlia/libsass-python/pull/149

I'm having a hard time wrapping my head around exactly _why_ this happens, but I'll post what I've got so far :)

This commit seems to cause the issue I'm seeing: https://github.com/sass/libsass/commit/527f3a8 (#2025)
Checking out the revision before it (f8cad4e) seems to succeed.

My little test harness

You can view the code here if that's easier: https://github.com/asottile/libsass/commit/f40ae24025234b73ca86adece62dec0e35884eb1

main.cpp

#include <sass/context.h>
#include <iostream>

int main() {
    std::cout << "Making data context" << std::endl;
    struct Sass_Data_Context* context = sass_make_data_context(sass_copy_c_string(""));
    std::cout << "Compiling data context" << std::endl;
    sass_compile_data_context(context);
    std::cout << "Getting output context" << std::endl;
    struct Sass_Context* ctx = sass_data_context_get_context(context);
    std::cout << "Printing error status" << std::endl;
    std::cout << sass_context_get_error_status(ctx) << std::endl;
    std::cout << "Printing error message" << std::endl;
    std::cout << sass_context_get_error_message(ctx) << std::endl;
    sass_delete_data_context(context);

    return 0;
}

test.bat

"D:\Programs\VS2015\VC\BIN\amd64\cl.exe" ^
    /I.\include -ID:\Programs\VS2015\VC\INCLUDE ^
    /c /nologo /W3 /WX- /GL /DNDEBUG -O2 /Oi /Zi /EHsc /MT ^
    src/*.c
"D:\Programs\VS2015\VC\BIN\amd64\cl.exe" ^
    /I.\include ^
    "-ID:\Programs\VS2015\VC\INCLUDE" ^
    "-ID:\Programs\VS2015\VC\ATLMFC\INCLUDE" ^
    "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.10240.0\ucrt" ^
    "-IC:\Program Files (x86)\Windows Kits\NETFXSDK\4.6.1\include\um" ^
    "-IC:\Program Files (x86)\Windows Kits\8.1\include\\shared" ^
    "-IC:\Program Files (x86)\Windows Kits\8.1\include\\um" ^
    "-IC:\Program Files (x86)\Windows Kits\8.1\include\\winrt" ^
    /c /nologo /W3 /WX- /GL /DNDEBUG -O2 /Oi /Zi /EHsc /MT ^
    ./main.cpp src/*.cpp 
"D:\Programs\VS2015\VC\BIN\amd64\link.exe" ^
    "-LIBPATH:D:\Programs\VS2015\VC\LIB\amd64" ^
    "-LIBPATH:D:\Programs\VS2015\VC\ATLMFC\LIB\amd64" ^
    "-LIBPATH:C:\Program Files (x86)\Windows Kits\10\lib\10.0.10240.0\ucrt\x64" ^
    "-LIBPATH:C:\Program Files (x86)\Windows Kits\NETFXSDK\4.6.1\lib\um\x64" ^
    "-LIBPATH:C:\Program Files (x86)\Windows Kits\8.1\lib\winv6.3\um\x64" ^
    "-INCREMENTAL:NO" "-OUT:main.exe" "-Debug" "-nologo" "-LTCG" ^
    *.obj
main.exe

Output at f8cad4e

C:\Users\Anthony\Desktop\git\libsass-python\libsass>"D:\Programs\VS2015\VC\BIN\amd64\cl.exe"     /I.\include -ID:\Programs\VS2015\VC\INCLUDE     /c /nologo /W3 /WX- /GL /DNDEBUG -O2 /Oi /Zi /EHsc /MT     src/*.c
c99func.c
cencode.c

C:\Users\Anthony\Desktop\git\libsass-python\libsass>"D:\Programs\VS2015\VC\BIN\amd64\cl.exe"     /I.\include     "-ID:\Programs\VS2015\VC\INCLUDE"     "-ID:\Programs\VS2015\VC\ATLMFC\INCLUDE"     "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.10240.0\ucrt"     "-IC:\Program Files (x86)\Windows Kits\NETFXSDK\4.6.1\include\um"     "-IC:\Program Files (x86)\Windows Kits\8.1\include\\shared"     "-IC:\Program Files (x86)\Windows Kits\8.1\include\\um"     "-IC:\Program Files (x86)\Windows Kits\8.1\include\\winrt"     /c /nologo /W3 /WX- /GL /DNDEBUG -O2 /Oi /Zi /EHsc /MT     ./main.cpp src/*.cpp
main.cpp
ast.cpp
base64vlq.cpp
bind.cpp
src/bind.cpp(175): warning C4267: 'initializing': conversion from 'size_t' to 'int', possible loss of data
color_maps.cpp
constants.cpp
context.cpp
cssize.cpp
emitter.cpp
environment.cpp
error_handling.cpp
eval.cpp
expand.cpp
extend.cpp
file.cpp
functions.cpp
inspect.cpp
json.cpp
lexer.cpp
listize.cpp
Compiling...
memory_manager.cpp
node.cpp
output.cpp
parser.cpp
plugins.cpp
position.cpp
prelexer.cpp
remove_placeholders.cpp
sass.cpp
sass2scss.cpp
sass_context.cpp
sass_functions.cpp
sass_util.cpp
sass_values.cpp
source_map.cpp
to_c.cpp
to_value.cpp
units.cpp
utf8_string.cpp
util.cpp
Compiling...
values.cpp

C:\Users\Anthony\Desktop\git\libsass-python\libsass>"D:\Programs\VS2015\VC\BIN\amd64\link.exe"     "-LIBPATH:D:\Programs\VS2015\VC\LIB\amd64"     "-LIBPATH:D:\Programs\VS2015\VC\ATLMFC\LIB\amd64"     "-LIBPATH:C:\Program Files (x86)\Windows Kits\10\lib\10.0.10240.0\ucrt\x64"     "-LIBPATH:C:\Program Files (x86)\Windows Kits\NETFXSDK\4.6.1\lib\um\x64"     "-LIBPATH:C:\Program Files (x86)\Windows Kits\8.1\lib\winv6.3\um\x64"     "-INCREMENTAL:NO" "-OUT:main.exe" "-Debug" "-nologo" "-LTCG"     *.obj
Generating code
Finished generating code

C:\Users\Anthony\Desktop\git\libsass-python\libsass>main.exe
Making data context
Compiling data context
Getting output context
Printing error status
3
Printing error message
Internal Error: Data context created with empty source string

Output at 527f3a8

C:\Users\Anthony\Desktop\git\libsass-python\libsass>"D:\Programs\VS2015\VC\BIN\amd64\cl.exe"     /I.\include -ID:\Programs\VS2015\VC\INCLUDE     /c /nologo /W3 /WX- /GL /DNDEBUG -O2 /Oi /Zi /EHsc /MT     src/*.c
c99func.c
cencode.c

C:\Users\Anthony\Desktop\git\libsass-python\libsass>"D:\Programs\VS2015\VC\BIN\amd64\cl.exe"     /I.\include     "-ID:\Programs\VS2015\VC\INCLUDE"     "-ID:\Programs\VS2015\VC\ATLMFC\INCLUDE"     "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.10240.0\ucrt"     "-IC:\Program Files (x86)\Windows Kits\NETFXSDK\4.6.1\include\um"     "-IC:\Program Files (x86)\Windows Kits\8.1\include\\shared"     "-IC:\Program Files (x86)\Windows Kits\8.1\include\\um"     "-IC:\Program Files (x86)\Windows Kits\8.1\include\\winrt"     /c /nologo /W3 /WX- /GL /DNDEBUG -O2 /Oi /Zi /EHsc /MT     ./main.cpp src/*.cpp
main.cpp
ast.cpp
base64vlq.cpp
bind.cpp
src/bind.cpp(175): warning C4267: 'initializing': conversion from 'size_t' to 'int', possible loss of data
color_maps.cpp
constants.cpp
context.cpp
cssize.cpp
emitter.cpp
environment.cpp
error_handling.cpp
eval.cpp
expand.cpp
extend.cpp
file.cpp
functions.cpp
inspect.cpp
json.cpp
lexer.cpp
listize.cpp
Compiling...
memory_manager.cpp
node.cpp
output.cpp
parser.cpp
plugins.cpp
position.cpp
prelexer.cpp
remove_placeholders.cpp
sass.cpp
sass2scss.cpp
sass_context.cpp
sass_functions.cpp
sass_util.cpp
sass_values.cpp
source_map.cpp
to_c.cpp
to_value.cpp
units.cpp
utf8_string.cpp
util.cpp
Compiling...
values.cpp

C:\Users\Anthony\Desktop\git\libsass-python\libsass>"D:\Programs\VS2015\VC\BIN\amd64\link.exe"     "-LIBPATH:D:\Programs\VS2015\VC\LIB\amd64"     "-LIBPATH:D:\Programs\VS2015\VC\ATLMFC\LIB\amd64"     "-LIBPATH:C:\Program Files (x86)\Windows Kits\10\lib\10.0.10240.0\ucrt\x64"     "-LIBPATH:C:\Program Files (x86)\Windows Kits\NETFXSDK\4.6.1\lib\um\x64"     "-LIBPATH:C:\Program Files (x86)\Windows Kits\8.1\lib\winv6.3\um\x64"     "-INCREMENTAL:NO" "-OUT:main.exe" "-Debug" "-nologo" "-LTCG"     *.obj
Generating code
Finished generating code

C:\Users\Anthony\Desktop\git\libsass-python\libsass>main.exe
Making data context

Attaching debugger on failure gives the following message:

Unhandled exception at 0x00007FF77A8F8814 in main.exe: Stack cookie instrumentation code detected a stack-based buffer overrun.

And drops a breakpoint at: https://github.com/sass/libsass/blob/527f3a8/src/sass_context.cpp#L143

Bug - Confirmed Dev - PR Ready
Source
picture asottile

All 14 comments

First :clap: for that bug report, pretty much on spot as we want them. If you take the time to replace D:\Programs with ProgramFiles(x86) and install visual studio in a standard path (Microsoft Visual Studio 12.0 AFAIK) next time, I will officially nominate it for the bug report of the year :grinning:

Already getting late here, but will take a quick peek ...

mgreter picture mgreter on 25 Apr 2016

Seems removing /GL (program optimization) makes the issue go away ...
To clarify, I'm getting segfault when optimization is enabled .. ok, see you have the same.
Since you say it came with the newly added try, I suspect stack unwinding problems.
This is often related to compiler options, but too soon to say anything definite.

mgreter picture mgreter on 25 Apr 2016

Will do and report back. I'm out of space on my SSD so I'll probably need to spin up a VM

asottile picture asottile on 25 Apr 2016

Changing to /GR does the trick! -- I think I can fix that up in the flags I pass to setuptools (python).

Thanks for the tip!

asottile picture asottile on 25 Apr 2016

Hmmm... this is slightly difficult to do since those are some defaults that are difficult to override -- any idea why this commit breaks /GL ?

asottile picture asottile on 25 Apr 2016

Yeah, because memory is probably more scrambled, so it is probably also easier to get segfaults via dangling pointers or buffer overruns etc. But I can already report that it is a dreaded, hard to spot "issue" we are actually not facing for the first time. Fix is underway, will write a bit more in the PR.

mgreter picture mgreter on 25 Apr 2016

<3 you're the best

asottile picture asottile on 25 Apr 2016

If you like to give it a thought yourself, this is the offending line:

sass_copy_c_string(msg_stream.str().c_str())
mgreter picture mgreter on 25 Apr 2016

See https://github.com/sass/libsass/pull/2048 for proposed fix. Thanks for the report!

mgreter picture mgreter on 25 Apr 2016

I do remember something similar to this in some code I wrote a long while back -- I thought the standard protected against the string temporary being collected but perhaps not.

This patch seems to make the code succeed:

diff --git a/src/sass_context.cpp b/src/sass_context.cpp
index e3f34af..9105866 100644
--- a/src/sass_context.cpp
+++ b/src/sass_context.cpp
@@ -140,7 +140,8 @@ extern "C" {
       json_append_member(json_err, "message", json_mkstring(e.what()));
       json_append_member(json_err, "formatted", json_mkstring(msg_stream.str().c_str()));
       try { c_ctx->error_json = json_stringify(json_err, "  "); } catch(...) {}
-      c_ctx->error_message = sass_copy_c_string(msg_stream.str().c_str());
+      std::string s = msg_stream.str();
+      c_ctx->error_message = sass_copy_c_string(s.c_str());
       c_ctx->error_text = sass_copy_c_string(e.what());
       c_ctx->error_status = 3;
       c_ctx->output_string = 0;
asottile picture asottile on 25 Apr 2016

oh sweet, we came to the same conclusion :D

asottile picture asottile on 25 Apr 2016
😄1

Yep, saw that one before with the memory management, where destructor was called in an odd ordering that lead to basically the same issue (same compiler).

mgreter picture mgreter on 25 Apr 2016
😄1

Ah, now I remember, that is exactly the reason (AFAIR) why we have the SASS_MEMORY_NEW macro for allocation of new objects. That was this PR: https://github.com/sass/libsass/pull/1462 ... not 100% sure, but my gut says they have both the same common root.

mgreter picture mgreter on 25 Apr 2016

Nice catch y'all
On 25 Apr 2016 9:29 AM, "Marcel Greter" [email protected] wrote:

Closed #2046 https://github.com/sass/libsass/issues/2046 via #2048
https://github.com/sass/libsass/pull/2048.


You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub
https://github.com/sass/libsass/issues/2046#event-639249983

xzyfer picture xzyfer on 25 Apr 2016
🎉1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

JohnMica picture JohnMica  ·  3Comments
delijah picture delijah  ·  7Comments
xzyfer picture xzyfer  ·  11Comments
holmesmr picture holmesmr  ·  3Comments
GottZ picture GottZ  ·  3Comments