
A stack-overflow vulnerability in faust #922

Open
mondaylord opened this issue Jul 7, 2023 · 6 comments

Comments

@mondaylord

Hi, developers of faust:
In testing the faust binary instrumented with ASAN, there is a stack-overflow vulnerability in /build/bin/faust, at /faust/compiler/boxes/ppbox.cpp:401 in boxppShared::print(std::ostream&) const. Here is the ASAN mode output (I omit some repeated messages):

=================================================================
==45152==ERROR: AddressSanitizer: stack-overflow on address 0x7f14949f7420 (pc 0x0000006aeaaa bp 0x7f1494a00bb0 sp 0x7f14949f7420 T1)
#0 0x6aeaaa in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:401
#1 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16
#2 0x6d9c0b in streambinopShared(std::ostream&, CTree*, char const*, CTree*, int, int) /faust/compiler/boxes/ppbox.cpp:120:10
#3 0x6b569e in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:482:9
#4 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16
#5 0x6d9c0b in streambinopShared(std::ostream&, CTree*, char const*, CTree*, int, int) /faust/compiler/boxes/ppbox.cpp:120:10
#6 0x6b74ee in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:488:9
#7 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16
SUMMARY: AddressSanitizer: stack-overflow /faust/compiler/boxes/ppbox.cpp:401 in boxppShared::print(std::ostream&) const
Thread T1 created by T0 here:
#0 0x61127a in pthread_create (/faust/build/bin/faust+0x61127a)
#1 0xbaae26 in callFun(void* ()(void), void*) /faust/compiler/global.cpp:2225:5
#2 0xc41570 in createFactory(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, int, char const**, std::__cxx11::basic_string<char, std::char_traits, std::allocator >&, bool) /faust/compiler/libcode.cpp:1321:5
#3 0xc52100 in main /faust/compiler/main.cpp:46:33
#4 0x7f1498d2dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

==45152==ABORTING

Crash input

https://github.com/17ssDP/fuzzer_crashes/blob/main/faust/stack-overflow

Validation steps

cmake . -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DINCLUDE_STATIC=on -DINCLUDE_HTTP=off -DINCLUDE_OSC=off
make -j
./build/bin/faust -lang ocpp -o /tmp/faust -e -lcc -exp10 -lb -rb -mem -sd @@

Environment

Ubuntu 16.04
Clang 10.0.1
gcc 5.5

@sletz (Member)

sletz commented Jul 7, 2023

This is the DSP source?

@mondaylord (Author)

mondaylord commented Jul 7, 2023

I don't quite know if I cloned the DSP source.
I just cloned this repository and built it with CMake.

I think the code attached to this problem is as follows (/faust/compiler/boxes/ppbox.cpp:120:10):

// Prints "t1 op t2", parenthesised when the enclosing operator binds tighter.
// Each operand is streamed through boxppShared, whose operator<< calls
// boxppShared::print, which for a nested binary box calls back into this
// function: one native stack frame per nesting level of the box tree.
static void streambinopShared(ostream &fout, Tree t1, const char *op, Tree t2, int curPriority, int upPriority)
{
    if (upPriority > curPriority) fout << '(';

    fout << boxppShared(t1, curPriority) << op << boxppShared(t2, curPriority);

    if (upPriority > curPriority) fout << ')';
}

And the contents of the POC are:

//�.$s�
process =->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>=>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>min~999; 

@sletz (Member)

sletz commented Jul 7, 2023

Which version of the Faust compiler? I cannot reproduce the problem here with current 2.60.6.

@mondaylord (Author)

The version I tested is commit ee39a19

@sletz (Member)

sletz commented Jul 7, 2023

OK. There are a lot of recursive functions in the compiler, and even if we call them in a separate thread with a bigger stack, some of them may still cause stack-overflow issues. I don't think we can solve the problem in the general case.
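The mechanism behind the trace in the report and the point made above about recursive functions, as an added example that is not Faust's code: the POC chains a few hundred `>` operators, which a left-associative parser turns into a tree whose left spine is as deep as the operator count, and a printer written like streambinopShared recurses once per level (print -> operator<< -> streambinopShared -> print in the ASAN frames), so a bigger thread stack only raises the operator count needed to crash. The toy tree below is printed both ways: recursively with a depth guard that fails loudly instead of overflowing, and iteratively with a heap-allocated work stack that handles any depth. `Node`, `Tree`, `chain`, `printRecursive`, `printIterative` and the 10000 depth limit are illustrative assumptions, not names from the Faust code base.

```cpp
// Added example, not Faust code. A toy box-like tree with one binary operator
// per node, built as a left-associative chain like the POC's ">>>>...>" run and
// printed two ways: recursively, in the shape of streambinopShared (one native
// stack frame per nesting level), and iteratively with a heap-allocated stack.
// Names (Node, Tree, chain, printRecursive, printIterative) and the depth
// limit are illustrative assumptions.
#include <cstddef>
#include <iostream>
#include <memory>
#include <stack>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

struct Node {
    std::string op;               // binary operator text; empty for a leaf
    std::string leaf;             // leaf text (identifier or number)
    const Node* lhs = nullptr;    // null for a leaf
    const Node* rhs = nullptr;
};

// Arena that owns every Node, so the raw child pointers stay valid and
// destruction is a flat loop over the vector rather than a recursive walk.
struct Tree {
    std::vector<std::unique_ptr<Node>> pool;
    const Node* leaf(std::string text) {
        pool.push_back(std::unique_ptr<Node>(new Node()));
        pool.back()->leaf = std::move(text);
        return pool.back().get();
    }
    const Node* bin(const Node* l, std::string op, const Node* r) {
        pool.push_back(std::unique_ptr<Node>(new Node()));
        Node* n = pool.back().get();
        n->op = std::move(op); n->lhs = l; n->rhs = r;
        return n;
    }
};

// "x OP y OP y ... OP y" with n operators, parsed left-associatively: the left
// spine of the result is n nodes deep, which is what a long run of '>' yields.
const Node* chain(Tree& t, const std::string& op, std::size_t n) {
    const Node* acc = t.leaf("x");
    for (std::size_t i = 0; i < n; ++i) acc = t.bin(acc, op, t.leaf("y"));
    return acc;
}

// Recursive printer. Each nesting level costs a native stack frame, so a long
// enough chain overflows whatever stack size the thread was given. The depth
// guard turns that crash into a catchable error; it does not remove recursion.
static void printRec(std::string& out, const Node* n, std::size_t depth, std::size_t maxDepth) {
    if (depth > maxDepth) throw std::runtime_error("expression nesting too deep");
    if (n->lhs == nullptr) { out += n->leaf; return; }
    out += '(';
    printRec(out, n->lhs, depth + 1, maxDepth);
    out += n->op;
    printRec(out, n->rhs, depth + 1, maxDepth);
    out += ')';
}

std::string printRecursive(const Node* root, std::size_t maxDepth = 10000) {
    std::string out;
    printRec(out, root, 0, maxDepth);
    return out;
}

// Iterative printer producing the same text. Pending work lives in a std::stack
// on the heap, so nesting depth is bounded by memory, not by the thread's stack.
std::string printIterative(const Node* root) {
    struct Item { const Node* n; std::string text; };   // n == nullptr: emit text
    std::string out;
    std::stack<Item> work;
    work.push({root, ""});
    while (!work.empty()) {
        Item it = std::move(work.top());
        work.pop();
        if (it.n == nullptr) { out += it.text; continue; }
        if (it.n->lhs == nullptr) { out += it.n->leaf; continue; }
        // Pushed in reverse so they pop as: '(' lhs op rhs ')'
        work.push({nullptr, ")"});
        work.push({it.n->rhs, ""});
        work.push({nullptr, it.n->op});
        work.push({it.n->lhs, ""});
        work.push({nullptr, "("});
    }
    return out;
}

int main() {
    Tree t;
    const Node* deep = chain(t, ">", 100000);   // far deeper than any sane stack
    std::cout << "iterative: " << printIterative(deep).size() << " chars\n";
    try {
        printRecursive(deep);
    } catch (const std::runtime_error& e) {
        std::cout << "recursive: " << e.what() << '\n';
    }
    return 0;
}
```

The depth guard is the cheap mitigation for a fuzzer-found crash like this one (reject the input with a diagnostic instead of faulting); the iterative printer is the fix that removes the dependence on thread stack size altogether, at the cost of rewriting each recursive walk as an explicit-stack loop.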

@andrewpollock

If the problematic code is indeed

static void streambinopShared(ostream &fout, Tree t1, const char *op, Tree t2, int curPriority, int upPriority)

then that was introduced in 3b3e13a, which looks like it was released in 2.40.0-rc1, and the offending code is still present in

static void streambinopShared(ostream &fout, Tree t1, const char *op, Tree t2, int curPriority, int upPriority)

which is in the most recent release 2.60.3.
