CVE-2023-37770: A stack-overflow vulnerability in faust · Issue #922 · grame-cncm/faust
faust commit ee39a19 was discovered to contain a stack overflow via the component boxppShared::print() at /boxes/ppbox.cpp.
Hi, developers of faust:
When testing the faust binary instrumented with ASAN, there is a stack-overflow vulnerability in /build/bin/faust, at /faust/compiler/boxes/ppbox.cpp:401 in boxppShared::print(std::ostream&) const. Here is the ASAN output (I omit some repeated messages):
=================================================================
==45152==ERROR: AddressSanitizer: stack-overflow on address 0x7f14949f7420 (pc 0x0000006aeaaa bp 0x7f1494a00bb0 sp 0x7f14949f7420 T1)
#0 0x6aeaaa in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:401
#1 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16
#2 0x6d9c0b in streambinopShared(std::ostream&, CTree*, char const*, CTree*, int, int) /faust/compiler/boxes/ppbox.cpp:120:10
#3 0x6b569e in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:482:9
#4 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16
#5 0x6d9c0b in streambinopShared(std::ostream&, CTree*, char const*, CTree*, int, int) /faust/compiler/boxes/ppbox.cpp:120:10
#6 0x6b74ee in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:488:9
#7 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16
SUMMARY: AddressSanitizer: stack-overflow /faust/compiler/boxes/ppbox.cpp:401 in boxppShared::print(std::ostream&) const
Thread T1 created by T0 here:
#0 0x61127a in pthread_create (/faust/build/bin/faust+0x61127a)
#1 0xbaae26 in callFun(void* ()(void), void*) /faust/compiler/global.cpp:2225:5
#2 0xc41570 in createFactory(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, int, char const**, std::__cxx11::basic_string<char, std::char_traits, std::allocator >&, bool) /faust/compiler/libcode.cpp:1321:5
#3 0xc52100 in main /faust/compiler/main.cpp:46:33
#4 0x7f1498d2dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/…/csu/libc-start.c:310
==45152==ABORTING
Crash input
https://github.com/17ssDP/fuzzer_crashes/blob/main/faust/stack-overflow
Validation steps
cmake . -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DINCLUDE_STATIC=on -DINCLUDE_HTTP=off -DINCLUDE_OSC=off
make -j
./build/bin/faust -lang ocpp -o /tmp/faust -e -lcc -exp10 -lb -rb -mem -sd @@
Environment
Ubuntu 16.04
Clang 10.0.1
gcc 5.5
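A minimal illustration of the failure mode in the trace above, added here as an example and not taken from faust's code: a toy binary-operator tree whose pretty-printer recurses once per nesting level (the print -> operator<< -> streambinop -> print cycle the frames show), next to a depth-guarded variant that refuses deeply nested input instead of exhausting the stack. The Node and Arena types, the printer names and the depth limit are all assumptions made for this example.

```cpp
// Added example (not faust's code). Toy expression tree with a naive
// recursive printer and a depth-guarded one.
#include <cstddef>
#include <memory>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

struct Node {
    std::string op;             // empty for a leaf
    std::string leaf;           // leaf label when op is empty
    const Node* lhs = nullptr;
    const Node* rhs = nullptr;
};

// Flat arena that owns every node. Destroying nodes from a vector is a plain
// loop; a chain of unique_ptr children would be destroyed recursively and
// overflow the stack on exactly the inputs that break the printer.
struct Arena {
    std::vector<std::unique_ptr<Node>> nodes;
    const Node* leaf(const std::string& name) {
        std::unique_ptr<Node> n(new Node);
        n->leaf = name;
        nodes.push_back(std::move(n));
        return nodes.back().get();
    }
    const Node* binop(const std::string& op, const Node* l, const Node* r) {
        std::unique_ptr<Node> n(new Node);
        n->op = op; n->lhs = l; n->rhs = r;
        nodes.push_back(std::move(n));
        return nodes.back().get();
    }
};

// Unbounded recursive printer: one stack frame per nesting level, so a
// sufficiently deep input crashes it with a stack overflow.
void printNaive(const Node* n, std::ostream& os) {
    if (n->op.empty()) { os << n->leaf; return; }
    os << '(';
    printNaive(n->lhs, os);
    os << ' ' << n->op << ' ';
    printNaive(n->rhs, os);
    os << ')';
}

// Depth-guarded printer: returns false as soon as nesting exceeds maxDepth
// (a limit chosen for this example), leaving the caller to report an error.
bool printBounded(const Node* n, std::ostream& os, std::size_t maxDepth, std::size_t depth = 0) {
    if (depth > maxDepth) return false;
    if (n->op.empty()) { os << n->leaf; return true; }
    os << '(';
    if (!printBounded(n->lhs, os, maxDepth, depth + 1)) return false;
    os << ' ' << n->op << ' ';
    if (!printBounded(n->rhs, os, maxDepth, depth + 1)) return false;
    os << ')';
    return true;
}

// Builds a left-leaning chain of `levels` binary operators (nesting depth
// `levels`) iteratively, so construction itself never recurses.
const Node* buildChain(Arena& a, std::size_t levels) {
    const Node* cur = a.leaf("x");
    for (std::size_t i = 0; i < levels; ++i) cur = a.binop("+", cur, a.leaf("1"));
    return cur;
}

std::string renderNaive(const Node* n) {
    std::ostringstream os;
    printNaive(n, os);
    return os.str();
}

// Rendered text, or "<too deep>" when the guard trips.
std::string renderBounded(const Node* n, std::size_t maxDepth) {
    std::ostringstream os;
    if (!printBounded(n, os, maxDepth)) return "<too deep>";
    return os.str();
}

// Shallow input: both printers agree on the output.
bool shallowMatches() {
    Arena a;
    const Node* t = buildChain(a, 2);
    return renderNaive(t) == "((x + 1) + 1)" && renderBounded(t, 10) == "((x + 1) + 1)";
}

// Deep input: only the guarded printer is safe to call, and it refuses.
bool deepRefused() {
    Arena a;
    return renderBounded(buildChain(a, 5000), 1000) == "<too deep>";
}
```

The guard is the cheap fix for a recursive printer: a depth counter threaded through every recursive call, with the limit set well below what the process stack can hold. The arena is the less obvious half of the same problem, since an owning-pointer tree frees itself recursively and would fail on the same input even with the printer fixed.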