Different errors in jsvGetAddressOf

[hongxuchen]

We found with our fuzzer several different errors relevant to calculation of &jsVarBlocks[t>>JSVAR_BLOCK_SHIFT][t&(JSVAR_BLOCK_SIZE-1)]; when calling jsvGetAddressOfin jsvar.c. We tested on ce19241 but also reproduced them on f0d66ba and these errors can be triggered in a normal run without address sanitizer.

test_0.txt
This leads to an invalid read.

ASAN:DEADLYSIGNAL
=================================================================
==9877==ERROR: AddressSanitizer: SEGV on unknown address 0x602000349050 (pc 0x556b5cbd6afa bp 0x7ffc79cce280 sp 0x7ffc79cce260 T0)
==9877==The signal is caused by a READ memory access.
    #0 0x556b5cbd6af9 in jsvGetAddressOf src/jsvar.c:117
    #1 0x556b5cbe16f7 in jsvFindChildFromString src/jsvar.c:2414
    #2 0x556b5cbf49b3 in jspeiFindInScopes src/jsparse.c:150
    #3 0x556b5cbf846f in jspGetNamedVariable src/jsparse.c:913
    #4 0x556b5cbfbd01 in jspeFactor src/jsparse.c:1571
    #5 0x556b5cbf974b in jspeFactorFunctionCall src/jsparse.c:1200
    #6 0x556b5cbfd9b1 in jspePostfixExpression src/jsparse.c:1766
    #7 0x556b5cbfdd08 in jspeUnaryExpression src/jsparse.c:1792
    #8 0x556b5cbfdfec in __jspeBinaryExpression src/jsparse.c:1857
    #9 0x556b5cbfe3b9 in jspeBinaryExpression src/jsparse.c:1920
    #10 0x556b5cbfe607 in jspeConditionalExpression src/jsparse.c:1956
    #11 0x556b5cbfed43 in jspeAssignmentExpression src/jsparse.c:2021
    #12 0x556b5cbfeab9 in __jspeAssignmentExpression src/jsparse.c:1969
    #13 0x556b5cbfed4b in jspeAssignmentExpression src/jsparse.c:2021
    #14 0x556b5cbfed64 in jspeExpression src/jsparse.c:2027
    #15 0x556b5cc03182 in jspeStatement src/jsparse.c:2674
    #16 0x556b5cbfeeba in jspeBlockNoBrackets src/jsparse.c:2040
    #17 0x556b5cbff22c in jspeBlock src/jsparse.c:2070
    #18 0x556b5cbff2cf in jspeBlockOrStatement src/jsparse.c:2077
    #19 0x556b5cc0140d in jspeStatementFor src/jsparse.c:2379
    #20 0x556b5cc035e7 in jspeStatement src/jsparse.c:2694
    #21 0x556b5cbff2e3 in jspeBlockOrStatement src/jsparse.c:2080
    #22 0x556b5cbff3ed in jspParse src/jsparse.c:2092
    #23 0x556b5cc0464e in jspEvaluateVar src/jsparse.c:2900
    #24 0x556b5cc049a9 in jspEvaluate src/jsparse.c:2932
    #25 0x556b5ccabf05 in main targets/linux/main.c:330
    #26 0x7f149e28ab96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #27 0x556b5cbc71d9 in _start (/home/hongxu/tests/Espruino-asan/espruino+0x361d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsvar.c:117 in jsvGetAddressOf
==9877==ABORTING

test_1.txt
This leads to an infinite call.

test_2.txt
This calculates a weird pointer address.

==7719==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000048 at pc 0x55694016bafa bp 0x7ffe517aca50 sp 0x7ffe517aca40
READ of size 8 at 0x602000000048 thread T0
    #0 0x55694016baf9 in jsvGetAddressOf src/jsvar.c:117
    #1 0x5569401766f7 in jsvFindChildFromString src/jsvar.c:2414
    #2 0x5569401899b3 in jspeiFindInScopes src/jsparse.c:150
    #3 0x55694018d46f in jspGetNamedVariable src/jsparse.c:913
    #4 0x556940190d01 in jspeFactor src/jsparse.c:1571
    #5 0x55694018e74b in jspeFactorFunctionCall src/jsparse.c:1200
    #6 0x5569401929b1 in jspePostfixExpression src/jsparse.c:1766
    #7 0x556940192d08 in jspeUnaryExpression src/jsparse.c:1792
    #8 0x5569401933ac in jspeBinaryExpression src/jsparse.c:1920
    #9 0x556940193607 in jspeConditionalExpression src/jsparse.c:1956
    #10 0x556940193d43 in jspeAssignmentExpression src/jsparse.c:2021
    #11 0x556940193d64 in jspeExpression src/jsparse.c:2027
    #12 0x556940195ffc in jspeStatementFor src/jsparse.c:2337
    #13 0x5569401985e7 in jspeStatement src/jsparse.c:2694
    #14 0x5569401942e3 in jspeBlockOrStatement src/jsparse.c:2080
    #15 0x5569401943ed in jspParse src/jsparse.c:2092
    #16 0x55694019964e in jspEvaluateVar src/jsparse.c:2900
    #17 0x5569401999a9 in jspEvaluate src/jsparse.c:2932
    #18 0x556940240f05 in main targets/linux/main.c:330
    #19 0x7f075727db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #20 0x55694015c1d9 in _start (/home/hongxu/tests/Espruino-asan/espruino+0x361d9)

Address 0x602000000048 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsvar.c:117 in jsvGetAddressOf
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7719==ABORTING

[gfwilliams]

Thanks - that one was nasty. You could corrupt the symbol table by using just for(Number.abcd in o);