heap-buffer-overflow in lit_read_code_unit_from_hex #2230
Comments
I cannot reproduce this on the latest master (685af74).
I can still reproduce on the latest master, maybe we use a different build command? Mine is python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --jerry-libc=off --static-link=off --lto=off --error-message=on --system-allocator=on
I cannot reproduce the issue either. @zhunki does it show up for you still? Below are my logs for current master for two different Ubuntu versions (with two different gccs):
At the end, I've managed to reproduce the issue. It seems that the original test case missed a backslash. The proper test case is ((new RegExp("[\\u0")).exec("u"));
This patch fixes jerryscript-project#2230 and jerryscript-project#2237. Test cases are added for both issues and also adds new cases which caused the same error. JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
This is CVE-2018-11419.
Don't close until fixed.
This patch fixes jerryscript-project#2230 and fixes jerryscript-project#2237. Test cases are added for both issues and also adds new cases which caused the same error. JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
((new RegExp("[\u0")).exec("u"));
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.5) 5.4.0 20160609
build command:
python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --jerry-libc=off --static-link=off --lto=off --error-message=on --system-allocator=on
=================================================================
==9567==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf580075c at pc 0x080f9f5a bp 0xffdf2a48 sp 0xffdf2a38
READ of size 1 at 0xf580075c thread T0
#0 0x80f9f59 in lit_read_code_unit_from_hex /home/b/jerryscript/jerry-core/lit/lit-char-helpers.c:443
#1 0x811df42 in re_parse_char_class /home/b/jerryscript/jerry-core/parser/regexp/re-parser.c:431
#2 0x811a7b5 in re_parse_alternative /home/b/jerryscript/jerry-core/parser/regexp/re-compiler.c:399
#3 0x811b5f7 in re_compile_bytecode /home/b/jerryscript/jerry-core/parser/regexp/re-compiler.c:564
#4 0x80e2057 in ecma_op_create_regexp_object /home/b/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:292
#5 0x80bf83b in ecma_builtin_regexp_dispatch_construct /home/b/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp.c:136
#6 0x80a0e9d in ecma_builtin_dispatch_construct /home/b/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.inc.h:154
#7 0x81358b3 in opfunc_construct /home/b/jerryscript/jerry-core/vm/vm.c:475
#8 0x81358b3 in vm_execute /home/b/jerryscript/jerry-core/vm/vm.c:2849
#9 0x8137a0d in vm_run /home/b/jerryscript/jerry-core/vm/vm.c:2924
#10 0x8137a0d in vm_run_global /home/b/jerryscript/jerry-core/vm/vm.c:224
#11 0x8057509 in jerry_run /home/b/jerryscript/jerry-core/api/jerry.c:562
#12 0x804c176 in main /home/b/jerryscript/jerry-main/main-unix.c:611
#13 0xf7005636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#14 0x804f8e9 (/home/b/jerryscript/build/bin/jerry+0x804f8e9)
0xf580075c is located 0 bytes to the right of 12-byte region [0xf5800750,0xf580075c)
allocated by thread T0 here:
#0 0xf7239dee in malloc (/usr/lib32/libasan.so.2+0x96dee)
#1 0x804f544 in jmem_heap_alloc_block_internal /home/b/jerryscript/jerry-core/jmem/jmem-heap.c:324
#2 0x804f544 in jmem_heap_gc_and_alloc_block /home/b/jerryscript/jerry-core/jmem/jmem-heap.c:360
#3 0x804f544 in jmem_heap_alloc_block /home/b/jerryscript/jerry-core/jmem/jmem-heap.c:406
#4 0x80650aa in ecma_new_ecma_string_from_utf8 /home/b/jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:232
#5 0x807d593 in ecma_find_or_create_literal_string /home/b/jerryscript/jerry-core/ecma/base/ecma-literal-storage.c:73
#6 0x810487a in parser_compute_indicies /home/b/jerryscript/jerry-core/parser/js/js-parser.c:201
#7 0x810487a in parser_post_processing /home/b/jerryscript/jerry-core/parser/js/js-parser.c:1441
#8 0x8110f8a in parser_parse_source /home/b/jerryscript/jerry-core/parser/js/js-parser.c:2267
#9 0x8112c78 in parser_parse_script /home/b/jerryscript/jerry-core/parser/js/js-parser.c:2764
#10 0x8056f72 in jerry_parse /home/b/jerryscript/jerry-core/api/jerry.c:388
#11 0x8056f72 in jerry_parse_named_resource /home/b/jerryscript/jerry-core/api/jerry.c:446
#12 0x804c140 in main /home/b/jerryscript/jerry-main/main-unix.c:602
#13 0xf7005636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/b/jerryscript/jerry-core/lit/lit-char-helpers.c:443 lit_read_code_unit_from_hex
Shadow bytes around the buggy address:
0x3eb00090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eb000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eb000b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eb000c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eb000d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3eb000e0: fa fa 00 01 fa fa 00 00 fa fa 00[04]fa fa fd fa
0x3eb000f0: fa fa 00 05 fa fa 00 02 fa fa 00 06 fa fa 00 00
0x3eb00100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eb00110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eb00120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eb00130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==9567==ABORTING
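As an added illustration of the failure mode in the trace above (this is not JerryScript's code and not the project's actual fix; the function names are hypothetical): a bounds-checked hex code-unit reader, and a small character-class scanner that rejects the truncated `[\u0` escape instead of reading past the end of the pattern buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Value of one ASCII hex digit, or -1 if the byte is not a hex digit. */
static int hex_digit_value (uint8_t c)
{
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

/* Hypothetical bounds-checked counterpart of the reader in the trace: decode
 * `digits` hex digits at `p` into a UTF-16 code unit, but only after confirming
 * that many bytes exist before `end`. In the reproducer only one byte follows
 * the 'u', so an unchecked 4-digit read steps past the end of the 12-byte heap
 * region, which is exactly what ASan reported. */
static bool read_code_unit_from_hex_checked (const uint8_t *p, const uint8_t *end,
                                             size_t digits, uint16_t *out)
{
  if ((size_t) (end - p) < digits) return false; /* truncated escape */
  uint16_t value = 0;
  for (size_t i = 0; i < digits; i++) {
    int d = hex_digit_value (p[i]);
    if (d < 0) return false; /* not a hex digit */
    value = (uint16_t) ((value << 4) | (uint16_t) d);
  }
  *out = value;
  return true;
}

/* Scan a character class starting at '[' for its first \uXXXX escape.
 * Returns the decoded code unit (0..0xFFFF), or -1 if the class is unterminated
 * or the escape is truncated or malformed. The scanner carries the buffer end
 * with it, so every read is checked against it. */
int class_first_unicode_escape (const char *pattern)
{
  const uint8_t *p = (const uint8_t *) pattern;
  const uint8_t *end = p + strlen (pattern);
  if (p == end || *p != '[') return -1;
  for (p++; p < end && *p != ']'; p++) {
    if (*p != '\\') continue;
    if (end - p < 2) return -1;             /* lone backslash ends the pattern */
    if (p[1] == 'u') {
      uint16_t cu;
      return read_code_unit_from_hex_checked (p + 2, end, 4, &cu) ? (int) cu : -1;
    }
    p++;                                    /* other escape: skip its operand too */
  }
  return -1;                                /* no \u escape, or class never closed */
}
```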