
heap-buffer-overflow in main_print_unhandled_exception #4212

Closed
ossy-szeged opened this issue Sep 23, 2020 · 2 comments

Comments

@ossy-szeged
Contributor

JerryScript revision

3c723c9
(latest master - 2020.09.21.)

Build platform

Ubuntu 18.04.5 LTS (Linux 4.15.0-112-generic x86_64)

Build steps

./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-g --strip=off --system-allocator=on --logging=on --linker-flag=-fuse-ld=gold --error-messages=on --stack-limit=16

Test case

found by test262-esnext tests:

  • language/asi/S7.9_A5.7_T1.js
  • language/asi/S7.9_A9_T6.js
  • language/asi/S7.9_A9_T7.js
  • language/statements/try/S12.14_A16_T1.js
Output

READ of size 1 at 0xf57029de thread T0
    #0 0x565d168f in main_print_unhandled_exception /home/oszi/jerryscript/jerry-main/main-utils.c:182
    #1 0x565abbb8 in main /home/oszi/jerryscript/jerry-main/main-unix.c:140
    #2 0xf7794e90 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e90)
    #3 0x565ad663  (/home/oszi/jerryscript/build/tests/test262_tests_esnext/local/bin/jerry+0xf663)
[1600854654.57]
0xf57029de is located 0 bytes to the right of 3422-byte region [0xf5701c80,0xf57029de)
allocated by thread T0 here:
    #0 0xf7a5bf54 in malloc (/usr/lib32/libasan.so.4+0xe5f54)
    #1 0x566b62e4 in jerry_port_read_source /home/oszi/jerryscript/jerry-port/default/default-module.c:58
    #2 0x565d1194 in main_print_unhandled_exception /home/oszi/jerryscript/jerry-main/main-utils.c:161
    #3 0x565abbb8 in main /home/oszi/jerryscript/jerry-main/main-unix.c:140
    #4 0xf7794e90 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e90)

Expected behavior

No heap buffer overflow.

@ossy-szeged
Contributor Author

@dbatyai: This part of the source was refactored by edab196.

```c
do
{
  ch = source_p[pos++];   /* reads source_p[pos] without checking pos < source_size first */
  jerry_port_log (JERRY_LOG_LEVEL_ERROR, "%c", ch);
}
while (ch != '\n' && char_count++ < SYNTAX_ERROR_MAX_LINE_LENGTH);   /* stops only on '\n' or the length cap, never on end of buffer */
```

The problem is here, where pos < source_size isn't guaranteed: a heap buffer overflow happens when pos == source_size (== 50 with these test cases).
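To make the failure mode concrete, here is an added example (not JerryScript's code) of the same line-printing loop with the missing bound in place. It assumes a stand-in constant MAX_LINE_LENGTH for SYNTAX_ERROR_MAX_LINE_LENGTH, a hypothetical function copy_error_line in place of the logging loop, and a constructed three-line source whose last line has no trailing newline, which is the shape that drives the original loop past the end of the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for SYNTAX_ERROR_MAX_LINE_LENGTH (value assumed). */
#define MAX_LINE_LENGTH 256

/* Copy the rest of the current source line, starting at `pos`, into `out`.
 * Stops at '\n', at MAX_LINE_LENGTH characters, or, unlike the loop quoted
 * in the issue, at the end of the source buffer (pos == source_size).
 * The '\n' itself is not copied. Returns the number of characters copied. */
size_t copy_error_line (const char *source_p, size_t source_size, size_t pos,
                        char *out, size_t out_size)
{
  size_t count = 0;
  while (pos < source_size            /* the bound missing from the original loop */
         && count < MAX_LINE_LENGTH
         && count + 1 < out_size)     /* leave room for the terminating NUL */
  {
    char ch = source_p[pos++];
    if (ch == '\n')
    {
      break;
    }
    out[count++] = ch;
  }
  out[count] = '\0';
  return count;
}

/* Run the copy against a constructed source whose last line is not
 * newline-terminated, so the error position sits on the final line and the
 * only thing that can stop the loop is the buffer bound. Returns the number
 * of characters copied, which must equal the bytes remaining after `pos`. */
size_t demo_unterminated_last_line (void)
{
  /* Constructed sample: three lines, the last one without '\n'. */
  static const char source[] = "var a = 1;\nvar b = 2;\nvar c = ";
  size_t source_size = sizeof (source) - 1;   /* excludes the NUL terminator */
  size_t error_pos = 22;                       /* offset of the third line */
  char line[MAX_LINE_LENGTH + 1];
  size_t n = copy_error_line (source, source_size, error_pos, line, sizeof line);
  printf ("%s\n", line);   /* prints "var c = " and stops at the buffer end */
  return n;
}

int main (void)
{
  demo_unterminated_last_line ();
  return 0;
}
```

The check `pos < source_size` is evaluated before every read, so when the error is reported at the very end of the source (pos == source_size, as in the issue) the loop copies nothing instead of reading one byte past the allocation.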

@ossy-szeged
Contributor Author

Duplicate of #4244, but the other issue seems to contain a little bit more detail.
