
AddressSanitizer: SEGV in xs/sources/xsDataView.c:2709:8 in fxFloat32Getter #749

Closed
eternalsakura opened this issue Dec 13, 2021 · 2 comments
Labels
confirmed issue reported has been reproduced fixed - please verify Issue has been fixed. Please verify and close.

Comments


Build environment

  • operating system: Ubuntu 20.04
  • commit hash: db8f973
  • compile command:
    cd /pathto/moddable/xs/makefiles/lin
    make debug or make release
  • test command:
    export ASAN_OPTIONS=detect_leaks=0
    ./xst poc

PoC

var f32 = new Float32Array(127);
for (var n = 7; n; n--)
    f32["sort"](function (fuzz_v21, fuzz_v22, fuzz_v23) {
        f32.length = 2;
        var fuzz_v31 = [
            "4LZ3E",
            "__proto__"
        ];
        return n;
    });

Description

  • ASan log
=================================================================
==2234547==ERROR: AddressSanitizer: SEGV on unknown address 0x7f24423e0ffc (pc 0x000000530514 bp 0x7fff6c350510 sp 0x7fff6c3504e0 T0)
==2234547==The signal is caused by a READ memory access.
    #0 0x530514 in fxFloat32Getter /home/sakura/moddable/xs/sources/xsDataView.c:2709:8
    #1 0x5282e8 in fxCompareTypedArrayItem /home/sakura/moddable/xs/sources/xsDataView.c:1234:3
    #2 0x52f1aa in fx_TypedArray_prototype_sort /home/sakura/moddable/xs/sources/xsDataView.c:2303:14
    #3 0x59b4b7 in fxRunID /home/sakura/moddable/xs/sources/xsRun.c:842:8
    #4 0x5b50e2 in fxRunScript /home/sakura/moddable/xs/sources/xsRun.c:4766:4
    #5 0x61567c in fxRunProgramFile /home/sakura/moddable/xs/tools/xst.c:1387:2
    #6 0x60fbef in main /home/sakura/moddable/xs/tools/xst.c:281:8
    #7 0x7f24489850b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x42e6bd in _start (/home/sakura/moddable/build/bin/lin/debug/xst+0x42e6bd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/sakura/moddable/xs/sources/xsDataView.c:2709:8 in fxFloat32Getter
==2234547==ABORTING
  • release crash
[] ~/sk-afl-js/moddable_workdir <main> ~/moddable/build/bin/lin/release/xst fuzz_output/fuzzer1/crashes/id:000001,sig:06,src:017947,op:\(null\),pos:0.js
[2]    2205390 segmentation fault  ~/moddable/build/bin/lin/release/xst 
@eternalsakura eternalsakura changed the title AddressSanitizer: SEGV /home/sakura/moddable/xs/sources/xsDataView.c:2709:8 in fxFloat32Getter AddressSanitizer: SEGV in xs/sources/xsDataView.c:2709:8 in fxFloat32Getter Dec 13, 2021
@phoddie phoddie added the confirmed issue reported has been reproduced label Dec 13, 2021

phoddie commented Dec 13, 2021

Simplified test:

var f32 = new Float32Array(127);
f32.sort(function () {
    return 1;
});


phoddie commented Dec 21, 2021

The bug was in all TypedArray instances when used with a nonsense/malicious comparison function. This had previously been fixed for Array but the change wasn't propagated to TypedArray. Thank you.
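An added illustration of the bug class described in this comment (not code from the Moddable XS engine, whose sort routine may differ): an insertion sort whose inner loop is bounded by the index rather than by the comparator's answer, so a comparator that never reports "in order" cannot drive the read below the start of the buffer. The comparator names, sort_float_view and the constructed input are assumptions.

```c
#include <stddef.h>

/* Comparator contract as for a JavaScript sort callback: <0, 0 or >0. */
typedef int (*cmp_fn)(float a, float b);

static int ascending(float a, float b) { return (a > b) - (a < b); }
/* Nonsense comparator modelled on the simplified test: never reports "in order". */
static int always_greater(float a, float b) { (void)a; (void)b; return 1; }

/* Hardened insertion sort over a float view. The inner loop ends on j > 0, not on
 * the comparator's verdict alone, so an inconsistent comparator can only waste
 * comparisons: it cannot move the read below items[0]. A naive loop of the form
 * `while (cmp(items[j - 1], key) > 0)` reads items[-1] once j reaches 0. */
size_t sort_float_view(float *items, size_t count, cmp_fn cmp) {
    size_t calls = 0;                     /* comparator invocations, returned */
    for (size_t i = 1; i < count; i++) {
        float key = items[i];
        size_t j = i;
        while (j > 0) {                   /* the index bound, not cmp, ends the loop */
            calls++;
            if (cmp(items[j - 1], key) <= 0) break;
            items[j] = items[j - 1];
            j--;
        }
        items[j] = key;
    }
    return calls;
}

#define N 127  /* same length as the Float32Array in the report */

/* Constructed input v[k] = k for the checks below. */
static void fill(float *v) { for (size_t k = 0; k < N; k++) v[k] = (float)k; }

/* 1 if a sane comparator leaves ascending data ascending. */
int sane_comparator_keeps_order(void) {
    float v[N]; fill(v);
    sort_float_view(v, N, ascending);
    for (size_t k = 1; k < N; k++) if (v[k - 1] > v[k]) return 0;
    return 1;
}

/* always_greater shifts every key to the front: the view ends up reversed and cmp
 * is called exactly N*(N-1)/2 = 8001 times, so the run is bounded and in-bounds. */
int nonsense_comparator_is_contained(void) {
    float v[N]; fill(v);
    size_t calls = sort_float_view(v, N, always_greater);
    for (size_t k = 0; k < N; k++) if (v[k] != (float)(N - 1 - k)) return 0;
    return calls == (size_t)N * (N - 1) / 2;
}
```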

@phoddie phoddie added the fixed - please verify Issue has been fixed. Please verify and close. label Dec 21, 2021
@phoddie phoddie closed this as completed Dec 29, 2021