Different errors in jsvGetAddressOf #1437

Closed
hongxuchen opened this issue May 22, 2018 · 1 comment
hongxuchen commented May 22, 2018

We found with our fuzzer several different errors relevant to the calculation of `&jsVarBlocks[t>>JSVAR_BLOCK_SHIFT][t&(JSVAR_BLOCK_SIZE-1)]` when calling jsvGetAddressOf in jsvar.c. We tested on ce19241 but also reproduced them on f0d66ba, and these errors can be triggered in a normal run without address sanitizer.

test_0.txt
This leads to an invalid read.

ASAN:DEADLYSIGNAL
=================================================================
==9877==ERROR: AddressSanitizer: SEGV on unknown address 0x602000349050 (pc 0x556b5cbd6afa bp 0x7ffc79cce280 sp 0x7ffc79cce260 T0)
==9877==The signal is caused by a READ memory access.
    #0 0x556b5cbd6af9 in jsvGetAddressOf src/jsvar.c:117
    #1 0x556b5cbe16f7 in jsvFindChildFromString src/jsvar.c:2414
    #2 0x556b5cbf49b3 in jspeiFindInScopes src/jsparse.c:150
    #3 0x556b5cbf846f in jspGetNamedVariable src/jsparse.c:913
    #4 0x556b5cbfbd01 in jspeFactor src/jsparse.c:1571
    #5 0x556b5cbf974b in jspeFactorFunctionCall src/jsparse.c:1200
    #6 0x556b5cbfd9b1 in jspePostfixExpression src/jsparse.c:1766
    #7 0x556b5cbfdd08 in jspeUnaryExpression src/jsparse.c:1792
    #8 0x556b5cbfdfec in __jspeBinaryExpression src/jsparse.c:1857
    #9 0x556b5cbfe3b9 in jspeBinaryExpression src/jsparse.c:1920
    #10 0x556b5cbfe607 in jspeConditionalExpression src/jsparse.c:1956
    #11 0x556b5cbfed43 in jspeAssignmentExpression src/jsparse.c:2021
    #12 0x556b5cbfeab9 in __jspeAssignmentExpression src/jsparse.c:1969
    #13 0x556b5cbfed4b in jspeAssignmentExpression src/jsparse.c:2021
    #14 0x556b5cbfed64 in jspeExpression src/jsparse.c:2027
    #15 0x556b5cc03182 in jspeStatement src/jsparse.c:2674
    #16 0x556b5cbfeeba in jspeBlockNoBrackets src/jsparse.c:2040
    #17 0x556b5cbff22c in jspeBlock src/jsparse.c:2070
    #18 0x556b5cbff2cf in jspeBlockOrStatement src/jsparse.c:2077
    #19 0x556b5cc0140d in jspeStatementFor src/jsparse.c:2379
    #20 0x556b5cc035e7 in jspeStatement src/jsparse.c:2694
    #21 0x556b5cbff2e3 in jspeBlockOrStatement src/jsparse.c:2080
    #22 0x556b5cbff3ed in jspParse src/jsparse.c:2092
    #23 0x556b5cc0464e in jspEvaluateVar src/jsparse.c:2900
    #24 0x556b5cc049a9 in jspEvaluate src/jsparse.c:2932
    #25 0x556b5ccabf05 in main targets/linux/main.c:330
    #26 0x7f149e28ab96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #27 0x556b5cbc71d9 in _start (/home/hongxu/tests/Espruino-asan/espruino+0x361d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsvar.c:117 in jsvGetAddressOf
==9877==ABORTING

test_1.txt
This leads to an infinite call.

test_2.txt
This calculates a weird pointer address.

==7719==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000048 at pc 0x55694016bafa bp 0x7ffe517aca50 sp 0x7ffe517aca40
READ of size 8 at 0x602000000048 thread T0
    #0 0x55694016baf9 in jsvGetAddressOf src/jsvar.c:117
    #1 0x5569401766f7 in jsvFindChildFromString src/jsvar.c:2414
    #2 0x5569401899b3 in jspeiFindInScopes src/jsparse.c:150
    #3 0x55694018d46f in jspGetNamedVariable src/jsparse.c:913
    #4 0x556940190d01 in jspeFactor src/jsparse.c:1571
    #5 0x55694018e74b in jspeFactorFunctionCall src/jsparse.c:1200
    #6 0x5569401929b1 in jspePostfixExpression src/jsparse.c:1766
    #7 0x556940192d08 in jspeUnaryExpression src/jsparse.c:1792
    #8 0x5569401933ac in jspeBinaryExpression src/jsparse.c:1920
    #9 0x556940193607 in jspeConditionalExpression src/jsparse.c:1956
    #10 0x556940193d43 in jspeAssignmentExpression src/jsparse.c:2021
    #11 0x556940193d64 in jspeExpression src/jsparse.c:2027
    #12 0x556940195ffc in jspeStatementFor src/jsparse.c:2337
    #13 0x5569401985e7 in jspeStatement src/jsparse.c:2694
    #14 0x5569401942e3 in jspeBlockOrStatement src/jsparse.c:2080
    #15 0x5569401943ed in jspParse src/jsparse.c:2092
    #16 0x55694019964e in jspEvaluateVar src/jsparse.c:2900
    #17 0x5569401999a9 in jspEvaluate src/jsparse.c:2932
    #18 0x556940240f05 in main targets/linux/main.c:330
    #19 0x7f075727db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #20 0x55694015c1d9 in _start (/home/hongxu/tests/Espruino-asan/espruino+0x361d9)

Address 0x602000000048 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsvar.c:117 in jsvGetAddressOf
Shadow bytes around the buggy address:
==7719==ABORTING
gfwilliams (Member) commented

Thanks - that one was nasty. You could corrupt the symbol table by using just `for(Number.abcd in o);`
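As an added illustration (not Espruino's code, and not the fix the maintainer applied), here is a constructed model of the block-indexed lookup the issue quotes, with a bounds-checked jsvGetAddressOf and a hop-capped child search in the shape of jsvFindChildFromString, so a corrupted reference yields NULL instead of the wild pointer in the ASan report or an endless walk. JSVAR_BLOCK_SHIFT, JSVAR_BLOCK_SIZE and jsVarBlocks are the names from the issue; the 1-based JsVarRef, the store layout, the sizes and the helper names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (an assumption, not Espruino's jsvar.c): a JsVarRef is a
 * 1-based index, 0 meaning "no var", split into block number and offset as in
 * the issue's expression &jsVarBlocks[t>>JSVAR_BLOCK_SHIFT][t&(JSVAR_BLOCK_SIZE-1)]. */
#define JSVAR_BLOCK_SHIFT 4
#define JSVAR_BLOCK_SIZE  (1u << JSVAR_BLOCK_SHIFT)
#define MAX_BLOCKS 8

typedef uint16_t JsVarRef;
typedef struct { JsVarRef first_child, next_sibling; char name[12]; } JsVar;

static JsVar *jsVarBlocks[MAX_BLOCKS];
static unsigned jsVarsAllocated;  /* slots that really exist */

static void store_init(unsigned nblocks) {
  for (unsigned b = 0; b < MAX_BLOCKS; b++) {
    free(jsVarBlocks[b]);
    jsVarBlocks[b] = b < nblocks ? calloc(JSVAR_BLOCK_SIZE, sizeof(JsVar)) : NULL;
  }
  jsVarsAllocated = nblocks * JSVAR_BLOCK_SIZE;
}

/* Hardened lookup: ref 0 or a ref past the allocated range is rejected before
 * the index arithmetic runs, so a corrupted reference (what the fuzzer
 * produced) yields NULL rather than an address outside the blocks. */
static JsVar *jsvGetAddressOfChecked(JsVarRef ref) {
  if (ref == 0 || ref > jsVarsAllocated) return NULL;
  JsVarRef t = (JsVarRef)(ref - 1);
  return &jsVarBlocks[t >> JSVAR_BLOCK_SHIFT][t & (JSVAR_BLOCK_SIZE - 1)];
}

/* Child search: every link goes through the checked lookup and the walk is
 * capped at the slot count, so a dangling or cyclic sibling chain cannot turn
 * into an endless traversal. Returns the matching ref, or 0 if absent/corrupt. */
static JsVarRef jsvFindChildChecked(JsVarRef parent, const char *name) {
  JsVar *p = jsvGetAddressOfChecked(parent);
  if (!p) return 0;
  JsVarRef r = p->first_child;
  for (unsigned hops = 0; r && hops < jsVarsAllocated; hops++) {
    JsVar *v = jsvGetAddressOfChecked(r);
    if (!v) return 0;                       /* dangling link: stop, do not deref */
    if (strncmp(v->name, name, sizeof v->name) == 0) return r;
    r = v->next_sibling;
  }
  return 0;  /* not found, or the hop cap tripped on a cycle */
}
```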
