We found with our fuzzer several different errors relevant to the calculation of `&jsVarBlocks[t>>JSVAR_BLOCK_SHIFT][t&(JSVAR_BLOCK_SIZE-1)];` when calling `jsvGetAddressOf` in jsvar.c. We tested on ce19241 but also reproduced them on f0d66ba and these errors can be triggered in a normal run without address sanitizer.
test_0.txt
This leads to an invalid read.
ASAN:DEADLYSIGNAL
=================================================================
==9877==ERROR: AddressSanitizer: SEGV on unknown address 0x602000349050 (pc 0x556b5cbd6afa bp 0x7ffc79cce280 sp 0x7ffc79cce260 T0)
==9877==The signal is caused by a READ memory access.
#0 0x556b5cbd6af9 in jsvGetAddressOf src/jsvar.c:117
#1 0x556b5cbe16f7 in jsvFindChildFromString src/jsvar.c:2414
#2 0x556b5cbf49b3 in jspeiFindInScopes src/jsparse.c:150
#3 0x556b5cbf846f in jspGetNamedVariable src/jsparse.c:913
#4 0x556b5cbfbd01 in jspeFactor src/jsparse.c:1571
#5 0x556b5cbf974b in jspeFactorFunctionCall src/jsparse.c:1200
#6 0x556b5cbfd9b1 in jspePostfixExpression src/jsparse.c:1766
#7 0x556b5cbfdd08 in jspeUnaryExpression src/jsparse.c:1792
#8 0x556b5cbfdfec in __jspeBinaryExpression src/jsparse.c:1857
#9 0x556b5cbfe3b9 in jspeBinaryExpression src/jsparse.c:1920
#10 0x556b5cbfe607 in jspeConditionalExpression src/jsparse.c:1956
#11 0x556b5cbfed43 in jspeAssignmentExpression src/jsparse.c:2021
#12 0x556b5cbfeab9 in __jspeAssignmentExpression src/jsparse.c:1969
#13 0x556b5cbfed4b in jspeAssignmentExpression src/jsparse.c:2021
#14 0x556b5cbfed64 in jspeExpression src/jsparse.c:2027
#15 0x556b5cc03182 in jspeStatement src/jsparse.c:2674
#16 0x556b5cbfeeba in jspeBlockNoBrackets src/jsparse.c:2040
#17 0x556b5cbff22c in jspeBlock src/jsparse.c:2070
#18 0x556b5cbff2cf in jspeBlockOrStatement src/jsparse.c:2077
#19 0x556b5cc0140d in jspeStatementFor src/jsparse.c:2379
#20 0x556b5cc035e7 in jspeStatement src/jsparse.c:2694
#21 0x556b5cbff2e3 in jspeBlockOrStatement src/jsparse.c:2080
#22 0x556b5cbff3ed in jspParse src/jsparse.c:2092
#23 0x556b5cc0464e in jspEvaluateVar src/jsparse.c:2900
#24 0x556b5cc049a9 in jspEvaluate src/jsparse.c:2932
#25 0x556b5ccabf05 in main targets/linux/main.c:330
#26 0x7f149e28ab96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#27 0x556b5cbc71d9 in _start (/home/hongxu/tests/Espruino-asan/espruino+0x361d9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsvar.c:117 in jsvGetAddressOf
==9877==ABORTING
test_2.txt
This calculates a weird pointer address.
==7719==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000048 at pc 0x55694016bafa bp 0x7ffe517aca50 sp 0x7ffe517aca40
READ of size 8 at 0x602000000048 thread T0
#0 0x55694016baf9 in jsvGetAddressOf src/jsvar.c:117
#1 0x5569401766f7 in jsvFindChildFromString src/jsvar.c:2414
#2 0x5569401899b3 in jspeiFindInScopes src/jsparse.c:150
#3 0x55694018d46f in jspGetNamedVariable src/jsparse.c:913
#4 0x556940190d01 in jspeFactor src/jsparse.c:1571
#5 0x55694018e74b in jspeFactorFunctionCall src/jsparse.c:1200
#6 0x5569401929b1 in jspePostfixExpression src/jsparse.c:1766
#7 0x556940192d08 in jspeUnaryExpression src/jsparse.c:1792
#8 0x5569401933ac in jspeBinaryExpression src/jsparse.c:1920
#9 0x556940193607 in jspeConditionalExpression src/jsparse.c:1956
#10 0x556940193d43 in jspeAssignmentExpression src/jsparse.c:2021
#11 0x556940193d64 in jspeExpression src/jsparse.c:2027
#12 0x556940195ffc in jspeStatementFor src/jsparse.c:2337
#13 0x5569401985e7 in jspeStatement src/jsparse.c:2694
#14 0x5569401942e3 in jspeBlockOrStatement src/jsparse.c:2080
#15 0x5569401943ed in jspParse src/jsparse.c:2092
#16 0x55694019964e in jspEvaluateVar src/jsparse.c:2900
#17 0x5569401999a9 in jspEvaluate src/jsparse.c:2932
#18 0x556940240f05 in main targets/linux/main.c:330
#19 0x7f075727db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#20 0x55694015c1d9 in _start (/home/hongxu/tests/Espruino-asan/espruino+0x361d9)
Address 0x602000000048 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsvar.c:117 in jsvGetAddressOf
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 fa fa fa fa fa fa[fa]fa fa fa fa fa fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7719==ABORTING
test_1.txt
This leads to an infinite call.
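As an added example, not Espruino's code: a simplified two-level variable-block table in the style of the `jsVarBlocks[t>>JSVAR_BLOCK_SHIFT][t&(JSVAR_BLOCK_SIZE-1)]` expression above, with a lookup that validates the block index against the number of allocated blocks before forming any pointer, so a corrupt or fuzzed reference is rejected instead of producing the wild address seen in the reports. The block size constants, the 1-based reference convention, the counter and all function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed layout constants, not Espruino's real values. */
#define JSVAR_BLOCK_SHIFT 4                          /* 16 variables per block */
#define JSVAR_BLOCK_SIZE  (1u << JSVAR_BLOCK_SHIFT)
#define MAX_BLOCKS        4                          /* table can hold 64 slots */

typedef struct { uint32_t payload; } JsVar;          /* stand-in for the real JsVar */
typedef uint32_t JsVarRef;                           /* assumed 1-based; 0 means "no var" */

static JsVar *jsVarBlocks[MAX_BLOCKS];               /* blocks allocated so far */
static size_t jsVarBlockCount;
static unsigned varInvalidRefCount;                  /* rejected lookups, for diagnostics */

/* Allocate one more block of variables; returns 1 on success, 0 if full. */
int varsAddBlock(void) {
  if (jsVarBlockCount >= MAX_BLOCKS) return 0;
  JsVar *b = calloc(JSVAR_BLOCK_SIZE, sizeof(JsVar));
  if (!b) return 0;
  jsVarBlocks[jsVarBlockCount++] = b;
  return 1;
}

/* Highest reference the allocated blocks can currently hold. */
JsVarRef varMaxRef(void) { return (JsVarRef)(jsVarBlockCount * JSVAR_BLOCK_SIZE); }

/* Bounds-checked form of the jsVarBlocks[t>>SHIFT][t&(SIZE-1)] lookup.
 * The block index is validated against the allocated block count before
 * any pointer is computed, so an out-of-range ref yields NULL and is
 * counted, rather than a read from an arbitrary address. */
JsVar *varAddressOfChecked(JsVarRef ref) {
  if (ref == 0) { varInvalidRefCount++; return NULL; }
  JsVarRef t = ref - 1;
  size_t block = t >> JSVAR_BLOCK_SHIFT;
  if (block >= jsVarBlockCount) { varInvalidRefCount++; return NULL; }
  return &jsVarBlocks[block][t & (JSVAR_BLOCK_SIZE - 1)];
}

int main(void) {
  varsAddBlock(); varsAddBlock();                    /* refs 1..32 are valid */
  JsVarRef probes[] = { 1, 32, 33, 0x7fffffffu };    /* constructed test refs */
  for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
    printf("ref %u -> %s\n", (unsigned)probes[i],
           varAddressOfChecked(probes[i]) ? "valid" : "rejected");
  printf("rejected lookups: %u (max ref %u)\n", varInvalidRefCount, (unsigned)varMaxRef());
  return 0;
}
```

A non-zero `varInvalidRefCount` after a run is a cheap signal that a reference was corrupted somewhere upstream, which is the condition the fuzzer surfaced here.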