Espruino revision
Commit: 53108085
Version: 2v11.251

Build environment
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps
export CCFLAGS='-g -fsanitize=address -fno-omit-frame-pointer'
make clean && make

Test case
var result = (new Array(64)."a", "b",expected,actual(new Array(64))).concat(["H"]);
var value = result[0];
if (value !== void 0) throw "Error" + value;

Execution & Output
./Espruino/espruino poc.js
=================================================================
=========ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffef778ec61 at pc 0x55e21c41efe8 bp 0x7ffef778eb70 sp 0x7ffef778eb60
READ of size 1 at 0x7ffef778ec61 thread T0
    #0 0x55e21c41efe7 in jsvNewFromString src/jsvar.c:910
    #1 0x55e21c456e0c in jsvAddNamedChild src/jsvar.c:2581
    #2 0x55e21c52d165 in jspeAddNamedFunctionParameter src/jsparse.c:1442
    #3 0x55e21c5540ee in jspeExpressionOrArrowFunction src/jsparse.c:1469
    #4 0x55e21c555c06 in jspeFactor src/jsparse.c:1622
    #5 0x55e21c53891f in jspeFactorFunctionCall src/jsparse.c:1160
    #6 0x55e21c539f38 in jspePostfixExpression src/jsparse.c:1786
    #7 0x55e21c541192 in jspeBinaryExpression src/jsparse.c:1955
    #8 0x55e21c541192 in jspeConditionalExpression src/jsparse.c:1991
    #9 0x55e21c541192 in jspeAssignmentExpression src/jsparse.c:2050
    #10 0x55e21c541192 in jspeStatementVar src/jsparse.c:2165
    #11 0x55e21c54b6d4 in jspeBlockOrStatement src/jsparse.c:2124
    #12 0x55e21c54da1e in jspParse src/jsparse.c:2136
    #13 0x55e21c55c3ea in jspEvaluateVar src/jsparse.c:2996
    #14 0x55e21c55c3ea in jspEvaluate src/jsparse.c:3026
    #15 0x55e21c36c025 in main targets/linux/main.c:460
    #16 0x7fa0f5814bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #17 0x55e21c36fbc9 in _start (/root/Espruino/espruino+0x4ebc9)

Address 0x7ffef778ec61 is located in stack of thread T0 at offset 97 in frame
    #0 0x55e21c52cedf in jspeAddNamedFunctionParameter src/jsparse.c:1437

  This frame has 1 object(s):
    [32, 97) 'buf' <== Memory access at offset 97 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow src/jsvar.c:910 in jsvNewFromString
Shadow bytes around the buggy address:
  0x10005eee9d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005eee9d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005eee9d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005eee9d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005eee9d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10005eee9d80: f1 f1 f1 f1 00 00 00 00 00 00 00 00[01]f2 f2 f2
  0x10005eee9d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005eee9da0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10005eee9db0: 00 00 00 00 00 00 00 f2 00 00 00 00 00 00 00 00
  0x10005eee9dc0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
  0x10005eee9dd0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
=========ABORTING
34fd6cd
Thanks! I believe this is now fixed if you want to check - it was an unterminated string that happened when converting an array to a function parameter.
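The maintainer's comment attributes the fault to a string that was never NUL-terminated when an array was turned into a function parameter name, and the ASan frame information is consistent with that: 'buf' occupies [32, 97) of the frame, a 65-byte object, and the 1-byte read at offset 97 is the first byte past its end, as a routine scanning for a terminator would reach. The C below is an added illustration of that bug class and is not Espruino's code: the copy loop, the buffer size (chosen to match the 65-byte frame object), the function names and the test inputs are all constructed for the example. It places the unterminated copy beside a bounded one that terminates on every path and reports truncation so the caller can reject over-long input.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class in the maintainer's comment, not
 * Espruino's code: a parameter name is copied into a fixed-size stack
 * buffer, the copy does not guarantee a NUL terminator, and a later
 * strlen()-style consumer (jsvNewFromString in the ASan trace) walks off
 * the end of the buffer. All names and sizes below are constructed. */

#define NAME_BUF_LEN 65   /* 65 bytes, like the 'buf' object [32, 97) in the ASan frame */

/* Bounded length without strnlen(), to stay within ISO C. */
static size_t bounded_strlen(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Vulnerable pattern: fills the whole buffer, so a name of NAME_BUF_LEN or
 * more characters leaves no room for the terminator, and the NUL is only
 * written when there happened to be space left. */
static void copy_name_unterminated(char *buf, const char *name) {
    size_t i = 0;
    while (name[i] != '\0' && i < NAME_BUF_LEN) {
        buf[i] = name[i];
        i++;
    }
    if (i < NAME_BUF_LEN) buf[i] = '\0';
}

/* Hardened pattern: reserve the last byte, truncate instead of overrunning,
 * terminate on every path, and report truncation so the caller can reject
 * the input rather than silently keep a mangled name. Returns 1 if truncated. */
static int copy_name_bounded(char *buf, size_t buf_len, const char *name) {
    size_t n = bounded_strlen(name, buf_len);   /* never reads more than buf_len source bytes */
    int truncated = (n >= buf_len);
    if (truncated) n = buf_len - 1;
    memcpy(buf, name, n);
    buf[n] = '\0';
    return truncated;
}

/* 1 if a NUL exists within buf_len bytes, i.e. strlen(buf) cannot over-read. */
int buffer_is_terminated(const char *buf, size_t buf_len) {
    return memchr(buf, '\0', buf_len) != NULL;
}

/* Runs the hardened copy into a buf_len-byte buffer and returns the stored
 * string length, or -1 if the result is unterminated (which must not happen). */
int bounded_copy_len(const char *name, size_t buf_len) {
    char buf[NAME_BUF_LEN];
    if (buf_len == 0 || buf_len > sizeof buf) return -1;
    copy_name_bounded(buf, buf_len, name);
    if (!buffer_is_terminated(buf, buf_len)) return -1;
    return (int)strlen(buf);
}

/* Constructed input: a name of exactly NAME_BUF_LEN characters, the shape of
 * the long generated name in the PoC. Returns 1 when the vulnerable copy
 * leaves buf unterminated while the hardened copy terminates and truncates. */
int demo_long_name(void) {
    char name[NAME_BUF_LEN + 1];
    memset(name, 'a', NAME_BUF_LEN);
    name[NAME_BUF_LEN] = '\0';

    char buf[NAME_BUF_LEN];
    memset(buf, 'X', sizeof buf);               /* stale stack contents: no NUL anywhere */
    copy_name_unterminated(buf, name);
    int vuln_terminated = buffer_is_terminated(buf, sizeof buf);   /* 0: strlen would over-read */

    memset(buf, 'X', sizeof buf);
    int truncated = copy_name_bounded(buf, sizeof buf, name);
    int hard_terminated = buffer_is_terminated(buf, sizeof buf);   /* 1 */

    return !vuln_terminated && hard_terminated && truncated
           && strlen(buf) == NAME_BUF_LEN - 1;
}

int main(void) {
    printf("vulnerable copy unterminated, hardened copy safe: %s\n",
           demo_long_name() ? "yes" : "no");
    printf("bounded_copy_len(\"exactly7\", 8) = %d\n", bounded_copy_len("exactly7", 8));
    return 0;
}
```

The check in demo_long_name deliberately never calls strlen on the output of the vulnerable copy; it uses memchr over the known buffer size instead, because a strlen there is exactly the over-read ASan flagged. Under the same `-fsanitize=address` build the reporter used, replacing that memchr with strlen reproduces a stack-buffer-overflow report of the same shape.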
97ef220  Fix for buffer overflow + segv found via fuzzing (fix #2121, fix #2122)
6c469f7  Revert "fix potential buffer overflow (fix #2121)"
         This reverts commit 34fd6cd.
e298312  Revert "Revert "fix potential buffer overflow (fix #2121)""
         This reverts commit 6c469f7.
aaa9b6a  Fix regression after #2121 fix (that previously had to be reverted)