
Null pointer dereference in jmem-heap #2435

Closed
dominiakm opened this issue Jul 24, 2018 · 0 comments

Labels: bug (Undesired behaviour), critical (Raises security concerns)

dominiakm commented Jul 24, 2018

  • Jerry Version:
    f86d745

  • Build command:
    python tools/build.py --profile=es2015-subset --jerry-libc=OFF --clean --strip OFF --compile-flag="-g" --compile-flag="-fsanitize=address"

  • OS:
    Ubuntu 16.04

  • Test case:
    (new Int8Array(0)).filter(parseInt)

  • Result:

  =================================================================
  ==7815==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x000000402bc1 bp 0x000000000193 sp 0x7fff3cb1ba80 T0)
      #0 0x402bc0 in jmem_heap_free_block jerry-core/jmem/jmem-heap.c:463
      #1 0x422215  (build/bin/jerry+0x422215)
      #2 0x428231 in ecma_builtin_dispatch_routine jerry-core/ecma/builtin-objects/ecma-builtins.c:906
      #3 0x428231 in ecma_builtin_dispatch_call jerry-core/ecma/builtin-objects/ecma-builtins.c:931
      #4 0x428231 in ecma_op_function_call jerry-core/ecma/operations/ecma-function-object.c:495
      #5 0x4613f5 in opfunc_call jerry-core/vm/vm.c:436
      #6 0x4613f5 in vm_execute jerry-core/vm/vm.c:3008
      #7 0x461fda in vm_run jerry-core/vm/vm.c:3092
      #8 0x424411 in vm_run_eval jerry-core/vm/vm.c:270
      #9 0x424411 in ecma_op_eval_chars_buffer jerry-core/ecma/operations/ecma-eval.c:111
      #10 0x40274f in jerry_eval jerry-core/api/jerry.c:570
      #11 0x40274f in main jerry-main/main-unix.c:810
      #12 0x7f749b68f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
      #13 0x403148 in _start (build/bin/jerry+0x403148)

  AddressSanitizer can not provide additional info.
  SUMMARY: AddressSanitizer: SEGV jerry-core/jmem/jmem-heap.c:463 jmem_heap_free_block
  ==7815==ABORTING

  • Immediate cause:
    It seems that this bug is caused by triggering undefined behavior at jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.c:598. The second passed argument is NULL. This causes a NULL dereference and allows GCC to optimize out subsequent checks for NULL. This further causes writing to a null pointer, which results in a segmentation fault. Note that because this bug occurs due to GCC optimizing out a check for NULL, this may not be reproducible with a debug build.

Please confirm if you can reproduce this issue.

This bug was discovered by Marcin Dominiak and Wojciech Rauner.
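The mechanism the report describes (a pointer dereferenced before it is checked for NULL, so the optimiser is entitled to drop the later check) is easy to reproduce in isolation. The following is an added example and is not JerryScript code: the block header struct, the function names and the zero-length caller guard are all constructed for illustration. The header's second field sits at offset 4 because a fault on address 0x4, as in the reported sanitizer output, is what a write to a small field offset through a NULL base looks like.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical free-list block header, constructed for this example.
 * It is NOT JerryScript's jmem-heap layout; it only provides a concrete
 * 4-byte field offset so the fault address is recognisable. */
typedef struct {
    uint32_t size;        /* offset 0 */
    uint32_t next_offset; /* offset 4: a write through a NULL base faults at 0x4 */
} block_header_t;

/* The defect pattern from the report: the pointer is used before it is
 * checked. Dereferencing NULL is undefined behaviour, so the compiler may
 * conclude that p cannot be NULL afterwards and delete the check, which is
 * why the crash can disappear in an unoptimised build. Never call this with
 * NULL; it exists only to show the ordering bug. */
static long release_block_unchecked(block_header_t *p, uint32_t new_size)
{
    uint32_t previous = p->size;   /* dereference before the check: UB if p == NULL */
    if (p == NULL) {               /* the optimiser may treat this as unreachable */
        return -1;
    }
    p->next_offset = 0;            /* with p == NULL this becomes a write to address 0x4 */
    p->size = new_size;
    return (long) previous;
}

/* Hardened form: validate the argument before any access, so the check is
 * not dominated by a dereference and the compiler has to keep it. */
static long release_block_checked(block_header_t *p, uint32_t new_size)
{
    if (p == NULL) {
        return -1;
    }
    uint32_t previous = p->size;
    p->next_offset = 0;
    p->size = new_size;
    return (long) previous;
}

/* Caller-side guard for the reported trigger (a zero-length typed array):
 * when there are no elements there is no backing block, so the caller
 * must not hand a NULL block to the release routine at all.
 * Hypothetical helper, not the project's fix. */
static long release_backing_block(block_header_t *block, uint32_t length)
{
    if (length == 0) {
        return 0;                  /* nothing allocated, nothing to release */
    }
    return release_block_checked(block, 0);
}

int main(void)
{
    block_header_t hdr = { .size = 16, .next_offset = 99 };
    printf("checked, valid block: %ld\n", release_block_checked(&hdr, 8));
    printf("checked, NULL block: %ld\n", release_block_checked(NULL, 8));
    printf("zero-length array, NULL block: %ld\n", release_backing_block(NULL, 0));
    printf("unchecked, valid block: %ld\n", release_block_unchecked(&hdr, 4));
    return 0;
}
```

Two compiler-level aids help here. Building with `-fsanitize=undefined` reports the NULL dereference at the line where it happens rather than at the later write, independent of optimisation level, which would have pointed straight at the typedarray call site instead of at jmem_heap_free_block. GCC's `-fno-delete-null-pointer-checks` keeps checks that follow a dereference, which limits the damage while the ordering bug itself is fixed, but it is a mitigation, not a substitute for checking before use.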

LaszloLango added the bug (Undesired behaviour) and critical (Raises security concerns) labels Jul 24, 2018
DanielBallaSZTE pushed a commit to DanielBallaSZTE/jerryscript that referenced this issue Jul 30, 2018
Fixes jerryscript-project#2435.

JerryScript-DCO-1.0-Signed-off-by: Daniel Balla dballa@inf.u-szeged.hu
yichoi pushed a commit that referenced this issue Aug 1, 2018
Fixes #2435.

JerryScript-DCO-1.0-Signed-off-by: Daniel Balla dballa@inf.u-szeged.hu