Out-of-bound read in main_print_unhandled_exception #4244
Comments
Thank you for analyzing the issue; few people are doing this. This is a great help for us!

It is the same bug as #4212, but I leave this one open. Affected test262-esnext tests: @dbatyai: This part of the source was refactored by edab196.

https://nvd.nist.gov/vuln/detail/CVE-2020-29657
On line 180 of main-utils.c,

```c
do
{
  ch = source_p[pos++];
  jerry_port_log (JERRY_LOG_LEVEL_ERROR, "%c", ch);
}
while (ch != '\n' && char_count++ < SYNTAX_ERROR_MAX_LINE_LENGTH);
```

will out-of-bound read at most 0x100 characters when a syntax error happens at the end of the input file.
JerryScript revision
0ffe166
(latest master - 2020.09.28.)
Build platform
Ubuntu 16.04.1 (Linux 4.15.0-117-generic x86_64)
Build steps
Test case

```js
//debugger.js
try {
}
```

Execution steps
Output

```
==46414==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf640077b at pc 0x0804ac7c bp 0xffb3af18 sp 0xffb3af08
READ of size 1 at 0xf640077b thread T0
    #0 0x804ac66 in main_print_unhandled_exception /home/lily/Desktop/debugger/jerryscript/jerry-main/main-utils.c:196
    #1 0x80498fc in main /home/lily/Desktop/debugger/jerryscript/jerry-main/main-unix.c:142
    #2 0xf782b646 in __libc_start_main (/lib32/libc.so.6+0x18646)
    #3 0x8049320 (/home/lily/Desktop/debugger/jerryscript/build/bin/jerry+0x8049320)

0xf640077b is located 0 bytes to the right of 27-byte region [0xf6400760,0xf640077b)
allocated by thread T0 here:
    #0 0xf7a5ddee in malloc (/usr/lib32/libasan.so.2+0x96dee)
    #1 0x819498a in jerry_port_read_source /home/lily/Desktop/debugger/jerryscript/jerry-port/default/default-module.c:58
    #2 0x804aaa7 in main_print_unhandled_exception /home/lily/Desktop/debugger/jerryscript/jerry-main/main-utils.c:164
    #3 0x80498fc in main /home/lily/Desktop/debugger/jerryscript/jerry-main/main-unix.c:142
    #4 0xf782b646 in __libc_start_main (/lib32/libc.so.6+0x18646)
��'��x�^ �0��Catch or finally block expected.Y��^ �'��SyntaxE�($�^ xx ^
SyntaxError: Catch or finally block expected. [debugger.js:4:1]
```

Expected behavior
On line 166 of main-utils.c

```c
/* 2. seek and print */
while (pos < source_size && curr_line < err_line)
{
  if (source_p[pos] == '\n')
  {
    curr_line++;
  }
  pos++;
}
```

Please consider that the error line may be larger than the test case's line count. The above "try" test case has just three lines, but the error happened on line 4 (a "catch" block is needed). The jerry_port_read_source (path_str_p, &source_size) called in main_print_unhandled_exception needs to malloc more memory to locate an error that happened outside source_size; meanwhile, the read operation on line 180 also needs to be limited by the extended error location range instead of .
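As an added illustration of the bound the report says is missing (this is not JerryScript's code and not the fix the maintainers shipped), the hypothetical helper `copy_error_line` below does the same seek-and-print walk but never reads past `source_size`, and returns 0 when the reported line lies beyond the end of the buffer; `SYNTAX_ERROR_MAX_LINE_LENGTH` is assumed to be 256 (the report's 0x100) and the three-line sample is constructed to mirror the report's test case.

```c
#include <string.h>

#define SYNTAX_ERROR_MAX_LINE_LENGTH 256

/* Hypothetical helper, not JerryScript's code: copy line err_line (1-based) of
 * source_p into out (out_size >= 1) without reading past source_size. Returns
 * the number of characters copied, 0 when the line does not exist, which is the
 * report's case: the parser reports the error one line past the end of file. */
size_t copy_error_line(const char *source_p, size_t source_size,
                       unsigned err_line, char *out, size_t out_size)
{
  size_t pos = 0, count = 0;
  unsigned curr_line = 1;
  /* 1. seek: bounded by source_size, as in the loop quoted from line 166. */
  while (pos < source_size && curr_line < err_line) {
    if (source_p[pos++] == '\n') {
      curr_line++;
    }
  }
  /* The original code starts printing here even when the seek hit the end. */
  if (curr_line < err_line || pos >= source_size) {
    out[0] = '\0';
    return 0;
  }
  /* 2. copy: the quoted do/while stops only on '\n' or after 256 characters;
   * `pos < source_size` is the bound it lacks. */
  while (pos < source_size && count < SYNTAX_ERROR_MAX_LINE_LENGTH &&
         count + 1 < out_size && source_p[pos] != '\n') {
    out[count++] = source_p[pos++];
  }
  out[count] = '\0';
  return count;
}

/* Constructed 3-line sample modelled on the report's test case (22 bytes). */
static const char SAMPLE_SOURCE[] = "//debugger.js\ntry {\n}\n";
static char sample_line[SYNTAX_ERROR_MAX_LINE_LENGTH + 1];

size_t sample_line_len(unsigned err_line)
{
  return copy_error_line(SAMPLE_SOURCE, sizeof(SAMPLE_SOURCE) - 1, err_line,
                         sample_line, sizeof(sample_line));
}

const char *sample_line_text(unsigned err_line)
{
  sample_line_len(err_line);
  return sample_line;
}
```

Asking for line 4 of the three-line sample returns 0 and an empty string instead of walking off the end of the allocation, which is exactly the access ASan flags in the report.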