
Heap-overflow on an ill-formed JS program #4754

Closed
ZhangZhuoSJTU opened this issue Aug 28, 2021 · 1 comment · Fixed by #4808
Assignees
Labels
bug Undesired behaviour parser Related to the JavaScript parser

Comments

@ZhangZhuoSJTU

JerryScript revision
$ jerry --version
Version: 3.0.0 (5a69b183)
Build platform
$ echo "$(lsb_release -ds) ($(uname -mrs))"
Ubuntu 20.04.1 LTS (Linux 4.15.0-142-generic x86_64)
Build steps
$ python tools/build.py
Test case

There are two test cases, where jerry_poc_crash.js can trigger a direct crash of the clean-built jerry and jerry_poc_asan.js can trigger a heap-overflow of the ASAN-enabled-built jerry.

This bug was found by a naive fuzzer, and I used afl-tmin to reduce the test cases. I sincerely apologize for making them such a struggle.

  • jerry_poc_crash.js
R=function(){({0:0})
function x(){for(v in 0){function o(){}function x(){for(;;)for(function(){class A extends function(){for(let;;){((function(){}))}0=function(){}
class e
  • jerry_poc_asan.js
R = function() {
    function x(){
        function y(){
            for(;;)
                for(function(){
                    class A extends function() {
                        for(let;;) {
                            ((function(){}))
                        }

Execution steps
$ ~/release/jerryscript/build/bin/jerry jerry_poc_crash.js
Segmentation fault (core dumped)
$ ~/asan/jerryscript/build/bin/jerry jerry_poc_asan.js
==38036==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000005692 at pc 0x55555566952c bp 0x7fffffff9020 sp 0x7fffffff9010
READ of size 1 at 0x612000005692 thread T0
    #0 0x55555566952b  (/home/docker/asan/jerryscript/build/bin/jerry+0x11552b)
    #1 0x55555566a84e  (/home/docker/asan/jerryscript/build/bin/jerry+0x11684e)
    #2 0x555555589aa2  (/home/docker/asan/jerryscript/build/bin/jerry+0x35aa2)
    #3 0x55555579d5c9  (/home/docker/asan/jerryscript/build/bin/jerry+0x2495c9)
    #4 0x5555555dead1  (/home/docker/asan/jerryscript/build/bin/jerry+0x8aad1)
    #5 0x555555633868  (/home/docker/asan/jerryscript/build/bin/jerry+0xdf868)
    #6 0x5555555c6462  (/home/docker/asan/jerryscript/build/bin/jerry+0x72462)
    #7 0x5555557c2c8e  (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #8 0x5555555f4ea1  (/home/docker/asan/jerryscript/build/bin/jerry+0xa0ea1)
    #9 0x5555555f6d8e  (/home/docker/asan/jerryscript/build/bin/jerry+0xa2d8e)
    #10 0x5555556188ae  (/home/docker/asan/jerryscript/build/bin/jerry+0xc48ae)
    #11 0x55555562451a  (/home/docker/asan/jerryscript/build/bin/jerry+0xd051a)
    #12 0x55555563e211  (/home/docker/asan/jerryscript/build/bin/jerry+0xea211)
    #13 0x5555555c1f67  (/home/docker/asan/jerryscript/build/bin/jerry+0x6df67)
    #14 0x5555557c2c8e  (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #15 0x5555555f4ea1  (/home/docker/asan/jerryscript/build/bin/jerry+0xa0ea1)
    #16 0x5555555f6d8e  (/home/docker/asan/jerryscript/build/bin/jerry+0xa2d8e)
    #17 0x5555556188ae  (/home/docker/asan/jerryscript/build/bin/jerry+0xc48ae)
    #18 0x55555562451a  (/home/docker/asan/jerryscript/build/bin/jerry+0xd051a)
    #19 0x555555625454  (/home/docker/asan/jerryscript/build/bin/jerry+0xd1454)
    #20 0x555555634129  (/home/docker/asan/jerryscript/build/bin/jerry+0xe0129)
    #21 0x5555555c6462  (/home/docker/asan/jerryscript/build/bin/jerry+0x72462)
    #22 0x5555557c2c8e  (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #23 0x55555560b8c8  (/home/docker/asan/jerryscript/build/bin/jerry+0xb78c8)
    #24 0x5555555c61c2  (/home/docker/asan/jerryscript/build/bin/jerry+0x721c2)
    #25 0x5555557c2c8e  (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #26 0x55555560b8c8  (/home/docker/asan/jerryscript/build/bin/jerry+0xb78c8)
    #27 0x5555555c61c2  (/home/docker/asan/jerryscript/build/bin/jerry+0x721c2)
    #28 0x5555557c2c8e  (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #29 0x5555555f4ea1  (/home/docker/asan/jerryscript/build/bin/jerry+0xa0ea1)
    #30 0x5555555f6d8e  (/home/docker/asan/jerryscript/build/bin/jerry+0xa2d8e)
    #31 0x5555556188ae  (/home/docker/asan/jerryscript/build/bin/jerry+0xc48ae)
    #32 0x55555562451a  (/home/docker/asan/jerryscript/build/bin/jerry+0xd051a)
    #33 0x5555555ca181  (/home/docker/asan/jerryscript/build/bin/jerry+0x76181)
    #34 0x5555557c982d  (/home/docker/asan/jerryscript/build/bin/jerry+0x27582d)
    #35 0x55555592b342  (/home/docker/asan/jerryscript/build/bin/jerry+0x3d7342)
    #36 0x5555555718c9  (/home/docker/asan/jerryscript/build/bin/jerry+0x1d8c9)
    #37 0x7ffff73ba0b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #38 0x555555580add  (/home/docker/asan/jerryscript/build/bin/jerry+0x2cadd)

Address 0x612000005692 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/docker/asan/jerryscript/build/bin/jerry+0x11552b)
Shadow bytes around the buggy address:
  0x0c247fff8a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c247fff8ad0: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==38036==ABORTING
Aborted
Output

See above.

Backtrace

See above.

Expected behavior

Not to crash

@ZhangZhuoSJTU (Author)

After using c-reduce to reduce the test cases, the new ones look more intuitive.

  • jerry_poc_crash.js
class a extends function
() {
    for (let ;;) 0 = function() {} class b
  • jerry_poc_asan.js
class a { b() { for (let
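Both reduced inputs stop mid-construct, and the ASAN report is a 1-byte READ just past a heap allocation, which is the signature of a scanner looking ahead beyond the end of its source buffer. The following is an added example, not JerryScript's code and not a statement of this issue's actual root cause (that is in the fix, #4808): a hypothetical lexer cursor with an unbounded and a bounded one-byte lookahead, and a `let`-keyword check that runs over a heap buffer sized exactly to the input, so that an unbounded read past the end would be a real overflow for an ASAN build to catch. The `lexer_t` structure, the `peek_*` helpers and `let_keyword_at` are all assumptions introduced for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical lexer cursor; not JerryScript's real structures. */
typedef struct {
  const char *source_p;  /* next byte to be consumed */
  const char *end_p;     /* one past the last byte of the source buffer */
} lexer_t;

/* Unsafe lookahead: trusts the caller that source_p[offset] exists. On a
 * heap buffer holding text that stops mid-construct ("for (let") the fourth
 * byte of the keyword check lands in the allocator's redzone: a 1-byte
 * heap-buffer-overflow READ, the shape of the ASAN report in this issue.
 * Kept only for contrast; nothing below calls it. */
char peek_unchecked(const lexer_t *lex, size_t offset) {
  return lex->source_p[offset];
}

/* Safe lookahead: bounded by end_p. Past the end it returns a NUL sentinel so
 * truncated input behaves like end of input instead of reading the redzone. */
static char peek_checked(const lexer_t *lex, size_t offset) {
  size_t remaining = (size_t) (lex->end_p - lex->source_p);
  return offset < remaining ? lex->source_p[offset] : '\0';
}

static bool is_ident_part(char c) {
  return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
         (c >= '0' && c <= '9') || c == '_' || c == '$';
}

/* `let` starts a declaration only if the three bytes "let" are followed by a
 * byte that cannot continue an identifier ("letter" must not match). That
 * fourth byte is the lookahead that has to be bounded. */
static bool is_let_keyword(const lexer_t *lex) {
  return peek_checked(lex, 0) == 'l' && peek_checked(lex, 1) == 'e' &&
         peek_checked(lex, 2) == 't' && !is_ident_part(peek_checked(lex, 3));
}

/* Runs the keyword check at byte `pos` of `text`, copied into a heap buffer of
 * exactly `len` bytes with no terminating NUL, so any read past the end is a
 * genuine overflow that an ASAN build would flag, rather than a silent read
 * of a string literal's terminator. */
bool let_keyword_at(const char *text, size_t len, size_t pos) {
  if (pos > len) return false;
  char *buf = malloc(len ? len : 1);
  if (buf == NULL) return false;
  memcpy(buf, text, len);
  lexer_t lex = { buf + pos, buf + len };
  bool result = is_let_keyword(&lex);
  free(buf);
  return result;
}

int main(void) {
  /* Constructed inputs; the last one mirrors the reduced PoC, which stops
   * right after "let". */
  const char *inputs[] = { "let x = 1", "letter = 1", "for (let" };
  size_t positions[] = { 0, 0, 5 };
  for (size_t i = 0; i < 3; i++) {
    bool hit = let_keyword_at(inputs[i], strlen(inputs[i]), positions[i]);
    printf("%-12s @%zu -> %s\n", inputs[i], positions[i],
           hit ? "let keyword" : "not a let keyword");
  }
  return 0;
}
```

The point of the exact-size `malloc` in `let_keyword_at` is that it is also how a fuzzing harness should hand input to a parser: copying the test case into a buffer with no slack (and no NUL terminator unless the parser's contract requires one) turns a one-byte over-read into a detectable heap-buffer-overflow instead of a benign read of padding.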

@rerobika rerobika self-assigned this Oct 28, 2021
@rerobika rerobika added bug Undesired behaviour parser Related to the JavaScript parser labels Oct 28, 2021
rerobika pushed a commit to rerobika/jerryscript that referenced this issue Oct 28, 2021
This patch fixes jerryscript-project#4754

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik robert.fancsik@h-lab.eu
rerobika pushed a commit to rerobika/jerryscript that referenced this issue Oct 29, 2021
This patch fixes jerryscript-project#4754

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik robert.fancsik@h-lab.eu
rerobika pushed a commit to rerobika/jerryscript that referenced this issue Oct 29, 2021
This patch fixes jerryscript-project#4754

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik robert.fancsik@h-lab.eu
robertsipka pushed a commit that referenced this issue Nov 2, 2021
This patch fixes #4754

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik robert.fancsik@h-lab.eu