There are two test cases, where jerry_poc_crash.js can trigger a direct crash of the clean-built jerry and jerry_poc_asan.js can trigger a heap-overflow of the ASAN-enabled-built jerry.
This bug was found by a naive fuzzer, and I used afl-tmin to reduce the test cases. I sincerely apologize for making them struggle.
$ ~/asan/jerryscript/build/bin/jerry jerry_poc_asan.js
==38036==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000005692 at pc 0x55555566952c bp 0x7fffffff9020 sp 0x7fffffff9010
READ of size 1 at 0x612000005692 thread T0
#0 0x55555566952b (/home/docker/asan/jerryscript/build/bin/jerry+0x11552b)
#1 0x55555566a84e (/home/docker/asan/jerryscript/build/bin/jerry+0x11684e)
#2 0x555555589aa2 (/home/docker/asan/jerryscript/build/bin/jerry+0x35aa2)
#3 0x55555579d5c9 (/home/docker/asan/jerryscript/build/bin/jerry+0x2495c9)
#4 0x5555555dead1 (/home/docker/asan/jerryscript/build/bin/jerry+0x8aad1)
#5 0x555555633868 (/home/docker/asan/jerryscript/build/bin/jerry+0xdf868)
#6 0x5555555c6462 (/home/docker/asan/jerryscript/build/bin/jerry+0x72462)
#7 0x5555557c2c8e (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
#8 0x5555555f4ea1 (/home/docker/asan/jerryscript/build/bin/jerry+0xa0ea1)
#9 0x5555555f6d8e (/home/docker/asan/jerryscript/build/bin/jerry+0xa2d8e)
#10 0x5555556188ae (/home/docker/asan/jerryscript/build/bin/jerry+0xc48ae)
#11 0x55555562451a (/home/docker/asan/jerryscript/build/bin/jerry+0xd051a)
#12 0x55555563e211 (/home/docker/asan/jerryscript/build/bin/jerry+0xea211)
#13 0x5555555c1f67 (/home/docker/asan/jerryscript/build/bin/jerry+0x6df67)
#14 0x5555557c2c8e (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
#15 0x5555555f4ea1 (/home/docker/asan/jerryscript/build/bin/jerry+0xa0ea1)
#16 0x5555555f6d8e (/home/docker/asan/jerryscript/build/bin/jerry+0xa2d8e)
#17 0x5555556188ae (/home/docker/asan/jerryscript/build/bin/jerry+0xc48ae)
#18 0x55555562451a (/home/docker/asan/jerryscript/build/bin/jerry+0xd051a)
#19 0x555555625454 (/home/docker/asan/jerryscript/build/bin/jerry+0xd1454)
#20 0x555555634129 (/home/docker/asan/jerryscript/build/bin/jerry+0xe0129)
#21 0x5555555c6462 (/home/docker/asan/jerryscript/build/bin/jerry+0x72462)
#22 0x5555557c2c8e (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
#23 0x55555560b8c8 (/home/docker/asan/jerryscript/build/bin/jerry+0xb78c8)
#24 0x5555555c61c2 (/home/docker/asan/jerryscript/build/bin/jerry+0x721c2)
#25 0x5555557c2c8e (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
#26 0x55555560b8c8 (/home/docker/asan/jerryscript/build/bin/jerry+0xb78c8)
#27 0x5555555c61c2 (/home/docker/asan/jerryscript/build/bin/jerry+0x721c2)
#28 0x5555557c2c8e (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
#29 0x5555555f4ea1 (/home/docker/asan/jerryscript/build/bin/jerry+0xa0ea1)
#30 0x5555555f6d8e (/home/docker/asan/jerryscript/build/bin/jerry+0xa2d8e)
#31 0x5555556188ae (/home/docker/asan/jerryscript/build/bin/jerry+0xc48ae)
#32 0x55555562451a (/home/docker/asan/jerryscript/build/bin/jerry+0xd051a)
#33 0x5555555ca181 (/home/docker/asan/jerryscript/build/bin/jerry+0x76181)
#34 0x5555557c982d (/home/docker/asan/jerryscript/build/bin/jerry+0x27582d)
#35 0x55555592b342 (/home/docker/asan/jerryscript/build/bin/jerry+0x3d7342)
#36 0x5555555718c9 (/home/docker/asan/jerryscript/build/bin/jerry+0x1d8c9)
#37 0x7ffff73ba0b2 (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#38 0x555555580add (/home/docker/asan/jerryscript/build/bin/jerry+0x2cadd)
Address 0x612000005692 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/docker/asan/jerryscript/build/bin/jerry+0x11552b)
Shadow bytes around the buggy address:
0x0c247fff8a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c247fff8ad0: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==38036==ABORTING
Aborted
Output
See above.
Backtrace
See above.
Expected behavior
Not to crash
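The report shows two outcomes for the reduced PoCs: a plain segfault on the clean build and an ASAN heap-buffer-overflow report (followed by an abort) on the ASAN build. The helper below is an added triage script, not part of the report or of JerryScript; it classifies a run by looking for the ASAN report header before falling back to the exit status, and assumes the binaries and PoC files sit at the paths quoted in the report.

```shell
#!/bin/sh
# Added triage helper (not from the bug report). Assumed paths are the ones the
# report uses: ~/release/... for the clean build, ~/asan/... for the ASAN build.

# classify_crash STATUS STDERR_FILE
# Prints how a run ended. An ASAN report takes precedence over the exit status,
# because an ASAN build aborts (SIGABRT, status 134) after printing its report
# and would otherwise be indistinguishable from an ordinary signal death.
classify_crash() {
  status=$1
  errfile=$2
  kind=$(sed -n 's/^==[0-9]*==ERROR: AddressSanitizer: \([a-z-]*\).*/\1/p' "$errfile" | head -n 1)
  if [ -n "$kind" ]; then
    printf 'asan:%s\n' "$kind"          # e.g. asan:heap-buffer-overflow
  elif [ "$status" -gt 128 ]; then
    printf 'signal:%s\n' $((status - 128))   # 139 -> signal:11 (SIGSEGV)
  elif [ "$status" -eq 0 ]; then
    printf 'ok\n'
  else
    printf 'exit:%s\n' "$status"
  fi
}

# run_poc BINARY POC_FILE
# Runs one test case with stderr captured and classifies the outcome. The
# if/else keeps a crashing child from tripping `set -e` in the caller.
run_poc() {
  out=$(mktemp)
  if "$1" "$2" >/dev/null 2>"$out"; then status=0; else status=$?; fi
  classify_crash "$status" "$out"
  rm -f "$out"
}

# Usage with the report's two cases (expected results per the report):
#   run_poc ~/release/jerryscript/build/bin/jerry jerry_poc_crash.js   # signal:11
#   run_poc ~/asan/jerryscript/build/bin/jerry jerry_poc_asan.js       # asan:heap-buffer-overflow
```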
JerryScript revision
Build platform
Build steps
Test case
Execution steps
$ ~/release/jerryscript/build/bin/jerry jerry_poc_crash.js
Segmentation fault (core dumped)