
Buffer-overflow in ecma-builtin-typedarray-prototype.c #4793

Closed
Symatrix6 opened this issue Oct 13, 2021 · 0 comments · Fixed by #4794
bug Undesired behaviour

Comments


JerryScript revision

d4231e7

Build platform

Ubuntu 20.04.3 LTS (Linux 5.11.0-34-generic x86_64)

Build steps
./tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g \
--clean --debug --strip=off --logging=on --error-messages=on \
--compile-flag=-fsanitize=address --stack-limit=20
Test case
function test(constructor, constructor2, from = [1, 2, 3, 4, 5]) {
  var modifiedConstructor = new constructor(from);
  modifiedConstructor.constructor = constructor2;
  modifiedConstructor.filter(x => x % 2 == 0);
}
test(Float64Array, Float32Array);
Output

ICE: Assertion 'object_p->type_flags_refs >= ECMA_OBJECT_REF_ONE' failed at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-gc.c(ecma_deref_object):158.
Error: ERR_FAILED_INTERNAL_ASSERTION
Aborted (core dumped)

Backtrace

#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007f2898e32859 in __GI_abort () at abort.c:79
#2 0x0000558795034682 in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /home/sy/Documents/jerry/jerryscript/jerry-port/default/default-fatal.c:30
#3 0x0000558794fccb4a in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /home/sy/Documents/jerry/jerryscript/jerry-core/jrt/jrt-fatals.c:63
#4 0x0000558794fccba0 in jerry_assert_fail (assertion=0x558795036db0 "object_p->type_flags_refs >= ECMA_OBJECT_REF_ONE", file=0x558795036d68 "/home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-gc.c", function=0x558795052a90 <func.7709> "ecma_deref_object", line=158) at /home/sy/Documents/jerry/jerryscript/jerry-core/jrt/jrt-fatals.c:87
#5 0x0000558794f80b25 in ecma_deref_object (object_p=0x55879507b990 <jerry_global_heap+1872>) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-gc.c:158
#6 0x0000558794f92037 in ecma_free_value (value=1875) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:1145
#7 0x0000558794f92167 in ecma_fast_free_value (value=1875) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:1184
#8 0x0000558794fea587 in opfunc_call (frame_ctx_p=0x7ffcb43d6230) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:834
#9 0x0000558794ff5e4b in vm_execute (frame_ctx_p=0x7ffcb43d6230) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5271
#10 0x0000558794ff60ea in vm_run (shared_p=0x7ffcb43d63a0, this_binding_value=11, lex_env_p=0x55879507b330 <jerry_global_heap+240>) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5372
#11 0x0000558794fb1369 in ecma_op_function_call_simple (func_obj_p=0x55879507b530 <jerry_global_heap+752>, this_arg_value=72, arguments_list_p=0x7ffcb43d651c, arguments_list_len=2) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1145
#12 0x0000558794fb1a19 in ecma_op_function_call (func_obj_p=0x55879507b530 <jerry_global_heap+752>, this_arg_value=72, arguments_list_p=0x7ffcb43d651c, arguments_list_len=2) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1395
#13 0x0000558794fea4a9 in opfunc_call (frame_ctx_p=0x7ffcb43d64d0) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:799
#14 0x0000558794ff5e4b in vm_execute (frame_ctx_p=0x7ffcb43d64d0) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5271
#15 0x0000558794ff60ea in vm_run (shared_p=0x7ffcb43d65e0, this_binding_value=11, lex_env_p=0x55879507b330 <jerry_global_heap+240>) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5372
#16 0x0000558794fe99c1 in vm_run_global (bytecode_p=0x55879507b6a8 <jerry_global_heap+1128>, function_object_p=0x55879507b520 <jerry_global_heap+736>) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:306
#17 0x0000558794f77256 in jerry_run (func_val=739) at /home/sy/Documents/jerry/jerryscript/jerry-core/api/jerry.c:588
#18 0x0000558794f73d63 in main (argc=2, argv=0x7ffcb43d69c8) at /home/sy/Documents/jerry/jerryscript/jerry-main/main-jerry.c:173
#19 0x00007f2898e340b3 in __libc_start_main (main=0x558794f73889, argc=2, argv=0x7ffcb43d69c8, init=, fini=, rtld_fini=, stack_end=0x7ffcb43d69b8) at ../csu/libc-start.c:308
#20 0x0000558794f737ce in _start ()

Expected behavior

memcopy() in ecma-builtin-typedarray-prototype.c:467 should check the type of the array given back by filter. We have already made this crash into an arbitrary read/write; if you need that PoC, please contact us.

@galpeter galpeter self-assigned this Oct 15, 2021
@galpeter galpeter added the bug Undesired behaviour label Oct 15, 2021
galpeter added a commit to galpeter/jerryscript that referenced this issue Oct 15, 2021
During the execution of the TypedArray filter method it is possible
to have a different sized output TypedArray than the input one.
When copying the data to the output array the values must be
correctly converted to the output TypedArray's value range.

Fixes: jerryscript-project#4793
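To make the report and the fix concrete, here is an added illustration that is not JerryScript code: a filter-copy that converts each kept value to the output element type (what the commit message requires) and a bounds check before every store, next to the byte-count mismatch a raw memcpy would produce when the species constructor yields a narrower array. The element kinds, function names and the sample input (Float64 [1,2,3,4,5], keep even values, Float32 output, as in the test case) are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical element kinds standing in for the engine's typed array ids. */
typedef enum { EL_FLOAT32, EL_FLOAT64 } el_kind_t;
static size_t el_size(el_kind_t k) { return k == EL_FLOAT32 ? 4 : 8; }

/* Read element i of a raw typed buffer as a JS number (double). */
static double el_get(el_kind_t k, const uint8_t *buf, size_t i) {
  if (k == EL_FLOAT32) { float f; memcpy(&f, buf + i * 4, 4); return (double) f; }
  double d; memcpy(&d, buf + i * 8, 8); return d;
}
/* Store a JS number into element i, narrowing to the destination width. */
static void el_set(el_kind_t k, uint8_t *buf, size_t i, double v) {
  if (k == EL_FLOAT32) { float f = (float) v; memcpy(buf + i * 4, &f, 4); return; }
  memcpy(buf + i * 8, &v, 8);
}

/* Filter n source elements into dst (capacity dst_cap elements), converting each
   kept value to the destination type instead of memcpy'ing source-width bytes.
   Returns the number of elements written, or (size_t) -1 if dst is too small. */
size_t typedarray_filter_copy(el_kind_t src_k, const uint8_t *src, size_t n,
                              el_kind_t dst_k, uint8_t *dst, size_t dst_cap,
                              bool (*keep)(double)) {
  size_t out = 0;
  for (size_t i = 0; i < n; i++) {
    double v = el_get(src_k, src, i);
    if (!keep(v)) continue;
    if (out >= dst_cap) return (size_t) -1;   /* bounds check before each store */
    el_set(dst_k, dst, out++, v);
  }
  return out;
}

/* Bytes a raw copy of `kept` source elements would write vs. what a destination
   of `kept` elements holds: 16 vs 8 for two Float64 values landing in Float32. */
size_t raw_copy_bytes(el_kind_t src_k, size_t kept) { return kept * el_size(src_k); }
size_t dst_capacity_bytes(el_kind_t dst_k, size_t kept) { return kept * el_size(dst_k); }

static bool is_even(double v) { return v == (double) (long long) v && (long long) v % 2 == 0; }

/* Constructed input mirroring the report's test case. Fills out[] and returns
   the count, or (size_t) -1 when `cap` floats are not enough. */
size_t demo_even_filter_f64_to_f32(float *out, size_t cap) {
  const double src[5] = { 1, 2, 3, 4, 5 };
  uint8_t dst[8 * 4];                        /* scratch: room for up to 8 floats */
  if (cap > 8) cap = 8;
  size_t n = typedarray_filter_copy(EL_FLOAT64, (const uint8_t *) src, 5,
                                    EL_FLOAT32, dst, cap, is_even);
  if (n != (size_t) -1) memcpy(out, dst, n * 4);
  return n;
}
```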
rerobika pushed a commit that referenced this issue Oct 20, 2021