heap-buffer-overflow in parser_parse_function_statement #5076

@EJueon

Description

JerryScript revision

Commit: 05dbbd1
Version: v3.0.0

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps
python ./tools/build.py --clean --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
Test case
testcase

class s extends WeakMap { static { newObj } ; } function func0 ( [ " " ] = 2 , { static { 536870912 } has ( ) ; assert ( a instanceof s ) ) .

// poc.js
class s extends WeakMap { static { } ; } 
function func0 ( static { 536870912 } )
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
=================================================================
==2433547==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf50006ac at pc 0x566ef7ff bp 0xffa35298 sp 0xffa35288
READ of size 2 at 0xf50006ac thread T0
    #0 0x566ef7fe in parser_parse_function_statement /jerryscript/jerry-core/parser/js/js-parser-statm.c:696
    #1 0x566f3001 in parser_parse_statements /jerryscript/jerry-core/parser/js/js-parser-statm.c:2809
    #2 0x56677b25 in parser_parse_source /jerryscript/jerry-core/parser/js/js-parser.c:2280
    #3 0x5660a3cf in jerry_parse_common /jerryscript/jerry-core/api/jerryscript.c:412
    #4 0x5660a631 in jerry_parse /jerryscript/jerry-core/api/jerryscript.c:480
    #5 0x566ff644 in jerryx_source_parse_script /jerryscript/jerry-ext/util/sources.c:52
    #6 0x566ff701 in jerryx_source_exec_script /jerryscript/jerry-ext/util/sources.c:63
    #7 0x56602d04 in main /jerryscript/jerry-main/main-desktop.c:156
    #8 0xf75faed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
    #9 0x56605fb4 in _start (/jerryscript/build/bin/jerry+0x12fb4)

0xf50006ac is located 4 bytes to the left of 8-byte region [0xf50006b0,0xf50006b8)
allocated by thread T0 here:
    #0 0xf79e3817 in __interceptor_malloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x56605ae4 in jmem_heap_alloc /jerryscript/jerry-core/jmem/jmem-heap.c:254
    #2 0x5666ad8d in jmem_heap_gc_and_alloc_block /jerryscript/jerry-core/jmem/jmem-heap.c:291
    #3 0x566eb5ab in parser_malloc /jerryscript/jerry-core/parser/js/js-parser-mem.c:43
    #4 0x5667fc95 in scanner_create_variables /jerryscript/jerry-core/parser/js/js-scanner-util.c:2341
    #5 0x56677ae1 in parser_parse_source /jerryscript/jerry-core/parser/js/js-parser.c:2277
    #6 0x5660a3cf in jerry_parse_common /jerryscript/jerry-core/api/jerryscript.c:412
    #7 0x5660a631 in jerry_parse /jerryscript/jerry-core/api/jerryscript.c:480
    #8 0x566ff644 in jerryx_source_parse_script /jerryscript/jerry-ext/util/sources.c:52
    #9 0x566ff701 in jerryx_source_exec_script /jerryscript/jerry-ext/util/sources.c:63
    #10 0x56602d04 in main /jerryscript/jerry-main/main-desktop.c:156
    #11 0xf75faed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aifuzz/targets/jerryscript_afl_asan2/jerry-core/parser/js/js-parser-statm.c:696 in parser_parse_function_statement
Shadow bytes around the buggy address:
==2433547==ABORTING

With debugging mode (--debug)

Outputs
ICE: Assertion 'context_p->scope_stack_top >= 2' failed at /jerryscript/jerry-core/parser/js/js-parser-statm.c(parser_parse_function_statement):691.
Error: JERRY_FATAL_FAILED_ASSERTION

If I had to guess, this seems to be happening for similar reasons as #5056.

Credits: @EJueon, @Ye0nny of the seclab-yonsei.
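An added illustration (not JerryScript's code, and not part of the report above) of what the two outputs agree on: the debug assertion `scope_stack_top >= 2` and the ASan "READ of size 2 ... 4 bytes to the left of 8-byte region" both describe a read two entries below the top of a scope stack that holds only one entry. It assumes a stack of 4-byte entries made of two `uint16_t` fields; the names `scope_entry_t`, `scope_ctx_t`, `scope_read_offset` and `scope_read_below_top` are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed entry layout: two 16-bit fields, 4 bytes per entry. A 2-entry
 * stack is an 8-byte heap block, matching the region in the ASan report. */
typedef struct { uint16_t map_from; uint16_t map_to; } scope_entry_t;

typedef struct {
  scope_entry_t *stack_p; /* heap block holding the entries */
  uint16_t size;          /* entries allocated */
  uint16_t top;           /* entries in use; the debug build asserts top >= 2 */
} scope_ctx_t;

/* Byte offset, from the start of the block, of the first field of the entry
 * `depth` positions below the top. Negative means the read lands before the
 * block: top == 1 and depth == 2 give -4, i.e. "4 bytes to the left", and the
 * 16-bit field is the "READ of size 2". */
long scope_read_offset(uint16_t top, unsigned depth) {
  return ((long) top - (long) depth) * (long) sizeof(scope_entry_t);
}

/* Checked form of that read: refuses to look below the bottom of the stack
 * instead of relying on an assertion that only exists in debug builds. */
bool scope_read_below_top(const scope_ctx_t *ctx, unsigned depth, uint16_t *out) {
  if (ctx->top < depth) return false; /* would underflow the heap block */
  *out = ctx->stack_p[ctx->top - depth].map_from;
  return true;
}

/* Builds a 2-entry stack with `top` live entries (constructed values 100, 101),
 * performs the checked read, frees the block, and returns the value read or
 * -1 when the read was refused. */
int scope_probe(uint16_t top, unsigned depth) {
  scope_ctx_t ctx;
  ctx.size = 2;
  ctx.stack_p = calloc(ctx.size, sizeof(scope_entry_t));
  ctx.top = top;
  for (uint16_t i = 0; i < top && i < ctx.size; i++)
    ctx.stack_p[i].map_from = (uint16_t) (100 + i);
  uint16_t v = 0;
  bool ok = scope_read_below_top(&ctx, depth, &v);
  free(ctx.stack_p);
  return ok ? (int) v : -1;
}
```

In a release build the unchecked read silently returns whatever sits in the heap redzone, which is why the ASan build is the one that surfaces this class of bug.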
