
SEGV src/njs_function.c:880:5 in njs_function_capture_closure #512

Closed
dramthy opened this issue Jun 1, 2022 · 1 comment


dramthy commented Jun 1, 2022

Environment

Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
Version : 0.7.5
Build   : 
     ./configure --cc=clang --address-sanitizer=YES     
     make

Proof of concept

// Minimizing 3207CD63-F0B9-4B90-BC00-9C8C184ED12E
function placeholder(){}
// Fuzzer-minimized reproducer (see the "Minimizing" tag above). Kept verbatim:
// the crash depends on the exact sequence of function-object creations, so the
// statements below are intentionally not cleaned up or reordered.
//
// Note on the many template-literal locals (v7, v13, v24, ...): they are only
// ever assigned, never passed to eval/Function or otherwise evaluated, so they
// are inert string data as far as this reproducer is concerned.
function main() {
var v0 = {};
var v7 = `
    var v8 = Object(-9007199254740993,-4027512271n);
`;
var v13 = `
    var v14 = (-256n)(-9007199254740993,-4027512271n);
`;
var v24 = `
    Object[-4027512271] **= -4027512271n;
    var v26 = Object(-9007199254740993,...-65536n);
`;
var v30 = `
    var v31 = Object(-9007199254740993,-4027512271n);
`;
var v34 = `
    var v35 = Object(-9007199254740993,-9007199254740993n);
`;
var v39 = `
    var v40 = undefined(-1290018985n,-4027512271n);
`;
var v46 = [-1000000.0,-1000000.0,-1000000.0];
var v54 = `
    var v55 = (-1.7976931348623157e+308)(8980,-4027512271n);
`;
var v56 = `
    (-4027512271n)[-4027512271] **= -4027512271n;
    var v57 = Object(0n,-4027512271n);
`;
// Declared but never called in this reproducer; writes the Map constructor
// at a large numeric index on its argument.
function v63(v64) {
    v64[1866532165] = Map;
}
// Promise executor for v237 below. The Promise constructor runs its executor
// synchronously, so everything in here executes during `new Promise(v65)`.
// It creates several nested closures (v82, v86, v90, v101); the stack dump
// reports the fault in njs_function_capture_closure during function-object
// creation (njs_vmcode_function) — which of these creations triggers it is
// not identified in the report.
function v65(v66,v67) {
    var v74 = new Uint8ClampedArray();
    var v77 = {};
    var v78 = /gL8?/;
    var v79 = {};
    var v80 = [v77,v79,v78];
    // Closure over v80 from the enclosing scope; called once at v106 below.
    function v82(v83) {
        v80[1866532165] = Map;
    }
    async function v86(v87,v88) {
        var v89 = await Map;
    }
    function v90(v91,v92) {
    }
    var v94 = new Promise(v90);
    var v96 = v94["catch"]();
    // Accessor descriptor: getter is the Promise constructor itself, setter is
    // the async function v86. Installed on the "constructor" property of v96.
    var v99 = {"get":Promise,"set":v86};
    var v100 = Object.defineProperty(v96,"constructor",v99);
    // v101 closes over v100; it is invoked immediately (v105) and the resulting
    // promise is never awaited.
    async function v101(v102,v103) {
        var v104 = await v100;
    }
    var v105 = v101();
    var v106 = v82(Map);
    var v107 = String();
    var v118 = `
        var v119 = Object(-9007199254740993,-4027512271n);
    `;
    var v120 = `
        (-4027512271n)[-4027512271] **= -4027512271n;
    `;
    var v126 = `
        var v128 = [-4027512271n,Object,-4027512271n,1,v74,-4027512271n,Object,Uint8ClampedArray,8980,Object];
        var v129 = Object();
        v129[-4027512271] **= -4027512271n;
    `;
    var v136 = `
        var v137 = Object(-9007199254740993,-4027512271n,0,-4027512271n);
    `;
    var v144 = `
        var v145 = Object(-9007199254740993,-4027512271n,15034n);
    `;
    var v148 = `
        var v149 = Object(-4294967296,-4027512271n);
    `;
    var v157 = `
        var v158 = (-4027512271n)(-9007199254740993,-4027512271n);
    `;
    var v168 = `
        Object[-4027512271] **= -4027512271n;
        var v170 = Object(-9007199254740993,-4027512271n);
    `;
    var v172 = `
        var v173 = Object(-9007199254740993,-9007199254740993n);
    `;
    var v177 = `
        var v178 = undefined(-4027512271n,-4027512271n);
    `;
    var v183 = `
        var v184 = "bigint"();
        v184[-4027512271] **= -4027512271n;
        var v185 = Object(-4027512271n,-4027512271n);
    `;
    var v186 = `
        (-4027512271n)[-4027512271] **= -4027512271n;
        var v187 = Object(-9007199254740993,-4027512271n);
    `;
    var v191 = `
        var v192 = ReferenceError(-4027512271n,-4027512271n);
    `;
    // Float64Array called without `new`; the result is only referenced from
    // the inert template string v200 below.
    var v195 = Float64Array();
    var v200 = `
        v195[-4027512271] **= -4027512271n;
        var v201 = Object(-9007199254740993,-4027512271n);
    `;
    var v202 = `
        var v203 = Object(-4027512271n,-4027512271n);
    `;
    var v207 = `
        var v208 = (-1070059123)(-9007199254740993,-4027512271n);
    `;
    var v209 = `
        var v210 = ArrayBuffer(-4027512271n,-9007199254740993n);
    `;
    var v216 = `
        var v217 = undefined(-4027512271n,-4027512271n,Uint8ClampedArray,8980,-4027512271n);
    `;
    var v222 = `
        var v223 = (-4027512271n)();
        var v224 = v223(0n,-4027512271n);
    `;
    var v228 = `
        var v230 = Object();
        v230[-1316174388] >>= -4027512271n;
        var v232 = Object["getPrototypeOf"](v107,-4027512271n);
        var v233 = Object(-4027512271n,-4027512271n);
    `;
    var v234 = `
        (-4027512271n)[-4027512271] **= -4027512271n;
        var v235 = Symbol(-9007199254740993,-4027512271n);
    `;
    // Writes a property on the global Promise constructor itself.
    Promise[-4294967297] = Map;
}
// Constructing the promise runs v65 synchronously (see above).
var v237 = new Promise(v65);
var v245 = Object();
var v246 = `
    var v247 = Object(-9007199254740993,-4027512271n);
`;
var v248 = `
    var v249 = v248();
    v249[-4027512271] **= -4027512271n;
    var v250 = Object(v245,-4027512271n);
`;
var v251 = `
    Object[-4027512271] **= -4027512271n;
    var v253 = (-4027512271n)(-9007199254740993,-4027512271n);
`;
var v257 = `
    var v258 = (-4027512271n)(-9007199254740993,-2147483649n);
`;
var v261 = `
    var v262 = (-4027512271n)(v46,-4027512271n);
`;
var v268 = `
    var v269 = Error(-9007199254740993,3272380054n,Uint8ClampedArray,8980,0n);
`;
var v273 = `
    var v274 = (-4027512271n)(-9007199254740993,-4027512271n);
`;
var v275 = `
    var v277 = Object();
    v277[-4027512271] **= -767560483n;
    var v278 = Object(-4027512271n,-3242169687n);
`;
var v279 = `
    (-4027512271n)[-4027512271] **= -4027512271n;
    var v280 = Object(-9007199254740993,-4027512271n);
`;
var v284 = `
    var v285 = (-9007199254740993)();
    v285[-4027512271] **= -4027512271n;
    var v286 = v285(0n,-4027512271n);
`;
// Plain string operations: slice() with no arguments returns the whole string,
// which is then used as the replacement for every non-whitespace character.
var v289 = "asyncIterator"["slice"]();
var v291 = /(\S)/g;
var v292 = "wXlL2xF04r".replace(v291,v289);
var v297 = `
    undefined[-4027512271] **= -4027512271n;
    var v298 = Object(...-2691822435,2828643507n);
`;
var v300 = [30865,30865,v0];
// Async arrow closing over v300 (and transitively v0); created but never called.
var v301 = async (v302,v303,v304,v305,v306) => {
    var v307 = await v300;
};
}
main();

Stack dump (AddressSanitizer build; the faulting address 0x54 lies in the zero page, i.e. a read through a null pointer at a small field offset)

AddressSanitizer:DEADLYSIGNAL
=================================================================
==8583==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000054 (pc 0x000000575689 bp 0x7ffecad1c930 sp 0x7ffecad1c8b0 T0)
==8583==The signal is caused by a READ memory access.
==8583==Hint: address points to the zero page.
    #0 0x575689 in njs_function_capture_closure /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:880:5
    #1 0x502426 in njs_vmcode_function /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:1122:9
    #2 0x502426 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:593:23
    #3 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
    #4 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
    #5 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
    #6 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
    #7 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
    #8 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
    #9 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
    #10 0x7f19d5939082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #11 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:880:5 in njs_function_capture_closure
==8583==ABORTING

Credit
dramthy(@topsec alpha)


xeioex commented Jun 2, 2022

Duplicate of #506.
