Null dereference in deps/v8/src/objects/js-segments.cc:33:46

[kobrineli]

Hi! We've been fuzzing nodejs using sydr-fuzz and targets for https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/nodejs made by @stasos24.

Work environment

OS: Ubuntu 20.04
nodejs version: v16.x 7051ba4

Bug description

Null dereference in deps/v8/src/objects/js-segments.cc:33:46.

Steps to reproduce

1. Build docker container from https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/nodejs:

    sudo docker build -t oss-sydr-fuzz-nodejs .
   

2. Run docker container:

    sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-nodejs /bin/bash
   

3. Execute sanitizers built target with input that leads to crash (crash-60e742070198c42e30e6b26ec3d967fbfd088ead.txt
   ):

    /v8_compile_afl < crash-60e742070198c42e30e6b26ec3d967fbfd088ead.txt
   

4. You will see the following ouput:

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==30==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000002df857f bp 0x7ffd3b43b3d0 sp 0x7ffd3b43b280 T0)
    ==30==The signal is caused by a READ memory access.
    ==30==Hint: address points to the zero page.
        #0 0x2df857f in v8::internal::JSSegments::Create(v8::internal::Isolate*, v8::internal::Handle<v8::internal::JSSegmenter>, v8::internal::Handle<v8::internal::String>) /node_afl/out/../deps/v8/src/objects/js-segments.cc:33:46
        #1 0x2d64a2a in v8::internal::Builtin_Impl_SegmenterPrototypeSegment(v8::internal::BuiltinArguments, v8::internal::Isolate*) /node_afl/out/../deps/v8/src/builtins/builtins-intl.cc:1058:3
       #2 0x2d64a2a in v8::internal::Builtin_SegmenterPrototypeSegment(int, unsigned long*, v8::internal::Isolate*) /node_afl/out/../deps/v8/src/builtins/builtins-intl.cc:1048:1
       #3 0x1c04898 in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit out/Release/obj.target/v8_snapshot/geni/embedded.o
   
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /node_afl/out/../deps/v8/src/objects/js-segments.cc:33:46 in v8::internal::JSSegments::Create(v8::internal::Isolate*, v8::internal::Handle<v8::internal::JSSegmenter>, v8::internal::Handle<v8::internal::String>)
    ==30==ABORTING
   

[targos]

Is this reproducible in Node.js 19/main branch ?

[kobrineli]

@targos
Just checked on the main branch. It is reproducible.

[kobrineli]

@targos
Reported this bug to v8
https://bugs.chromium.org/p/chromium/issues/detail?id=1382777