New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

test-api.c has an out-of-bounds write (buffer overflow) #2711

Closed
mlite opened this Issue Jan 18, 2019 · 1 comment

Comments

2 participants
@mlite
Copy link

mlite commented Jan 18, 2019

Reproducing steps:

  1. I use my Stensal SDK (https://stensal.com)
  2. build jerryscript with stensal-c
  3. Run ./build/tests/unit-test-api

This is what I got:

ok 148343051 148341491 0xfff0e4a8 2
ok construct 148343083 148343163 0xfff11bec 1
ok 148343251 148341491 0xfff0e4b4 0
ok object free callback

DTS_MSG: Stensal DTS detected a fatal program error!
DTS_MSG: Continuing the execution will cause unexpected behaviors, abort!
DTS_MSG: OOB Write:writing 1 bytes at 0xfff11570 will corrupt the adjacent data.
DTS_MSG: Diagnostic information:

  • The object to-be-written (start:0xfff1156c, size:4 bytes) is allocated at
  • file:/home/sbuilder/workspace/jerryscript/tests/unit-core/test-api.c::881, 10
    
  • 0xfff1156c 0xfff1156f
  • +------------------------+
  • |the object to-be-written|......
  • +------------------------+
  •                        ^~~~~~~~~~
    
  •    the write starts at 0xfff11570 that is right after the object end.
    
  • Stack trace (most recent call first):
    -[1] file:/home/sbuilder/workspace/jerryscript/tests/unit-core/test-api.c::884, 5
    -[2] file:/home/nwang/acore/musl/src/env/__libc_start_main.c::180, 11
@akosthekiss

This comment has been minimized.

Copy link
Contributor

akosthekiss commented Jan 18, 2019

@mlite Thanks for the report. It has revealed a bug in the unit tests.

The problem is in tests/unit-core/test-api.c around lines 881-884:

char buff[jerry_get_string_length (parsed_data)]; /// BUG: buff should have +1 to its size if terminating zero will be added later manually
jerry_size_t buff_size = (jerry_size_t) jerry_get_string_length (parsed_data); /// SMELL: jerry_get_string_length is called twice in a row
jerry_string_to_char_buffer (parsed_data, (jerry_char_t *) buff, buff_size);
buff[buff_size] = '\0'; /// BUG(manifested): writing past the end of the buffer

akosthekiss added a commit to akosthekiss/jerryscript that referenced this issue Jan 18, 2019

Fix out-of-bounds writes (buffer overflows) in unit tests
Fixes pando-project#2711
Fixes pando-project#2712

JerryScript-DCO-1.0-Signed-off-by: Akos Kiss akiss@inf.u-szeged.hu

robertsipka added a commit that referenced this issue Jan 21, 2019

Fix out-of-bounds writes (buffer overflows) in unit tests (#2714)
Fixes #2711
Fixes #2712

JerryScript-DCO-1.0-Signed-off-by: Akos Kiss akiss@inf.u-szeged.hu
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment