ecma-helpers-string.c@1221 has an out-of-bounds write (buffer overflow) #2712

Closed
mlite opened this Issue Jan 18, 2019 · 1 comment

mlite commented Jan 18, 2019

Reproducing steps:

  1. I use my Stensal SDK (https://stensal.com); it's free for open source projects
  2. Build jerryscript with stensal-c
  3. Run ./build/tests/unit-test-api-strings

The following is what I got. Note: safe_memcpy is a safe version of memcpy that does array bounds checking; you can treat it like memcpy. I think the fix is to make sure the length is passed correctly.

    DTS_MSG: Stensal DTS detected a fatal program error!
    DTS_MSG: Continuing the execution will cause unexpected behaviors, abort!
    DTS_MSG: OOB Write:writing 15 bytes at 0xffac10dc will corrupt the adjacent data.
    DTS_MSG: Diagnostic information:

      The object to-be-written (start:0xffac10dc, size:5 bytes) is allocated at
        file:/home/sbuilder/workspace/jerryscript/tests/unit-core/test-api-strings.c::213, 8

      0xffac10dc                0xffac10e0
      +------------------------+
      |the object to-be-written|......
      +------------------------+
      ^~~~~~~~~~
      the write starts at the object begin.

      Stack trace (most recent call first):
        [1] file:/home/nwang/acore/musl/src/malloc/safe_memcpy.c::18, 2
        [2] file:/home/sbuilder/workspace/jerryscript/jerry-core/ecma/base/ecma-helpers-string.c::1221, 5
        [3] file:/home/sbuilder/workspace/jerryscript/jerry-core/api/jerry.c::1758, 10
        [4] file:/home/sbuilder/workspace/jerryscript/tests/unit-core/test-api-strings.c::241, 8
        [5] file:/home/nwang/acore/musl/src/env/__libc_start_main.c::180, 11

akosthekiss commented Jan 18, 2019

@mlite Thanks for the report. It has revealed a bug in the unit tests. The problem manifests itself in the engine but because of wrong API usage.

The problem is in tests/unit-core/test-api-strings.c, around line 241:

    cesu8_sz = 5;

    char substring[cesu8_sz];

    /// snip

    cesu8_length = jerry_get_string_length (args[0]);
    cesu8_sz = jerry_get_string_size (args[0]); /// BUG: substring is of fixed size, shouldn't rewrite its size
    TEST_ASSERT (cesu8_length == 15);
    TEST_ASSERT (cesu8_length == cesu8_sz);

    sz = jerry_substring_to_char_buffer (args[0], 0, cesu8_length, (jerry_char_t *) substring, cesu8_sz); /// BUG(manifested): shouldn't try to lie about the size of substring when calling jerry_substring_to_char_buffer
    TEST_ASSERT (sz = 15);
    TEST_ASSERT (!strncmp (substring, "an ascii string", sz)); /// BUG(hidden): this will either cause a read overflow because substring is only 5 bytes long, or hit the assert if only the first 5 bytes of substring are filled
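The following is an added illustration of the two points in the comment above; it is not JerryScript code and not part of the original issue. `checked_memcpy` is a stand-in for the bounds-checking `safe_memcpy` that flagged the 15-byte write into a 5-byte object, and `substring_to_buffer` is a hypothetical model of the `jerry_substring_to_char_buffer` contract the comment relies on (the output size argument is the buffer's real capacity, at most that many bytes are written, and the count written is returned). That the real engine truncates rather than errors on a short buffer is an assumption of the model, not something the thread states. The string `"an ascii string"` is the test's own 15-byte input.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for safe_memcpy (assumption: the real one aborts; this one
 * returns -1). dst_cap is the destination's true capacity, so a copy
 * that would spill into adjacent memory is refused, not performed. */
long checked_memcpy (char *dst, size_t dst_cap, const char *src, size_t n)
{
  if (n > dst_cap)
  {
    return -1; /* would write (n - dst_cap) bytes out of bounds */
  }
  memcpy (dst, src, n);
  return (long) n;
}

/* Hypothetical model of jerry_substring_to_char_buffer: copy bytes
 * [start, end) of str into buf, never more than buf_size bytes, and
 * return how many were written. buf_size must be buf's real size. */
size_t substring_to_buffer (const char *str, size_t str_size,
                            size_t start, size_t end,
                            char *buf, size_t buf_size)
{
  if (start >= str_size || end <= start)
  {
    return 0;
  }
  if (end > str_size)
  {
    end = str_size;
  }
  size_t len = end - start;
  if (len > buf_size)
  {
    len = buf_size; /* truncate instead of overflowing the caller's buffer */
  }
  memcpy (buf, str + start, len);
  return len;
}

/* The call shape from the buggy test: a 5-byte stack buffer, but the
 * size passed down is the string's size (15). This is the memcpy that
 * safe_memcpy caught at ecma-helpers-string.c; here it is refused. */
long buggy_call (void)
{
  const char *s = "an ascii string"; /* 15 bytes, as in the test */
  char substring[5];
  size_t claimed_sz = strlen (s);    /* 15: "lying" about substring's size */
  return checked_memcpy (substring, sizeof (substring), s, claimed_sz);
}

/* Corrected call shape: size the buffer for the string, pass its real
 * capacity via sizeof, check the returned length, and compare exactly
 * that many bytes. Returns 1 when the copy round-trips. */
int fixed_call (void)
{
  const char *s = "an ascii string";
  char substring[16];
  size_t sz = substring_to_buffer (s, strlen (s), 0, strlen (s),
                                   substring, sizeof (substring));
  return sz == 15 && memcmp (substring, s, sz) == 0;
}

/* The "hidden" bug from the comment: with a 5-byte buffer only 5 bytes
 * arrive, so a 15-byte strncmp would read past the buffer. Use the
 * returned count as the comparison length instead. out5 must hold 5 bytes. */
size_t truncated_call (char *out5)
{
  const char *s = "an ascii string";
  return substring_to_buffer (s, strlen (s), 0, strlen (s), out5, 5);
}
```

The pattern to carry into tests: a buffer declared with a fixed size is described to the API with `sizeof` of that buffer, never with a variable that is later overwritten, and every comparison after the call is bounded by the length the API actually returned.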

akosthekiss added a commit to akosthekiss/jerryscript that referenced this issue Jan 18, 2019

Fix out-of-bounds writes (buffer overflows) in unit tests
Fixes pando-project#2711
Fixes pando-project#2712

JerryScript-DCO-1.0-Signed-off-by: Akos Kiss akiss@inf.u-szeged.hu

robertsipka added a commit that referenced this issue Jan 21, 2019

Fix out-of-bounds writes (buffer overflows) in unit tests (#2714)
Fixes #2711
Fixes #2712

JerryScript-DCO-1.0-Signed-off-by: Akos Kiss akiss@inf.u-szeged.hu