jerryscript-ext/arg.impl.h@106 has an out-of-bounds read #2713

Closed
mlite opened this Issue Jan 18, 2019 · 1 comment

Comments

2 participants
@mlite

mlite commented Jan 18, 2019

The same reproduction steps as in the previous issues with Stensal SDK (https://stensal.com).
Feel free to reach out to me if you need help to interpret the error message.

    DTS_MSG: Stensal DTS detected a fatal program error!
    DTS_MSG: Continuing the execution will cause unexpected behaviors, abort!
    DTS_MSG: OOB Read:reading 4 bytes at 0xfffe15ac will read undefined values.
    DTS_MSG: Diagnostic information:

      The object to-be-read (start:0xfffe15ac, size:2 bytes) is allocated at
      file:/home/sbuilder/workspace/jerryscript/jerry-ext/include/jerryscript-ext/arg.impl.h::106, 1

      0xfffe15ac 0xfffe15ad
      +------------------------+
      | the object to-be-read |......
      +------------------------+
      ^~~~~~~~~~
      the read starts at the object begin.
      Stack trace (most recent call first):
      -[1] file:/home/sbuilder/workspace/jerryscript/jerry-ext/include/jerryscript-ext/arg.impl.h::106, 1
      -[2] file:/home/sbuilder/workspace/jerryscript/tests/unit-ext/test-ext-arg.c::384, 5
      -[3] file:/home/sbuilder/workspace/jerryscript/jerry-core/ecma/operations/ecma-function-object.c::744, 32
      -[4] file:/home/sbuilder/workspace/jerryscript/jerry-core/vm/vm.c::534, 24
      -[5] file:/home/sbuilder/workspace/jerryscript/jerry-core/vm/vm.c::3467, 9
      -[6] file:/home/sbuilder/workspace/jerryscript/jerry-core/vm/vm.c::3564, 10
      -[7] file:/home/sbuilder/workspace/jerryscript/jerry-core/vm/vm.c::235, 10
      -[8] file:/home/sbuilder/workspace/jerryscript/jerry-core/api/jerry.c::544, 24
      -[9] file:/home/sbuilder/workspace/jerryscript/tests/unit-ext/test-ext-arg.c::830, 23
      -[10] file:/home/nwang/acore/musl/src/env/__libc_start_main.c::180, 11
@akosthekiss

Contributor

akosthekiss commented Jan 18, 2019

@mlite Thanks for the report. This may be an actual OOB read in jerry-ext.

The problem is in jerry-ext/include/jerryscript-ext/arg.impl.h around lines 97-103:

    const jerryx_arg_int_option_t int_option = { .round = (uint8_t) round_flag, .clamp = (uint8_t) clamp_flag }; \
    return (jerryx_arg_t) \
    { \
      .func = func, \
      .dest = (void *) dest, \
      /* BUG: int_option may be of 2 bytes only (arch/os/compiler-dependent) but it is always read as an integer of size that can store a pointer (usually 4 or 8 bytes) */ \
      .extra_info = *(uintptr_t *) &int_option \
    }; \

Note: other initializations of .extra_info may also need a review.
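The pattern above, shown as an added example that is not JerryScript's own code: a two-byte flag struct (`opt_t`, `opt_conv_t` and the function names are assumed here) reinterpreted through a `uintptr_t *` reads `sizeof(uintptr_t)` bytes from a 2-byte object, while the union conversion the fix commit describes stays inside an object that is at least pointer-sized.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed stand-in for jerryx_arg_int_option_t: two one-byte flags. */
typedef struct
{
  uint8_t round;
  uint8_t clamp;
} opt_t;

/* How many bytes past the end of the struct the reported pattern
 * `*(uintptr_t *) &opt` would read; 0 only if a pointer fits in the struct. */
size_t unsafe_cast_overrun_bytes (void)
{
  return sizeof (uintptr_t) > sizeof (opt_t) ? sizeof (uintptr_t) - sizeof (opt_t) : 0;
}

/* Fixed approach: a union whose integer member covers the whole object,
 * so reading `as_uint` never leaves the union's storage. */
typedef union
{
  opt_t opt;
  uintptr_t as_uint;
} opt_conv_t;

uintptr_t opt_to_uintptr (opt_t o)
{
  opt_conv_t c;
  c.as_uint = 0; /* zero the padding so the packed value is deterministic */
  c.opt = o;
  return c.as_uint;
}

opt_t uintptr_to_opt (uintptr_t v)
{
  opt_conv_t c;
  c.as_uint = v;
  return c.opt;
}

/* Returns 1 when the flags survive a pack/unpack round trip through uintptr_t. */
int roundtrip_ok (uint8_t round, uint8_t clamp)
{
  opt_t in = { .round = round, .clamp = clamp };
  opt_t out = uintptr_to_opt (opt_to_uintptr (in));
  return out.round == round && out.clamp == clamp;
}
```

Under a sanitizer or a checker such as the one in the report, the cast form is flagged as an out-of-bounds read of `unsafe_cast_overrun_bytes()` bytes; the union form reads only its own storage.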

akosthekiss added a commit to akosthekiss/jerryscript that referenced this issue Jan 18, 2019

Use union to convert between jerryx_arg_int_option_t and uintptr_t
This fixes potential out-of-bounds reads in jerry-ext when dealing
with integer argument mappings.

Fixes pando-project#2713

JerryScript-DCO-1.0-Signed-off-by: Akos Kiss akiss@inf.u-szeged.hu

robertsipka added a commit that referenced this issue Jan 21, 2019

Use union to convert between jerryx_arg_int_option_t and uintptr_t (#2718)

This fixes potential out-of-bounds reads in jerry-ext when dealing
with integer argument mappings.

Fixes #2713

JerryScript-DCO-1.0-Signed-off-by: Akos Kiss akiss@inf.u-szeged.hu