An SEGV issue detected when compiled with UBSAN #2448
Comments
I cannot locate the exact location of the bug without ASAN; how do I compile duktape with ASAN?

Thanks! I can reproduce the issue with the poc.js 👍

With asserts enabled there's an assert failure:

So this apparently happens when the infinite test() recursion reaches the maximum value stack size, and on that unwind path closing scopes doesn't work as expected. Should be relatively straightforward to figure out.

Non-assert version fails with:

Renaming the

I think I found the root cause: when
The fix might be to grow the value stack before setting up the env record; I'm trying to see if that works in a straightforward manner without other issues.
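The two comments above describe the mechanism (recursion fills the value stack, and the scope-closing unwind path then needs a slot that is not there) and the proposed direction for a fix (reserve or grow the stack before the environment record is set up). The following C program is an added toy model of that pattern; it is not Duktape code, and `VS_MAX`, `UNWIND_SPARE`, `value_stack`, `close_scope` and `run_recursion` are all hypothetical names chosen for the illustration, not Duktape internals.

```c
/* Added illustration, not Duktape code: a toy value stack modelling the
 * failure mode described in the thread.  Each call frame pushes one slot;
 * closing a scope during unwind pushes one temporary.  If the recursion is
 * allowed to fill the stack exactly, the unwind path is the first place that
 * needs a slot that does not exist.  Reserving the unwind path's slots before
 * the frame is set up keeps the unwind path infallible. */
#include <stdio.h>
#include <string.h>

#define VS_MAX 8          /* hypothetical cap; stands in for the max value stack size */
#define UNWIND_SPARE 1    /* slots the close path pushes while unwinding */

typedef struct {
    int slots[VS_MAX];
    int top;              /* number of live slots */
} value_stack;

static void vs_init(value_stack *vs) { memset(vs, 0, sizeof *vs); }

/* Bounds-checked push: 0 on success, -1 when the stack is full.  This check
 * is what separates a refused push from an out-of-bounds access. */
static int vs_push(value_stack *vs, int v) {
    if (vs->top >= VS_MAX) return -1;
    vs->slots[vs->top++] = v;
    return 0;
}

/* Can n more slots be pushed without hitting the cap?  0 = yes, -1 = no. */
static int vs_reserve(const value_stack *vs, int n) {
    return (vs->top + n <= VS_MAX) ? 0 : -1;
}

/* Unwind path: closing a scope pushes one temporary, then pops it.
 * Returns -1 if the push would have overrun the stack. */
static int close_scope(value_stack *vs) {
    if (vs_push(vs, 0) != 0) return -1;
    vs->top--;
    return 0;
}

/* Enter up to `depth` nested frames until the stack refuses, then unwind them
 * all.  reserve_first selects the fixed behaviour.  Returns the number of
 * unwind steps whose push would have overrun the stack (0 = unwind was safe). */
static int run_recursion(int depth, int reserve_first) {
    value_stack vs;
    int i, overruns = 0;
    vs_init(&vs);

    for (i = 0; i < depth; i++) {
        if (reserve_first) {
            /* Fixed variant: ensure the frame AND its unwind temporaries fit
             * before the frame is set up. */
            if (vs_reserve(&vs, 1 + UNWIND_SPARE) != 0) break;
        }
        /* Push the frame's slot.  In the buggy variant nothing has ensured
         * there is still room for what close_scope() will push later. */
        if (vs_push(&vs, i) != 0) break;
    }

    /* Unwind every frame that was entered. */
    while (vs.top > 0) {
        if (close_scope(&vs) != 0) overruns++;
        vs.top--;  /* pop the frame's own slot */
    }
    return overruns;
}

static int run_buggy(int depth) { return run_recursion(depth, 0); }
static int run_fixed(int depth) { return run_recursion(depth, 1); }

int main(void) {
    printf("buggy: %d unwind overrun(s)\n", run_buggy(100));
    printf("fixed: %d unwind overrun(s)\n", run_fixed(100));
    return 0;
}
```

With the cap of 8, the buggy variant admits 8 frames and the first scope close during unwind has nowhere to push; the fixed variant stops at 7 frames because the reservation for the unwind temporaries fails first, so every close fits. In the toy the overrun is only counted; in an engine without the bounds check it is an out-of-bounds access of the kind the sanitizer reports.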
The CVE says that this affects version 2.99.99. Given that there is no such version tagged, is it reasonable to assume that this affects all released versions?

@ddillard It affects 2.x at least so there will be a fix in v2-maintenance.

hello!
Duktape revision
Commit: 1a1b17ef
Version: 2.99.99
Build environment
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
make && make clean
make build/duk-sanitize-clang
Test case
poc.js
Execution & Output
$ ./duktape/build/duk-sanitize-clang poc.js
==6822==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7f704fc22000 (pc 0x0000004368e8 bp 0x7f704fc0d901 sp 0x7fffce632cc0 T6822)
==6822==The signal is caused by a READ memory access.
    #0 0x4368e7 in duk_push_tval /duktape/duk_api_stack.c:4314:29
    #1 0x4f31ff in duk_js_close_environment_record /duktape/duk_js_var.c:724:3
    #2 0x4f2913 in duk__activation_unwind_nofree_norz /duktape/duk_hthread_stacks.c:278:3
    #3 0x4efd8f in duk_hthread_activation_unwind_norz /duktape/duk_hthread_stacks.c:315:2
    #4 0x51f4f7 in duk__handle_longjmp /duktape/duk_js_executor.c:1437:4
    #5 0x514d3f in duk__handle_executor_error /duktape/duk_js_executor.c:2900:11
    #6 0x4efa37 in duk_js_execute_bytecode /duktape/duk_js_executor.c:3007:4
    #7 0x4ea4ab in duk__handle_call_raw /duktape/duk_js_call.c:2242:3
    #8 0x524b59 in wrapped_compile_execute /duktape/examples/cmdline/duk_cmdline.c:304:2
    #9 0x520d77 in duk__handle_safe_call_inner /duktape/duk_js_call.c:2467:7
    #10 0x42d5b6 in duk_handle_safe_call /duktape/duk_js_call.c:2713:3
    #11 0x523ff4 in handle_fh /duktape/examples/cmdline/duk_cmdline.c:637:7
    #12 0x523e4a in handle_file /duktape/examples/cmdline/duk_cmdline.c:696:11
    #13 0x52370c in main /duktape/examples/cmdline/duk_cmdline.c:1653:7
    #14 0x7f704ff84bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #15 0x404219 in _start (/duktape/build/duk-sanitize-clang+0x404219)
UndefinedBehaviorSanitizer can not provide additional info.
==6822==ABORTING
Execution without ASAN