
Heap-Buffer-Overflow in lexer_convert_ident_to_cesu8 /jerryscript/jerry-core/parser/js/js-lexer.c:2083:9 #5134

Open
Qbtly opened this issue Mar 26, 2024 · 1 comment · May be fixed by #5146
Labels
bug Undesired behaviour fuzzing Related to fuzz testing of the engine lexer Related to the tokenizer

Comments

Qbtly commented Mar 26, 2024

JerryScript revision

cefd391

Build platform

Ubuntu 22.04.3

Build steps

python ./tools/build.py --builddir=xxx --clean --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --stack-limit=20

Test case

import{a as "\{{91406,456}"

Execution steps

./xxx/bin/jerry poc.js

Output

Release:
=================================================================
==2144424==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000005c at pc 0x559a32bf48a3 bp 0x7ffedf4f4450 sp 0x7ffedf4f4448
READ of size 1 at 0x60300000005c thread T0
    #0 0x559a32bf48a2 in lexer_convert_ident_to_cesu8 /jerryscript/jerry-core/parser/js/js-lexer.c:2083:9
    #1 0x559a32bf4e08 in lexer_convert_literal_to_chars /jerryscript/jerry-core/parser/js/js-lexer.c:2133:5
    #2 0x559a32bf5d19 in lexer_construct_literal_object /jerryscript/jerry-core/parser/js/js-lexer.c:2367:5
    #3 0x559a32b707db in scanner_check_variables /jerryscript/jerry-core/parser/js/js-scanner-util.c:2279:5
    #4 0x559a32b67485 in parser_parse_source /jerryscript/jerry-core/parser/js/js-parser.c:2274:9
    #5 0x559a32b65924 in parser_parse_script /jerryscript/jerry-core/parser/js/js-parser.c:3332:38
    #6 0x559a32ac2f38 in jerry_parse_common /jerryscript/jerry-core/api/jerryscript.c:418:21
    #7 0x559a32ac2d34 in jerry_parse /jerryscript/jerry-core/api/jerryscript.c:486:10
    #8 0x559a32c2876f in jerryx_source_parse_script /jerryscript/jerry-ext/util/sources.c:52:26
    #9 0x559a32c2892f in jerryx_source_exec_script /jerryscript/jerry-ext/util/sources.c:63:26
    #10 0x559a32abe5b2 in main /jerryscript/jerry-main/main-desktop.c:156:20
    #11 0x7f10bf46dd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7f10bf46de3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x559a329fe424 in _start (/jerryscript/0323re/bin/jerry+0x41424) (BuildId: efa40b4121fb9ed9276f89fc661eef85c730ab65)

0x60300000005c is located 0 bytes to the right of 28-byte region [0x603000000040,0x60300000005c)
allocated by thread T0 here:
    #0 0x559a32a83e4e in __interceptor_malloc (/jerryscript/0323re/bin/jerry+0xc6e4e) (BuildId: efa40b4121fb9ed9276f89fc661eef85c730ab65)
    #1 0x559a32c297f6 in jerry_port_source_read /jerryscript/jerry-port/common/jerry-port-fs.c:72:45
    #2 0x559a32c2866d in jerryx_source_parse_script /jerryscript/jerry-ext/util/sources.c:33:28
    #3 0x559a32c2892f in jerryx_source_exec_script /jerryscript/jerry-ext/util/sources.c:63:26

SUMMARY: AddressSanitizer: heap-buffer-overflow /jerryscript/jerry-core/parser/js/js-lexer.c:2083:9 in lexer_convert_ident_to_cesu8
Shadow bytes around the buggy address:
  0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 00[04]fa fa fa fa
  0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2144424==ABORTING
Debug:
ICE: Assertion '(byte >= LIT_CHAR_LOWERCASE_A && byte <= LIT_CHAR_LOWERCASE_F) || (byte >= LIT_CHAR_UPPERCASE_A && byte <= LIT_CHAR_UPPERCASE_F)' failed at /jerryscript/jerry-core/parser/js/js-lexer.c(lexer_unchecked_hex_to_character):178.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted
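The ASan report above shows a one-byte read just past the end of the 28-byte source buffer while the lexer converts the escape inside the test case's string literal. As an added example (not JerryScript's code; hex_val, decode_unicode_escape, decode_cstr and poc_escape_is_rejected are hypothetical names), this decoder verifies the `\u` prefix itself and checks the buffer end before every read, then runs against the issue's exact input:

```c
#include <stdint.h>
#include <string.h>

static int hex_val(unsigned char c) /* hypothetical helper, not JerryScript's */
{
  return (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10
       : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}
/* Decodes one "\uXXXX" or "\u{X...}" escape at p. Every byte is checked
 * against `end` before it is read, and the "\u" prefix is verified here rather
 * than assumed valid. Returns the code point, or -1 if malformed/truncated. */
int32_t decode_unicode_escape(const unsigned char *p, const unsigned char *end,
                              size_t *consumed)
{
  const unsigned char *start = p;
  uint32_t cp = 0;
  if (end - p < 2 || *p++ != '\\' || *p++ != 'u') return -1;
  if (p < end && *p == '{') {          /* braced form: 1..6 hex digits */
    int digits = 0;
    for (p++; p < end && *p != '}'; p++) {
      int v = hex_val(*p);
      if (v < 0 || ++digits > 6) return -1;
      cp = (cp << 4) | (uint32_t) v;
    }
    if (p >= end || digits == 0 || cp > 0x10FFFF) return -1; /* no '}' */
    p++;
  } else {                             /* fixed form: exactly 4 hex digits */
    for (int i = 0; i < 4; i++, p++) {
      int v = (p < end) ? hex_val(*p) : -1;
      if (v < 0) return -1;
      cp = (cp << 4) | (uint32_t) v;
    }
  }
  *consumed = (size_t) (p - start);
  return (int32_t) cp;
}
int32_t decode_cstr(const char *s, size_t *consumed) /* NUL-terminated input */
{
  const unsigned char *p = (const unsigned char *) s;
  return decode_unicode_escape(p, p + strlen(s), consumed);
}
/* The issue's test case as a 28-byte buffer (constructed here, same size as the
 * ASan region): the escape after the quote is rejected instead of decoded. */
int poc_escape_is_rejected(void)
{
  static const unsigned char poc[] = "import{a as \"\\{{91406,456}\"\n";
  const unsigned char *end = poc + sizeof(poc) - 1;
  const unsigned char *bs = memchr(poc, '\\', (size_t) (end - poc));
  return bs != NULL && decode_unicode_escape(bs, end, &(size_t){0}) == -1;
}
```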
LaszloLango (Contributor) commented

Related to #5092

@LaszloLango LaszloLango added bug Undesired behaviour fuzzing Related to fuzz testing of the engine lexer Related to the tokenizer labels Nov 22, 2024