Heap-buffer-overflow in lexer_construct_literal_object #5189

Open
WS32bit opened this issue Dec 8, 2024 · 0 comments
Labels
bug (Undesired behaviour), fuzzing (Related to fuzz testing of the engine)

Comments


WS32bit commented Dec 8, 2024

JerryScript revision

Commit: c509a06
Version: v3.0.0

Build platform

Ubuntu 24.04.1 LTS (Linux 6.8.0-49-generic x86_64)

Build steps

python3 ./tools/build.py --builddir=build_normal --clean --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --stack-limit=20

Test case

// poc.js
import{a as``,𝖊,d as"\D"

Execution steps

./jerry poc.js

Output
=================================================================
==101978==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x504000000036 at pc 0x7eed850c9eaa bp 0x7ffd367f1020 sp 0x7ffd367f07c8
READ of size 104 at 0x504000000036 thread T0
    #0 0x7eed850c9ea9 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:813
    #1 0x7eed850ca37a in memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:845
    #2 0x7eed850ca37a in memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:840
    #3 0x59f5b5dcc5c0 in lexer_construct_literal_object /jerryscript/jerry-core/parser/js/js-lexer.c:2420
    #4 0x59f5b5d7fc99 in scanner_check_variables /jerryscript/jerry-core/parser/js/js-scanner-util.c:2279
    #5 0x59f5b5d7996f in parser_parse_source /jerryscript/jerry-core/parser/js/js-parser.c:2274
    #6 0x59f5b5d1f42b in jerry_parse_common /jerryscript/jerry-core/api/jerryscript.c:418
    #7 0x59f5b5d1f642 in jerry_parse /jerryscript/jerry-core/api/jerryscript.c:486
    #8 0x59f5b5de8a46 in jerryx_source_parse_script /jerryscript/jerry-ext/util/sources.c:52
    #9 0x59f5b5de8ae2 in jerryx_source_exec_script /jerryscript/jerry-ext/util/sources.c:63
    #10 0x59f5b5d19d90 in main /jerryscript/jerry-main/main-desktop.c:156
    #11 0x7eed84c2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x7eed84c2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #13 0x59f5b5d1c244 in _start (/jerryscript/build_normal/bin/jerry+0x2a244) (BuildId: 3d6b06d6d31662bc580b73f5542d8d3069a1e936)

0x504000000036 is located 0 bytes after 38-byte region [0x504000000010,0x504000000036)
allocated by thread T0 here:
    #0 0x7eed850fd9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x59f5b5de9388 in jerry_port_source_read /jerryscript/jerry-port/common/jerry-port-fs.c:72

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:813 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
Shadow bytes around the buggy address:
  0x503ffffffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x503ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x503ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x503fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x503fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x504000000000: fa fa 00 00 00 00[06]fa fa fa fa fa fa fa fa fa
  0x504000000080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x504000000100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x504000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x504000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x504000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==101978==ABORTING
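The report places the overflow in a memcmp inside lexer_construct_literal_object: a READ of 104 bytes ending 0 bytes past a 38-byte heap region allocated by jerry_port_source_read, so the comparison length exceeded the bytes left in the source buffer. The C example below is added here to illustrate that bug class for defenders reading the report; it is not JerryScript code and makes no claim about this issue's root cause. The types literal_t and source_t, the functions pool_find_unchecked and pool_find_checked, the literal pool and the ASCII sample source are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy literal pool entry: pointer into the source plus a length. */
typedef struct {
  const uint8_t *chars;
  size_t length;
} literal_t;

/* Constructed source view with an explicit end (one past the last valid byte). */
typedef struct {
  const uint8_t *start;
  const uint8_t *end;
} source_t;

/* Raw comparison helper shared by both lookups. */
static bool literal_equals(const literal_t *lit, const uint8_t *pos, size_t length) {
  return lit->length == length && memcmp(lit->chars, pos, length) == 0;
}

/* Vulnerable form: trusts `length` as handed down by the lexer. If that length is
 * larger than the bytes remaining after `pos`, memcmp reads past the end of the
 * source buffer, which is the shape of the ASan report above. Only called with
 * in-range input in this file. */
static int pool_find_unchecked(const literal_t *pool, size_t pool_size,
                               const uint8_t *pos, size_t length) {
  for (size_t i = 0; i < pool_size; i++)
    if (literal_equals(&pool[i], pos, length)) return (int)i;
  return -1;
}

/* Hardened form: verify that [pos, pos + length) lies inside the source before any
 * memcmp. An oversized candidate is rejected (caller reports a parse error). */
static bool candidate_in_bounds(const source_t *src, const uint8_t *pos, size_t length) {
  if (pos < src->start || pos > src->end) return false;
  return length <= (size_t)(src->end - pos);
}

static int pool_find_checked(const literal_t *pool, size_t pool_size, const source_t *src,
                             const uint8_t *pos, size_t length, bool *rejected) {
  *rejected = !candidate_in_bounds(src, pos, length);
  if (*rejected) return -1;
  return pool_find_unchecked(pool, pool_size, pos, length);
}

/* Constructed ASCII sample source (stand-in for the report's test case; not 38 bytes). */
static const uint8_t demo_src[] = "import{a as``,e,d as\"\\D\"";
static const literal_t demo_pool[] = {
  { (const uint8_t *)"import", 6 },
  { (const uint8_t *)"as", 2 },
  { (const uint8_t *)"d", 1 },
};
#define DEMO_POOL_SIZE (sizeof demo_pool / sizeof demo_pool[0])
#define DEMO_AS_OFFSET 9 /* "as" starts at byte 9 of demo_src */

static source_t demo_source(void) {
  source_t s = { demo_src, demo_src + sizeof demo_src - 1 }; /* exclude the NUL */
  return s;
}

/* In-range lookup of "as": both forms agree. Returns the pool index (1). */
int demo_lookup_in_bounds(void) {
  source_t s = demo_source();
  bool rejected = false;
  int checked = pool_find_checked(demo_pool, DEMO_POOL_SIZE, &s, demo_src + DEMO_AS_OFFSET, 2, &rejected);
  int unchecked = pool_find_unchecked(demo_pool, DEMO_POOL_SIZE, demo_src + DEMO_AS_OFFSET, 2);
  return (!rejected && checked == unchecked) ? checked : -2;
}

/* A recorded length of 104 (the READ size in the report) with far fewer bytes left:
 * the checked lookup rejects it without touching memory. Returns 1 when rejected. */
int demo_oversized_length_rejected(void) {
  source_t s = demo_source();
  bool rejected = false;
  int idx = pool_find_checked(demo_pool, DEMO_POOL_SIZE, &s, demo_src + DEMO_AS_OFFSET, 104, &rejected);
  return (rejected && idx == -1) ? 1 : 0;
}

int main(void) {
  printf("in-bounds lookup index: %d\n", demo_lookup_in_bounds());
  printf("oversized length rejected: %d\n", demo_oversized_length_rejected());
  return 0;
}
```

The point for triage is the invariant the checked path enforces: a length stored with a literal is metadata, and a comparison against the source must be bounded by the source's real end, not by that metadata. Building with -fsanitize=address, as the reporter did, is what turns a silent over-read into the abort shown above.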
LaszloLango added the bug (Undesired behaviour) and fuzzing (Related to fuzz testing of the engine) labels on Dec 11, 2024

Projects: None yet
Development: No branches or pull requests
2 participants