
global-buffer-overflow in scanner_literal_is_created #5151

Open
Qbtly opened this issue Aug 5, 2024 · 0 comments
Labels
bug Undesired behaviour fuzzing Related to fuzz testing of the engine parser Related to the JavaScript parser

Comments


Qbtly commented Aug 5, 2024

Commit ID

2dbb6f7

Build platform

Ubuntu 22.04.3

Build steps

python3 ./tools/build.py --builddir=xxx --clean --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --stack-limit=20

Test case

class s extends Uint32Array {  static { } const } 
const n = new s ( ) ; 

Execution steps

./jerry poc.js

Output
=================================================================
==880670==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000012211fc at pc 0x00000067e7fb bp 0x7ffddd05ca10 sp 0x7ffddd05ca08
READ of size 2 at 0x0000012211fc thread T0
    #0 0x67e7fa in scanner_literal_is_created /jerryscript/jerry-core/parser/js/js-scanner-util.c:2922:44
    #1 0x7e82c1 in parser_parse_var_statement /jerryscript/jerry-core/parser/js/js-parser-statm.c:523:15
    #2 0x7da089 in parser_parse_statements /jerryscript/jerry-core/parser/js/js-parser-statm.c:2781:9
    #3 0x663433 in parser_parse_source /jerryscript/jerry-core/parser/js/js-parser.c:2280:5
    #4 0x6611ca in parser_parse_script /jerryscript/jerry-core/parser/js/js-parser.c:3332:38
    #5 0x4ec611 in jerry_parse_common /jerryscript/jerry-core/api/jerryscript.c:418:21
    #6 0x4ec23e in jerry_parse /jerryscript/jerry-core/api/jerryscript.c:486:10
    #7 0x80402d in jerryx_source_parse_script /jerryscript/jerry-ext/util/sources.c:52:26
    #8 0x80432c in jerryx_source_exec_script /jerryscript/jerry-ext/util/sources.c:63:26
    #9 0x4e0160 in main /jerryscript/jerry-main/main-desktop.c:156:20
    #10 0x7f0ac095fd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #11 0x7f0ac095fe3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #12 0x427fd4 in _start (/jerryscript/0805/bin/jerry+0x427fd4)

0x0000012211fc is located 4 bytes to the left of global variable 'jerry_global_heap' defined in '/jerryscript/jerry-core/jcontext/jcontext.c:148:13' (0x1221200) of size 524288
0x0000012211fc is located 1108 bytes to the right of global variable 'jerry_global_context' defined in '/jerryscript/jerry-core/jcontext/jcontext.c:135:17' (0x121fc40) of size 4456
SUMMARY: AddressSanitizer: global-buffer-overflow /jerryscript/jerry-core/parser/js/js-scanner-util.c:2922:44 in scanner_literal_is_created
Shadow bytes around the buggy address:
  0x00008023c1e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x00008023c1f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x00008023c200: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x00008023c210: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x00008023c220: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x00008023c230: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9[f9]
  0x00008023c240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008023c250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008023c260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008023c270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008023c280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==880670==ABORTING
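The build and execution steps above produce one report; a fuzzing campaign produces many, and they need bucketing before anyone files them. The script below is an added triage example, not JerryScript code and not from the reporter: it extracts a deduplication key (error kind, first in-project stack frame, file:line) from an AddressSanitizer report, and can wrap the crashing command directly. The report text embedded in it is a constructed excerpt of the output above; the project path prefix /jerryscript/ and all function names are this example's own assumptions.

```sh
#!/bin/sh
# Added triage helper; not part of JerryScript or of the original report.
# Buckets an AddressSanitizer report by (error kind, top in-project frame,
# file:line) so that fuzzer crashes hitting the same site are deduplicated
# before they are filed. POSIX sh + awk only.

# Constructed excerpt, in the same shape as the report in this issue, used
# as offline sample input.
SAMPLE_REPORT='==880670==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000012211fc at pc 0x00000067e7fb bp 0x7ffddd05ca10 sp 0x7ffddd05ca08
READ of size 2 at 0x0000012211fc thread T0
    #0 0x67e7fa in scanner_literal_is_created /jerryscript/jerry-core/parser/js/js-scanner-util.c:2922:44
    #1 0x7e82c1 in parser_parse_var_statement /jerryscript/jerry-core/parser/js/js-parser-statm.c:523:15
    #10 0x7f0ac095fd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
SUMMARY: AddressSanitizer: global-buffer-overflow /jerryscript/jerry-core/parser/js/js-scanner-util.c:2922:44 in scanner_literal_is_created'

# asan_kind REPORT: the error kind from the ERROR line, e.g. global-buffer-overflow.
asan_kind() {
    printf '%s\n' "$1" | awk '
        /^==[0-9]+==ERROR: AddressSanitizer: / {
            sub(/^==[0-9]+==ERROR: AddressSanitizer: /, "")
            print $1; exit
        }'
}

# asan_access REPORT: "READ 2", "WRITE 4", ... taken from the access line.
asan_access() {
    printf '%s\n' "$1" | awk '/^(READ|WRITE) of size [0-9]+/ { print $1, $4; exit }'
}

# asan_top_frame REPORT PREFIX: "function|file:line" of the first frame whose
# source path starts with PREFIX. Frames outside the project (libc, the
# sanitizer runtime, _start) are skipped so the bucket names the crash site in
# the code under test rather than whatever sits above it on the stack.
asan_top_frame() {
    printf '%s\n' "$1" | awk -v prefix="$2" '
        /^[[:space:]]*#[0-9]+ / && $3 == "in" && index($5, prefix) == 1 {
            loc = $5
            sub(/:[0-9]+$/, "", loc)   # drop the column; file:line is the bucket
            print $4 "|" loc; exit
        }'
}

# asan_bucket REPORT PREFIX: "kind|function|file:line"; returns 1 when the text
# carries no ASan report, so a caller can tell "no crash" from a bucket.
asan_bucket() {
    kind=$(asan_kind "$1")
    frame=$(asan_top_frame "$1" "$2")
    [ -n "$kind" ] && [ -n "$frame" ] || return 1
    printf '%s|%s\n' "$kind" "$frame"
}

# asan_bucket_from_cmd PREFIX CMD...: run CMD, capture stdout+stderr (ASan
# writes to stderr and the process aborts, so a non-zero exit is expected),
# and bucket the result. Intended use, after the ASan build in this issue:
#   asan_bucket_from_cmd /jerryscript/ ./jerry poc.js
asan_bucket_from_cmd() {
    prefix=$1; shift
    out=$("$@" 2>&1) || true
    asan_bucket "$out" "$prefix"
}

# Demonstration on the constructed sample.
asan_bucket "$SAMPLE_REPORT" /jerryscript/
```

Bucketing on file:line rather than on the faulting address or the full stack is deliberate: addresses change between builds and the parser frames above scanner_literal_is_created vary with the input, while the top in-project frame is what a fix will actually touch.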
@LaszloLango LaszloLango added bug Undesired behaviour parser Related to the JavaScript parser fuzzing Related to fuzz testing of the engine labels Nov 22, 2024
Development

No branches or pull requests

2 participants