
Null pointer dereference in jmem-heap #2435

Closed
@dominiakm

Description

  • Jerry Version:
    f86d745

  • Build command:
    python tools/build.py --profile=es2015-subset --jerry-libc=OFF --clean --strip OFF --compile-flag="-g" --compile-flag="-fsanitize=address"

  • OS:
    Ubuntu 16.04

  • Test case:
    (new Int8Array(0)).filter(parseInt)

  • Result:

  =================================================================
  ==7815==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x000000402bc1 bp 0x000000000193 sp 0x7fff3cb1ba80 T0)
      #0 0x402bc0 in jmem_heap_free_block jerry-core/jmem/jmem-heap.c:463
      #1 0x422215  (build/bin/jerry+0x422215)
      #2 0x428231 in ecma_builtin_dispatch_routine jerry-core/ecma/builtin-objects/ecma-builtins.c:906
      #3 0x428231 in ecma_builtin_dispatch_call jerry-core/ecma/builtin-objects/ecma-builtins.c:931
      #4 0x428231 in ecma_op_function_call jerry-core/ecma/operations/ecma-function-object.c:495
      #5 0x4613f5 in opfunc_call jerry-core/vm/vm.c:436
      #6 0x4613f5 in vm_execute jerry-core/vm/vm.c:3008
      #7 0x461fda in vm_run jerry-core/vm/vm.c:3092
      #8 0x424411 in vm_run_eval jerry-core/vm/vm.c:270
      #9 0x424411 in ecma_op_eval_chars_buffer jerry-core/ecma/operations/ecma-eval.c:111
      #10 0x40274f in jerry_eval jerry-core/api/jerry.c:570
      #11 0x40274f in main jerry-main/main-unix.c:810
      #12 0x7f749b68f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
      #13 0x403148 in _start (build/bin/jerry+0x403148)

  AddressSanitizer can not provide additional info.
  SUMMARY: AddressSanitizer: SEGV jerry-core/jmem/jmem-heap.c:463 jmem_heap_free_block
  ==7815==ABORTING

  • Immediate cause:
    It seems that this bug is caused by triggering undefined behavior at jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.c:598. The second passed argument is NULL. This causes a NULL dereference and allows GCC to optimize out subsequent checks for NULL. This further causes writing to a null pointer, which results in a segmentation fault. Note that because this bug occurs due to GCC optimizing out a check for NULL, it may not be reproducible with a debug build.

Please confirm if you can reproduce this issue.

This bug was discovered by Marcin Dominiak and Wojciech Rauner.
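
The compiler behaviour the reporter describes, as an added illustration (this is constructed example code, not JerryScript's; the function names `count_nonzero_unsafe` and `count_nonzero_safe` and the sample buffer are hypothetical): the first function writes through its out-parameter before testing it for NULL, the ordering attributed above to ecma-builtin-typedarray-prototype.c:598. Because dereferencing a NULL pointer is undefined behaviour, GCC may treat the pointer as provably non-NULL at the later `if` and delete that branch (the assumption is governed by `-fdelete-null-pointer-checks`; `-fno-delete-null-pointer-checks` turns it off), so a NULL caller reaches the store regardless of the check and faults at a small address, as in the ASan trace. The second function does the check before the first dereference, which is the fix pattern.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not JerryScript code): count the non-zero bytes of
 * `buf` and store the count through `out_count`.
 *
 * Vulnerable ordering: the out-parameter is dereferenced *before* the NULL
 * check.  The compiler may assume `out_count != NULL` from the first line
 * and remove the `if` below, so with a NULL argument the store happens
 * unconditionally.  Never call this with out_count == NULL. */
int count_nonzero_unsafe(const uint8_t *buf, size_t len, size_t *out_count)
{
  *out_count = 0;                 /* UB if out_count == NULL */

  if (out_count == NULL)          /* may be optimized away entirely */
  {
    return -1;
  }

  for (size_t i = 0; i < len; i++)
  {
    if (buf[i] != 0)
    {
      (*out_count)++;
    }
  }
  return 0;
}

/* Hardened ordering: validate every pointer argument before the first
 * dereference.  The check now has observable meaning, so the optimizer must
 * keep it, and a NULL caller gets an error code instead of a segfault. */
int count_nonzero_safe(const uint8_t *buf, size_t len, size_t *out_count)
{
  if (out_count == NULL || (buf == NULL && len != 0))
  {
    return -1;
  }

  size_t count = 0;
  for (size_t i = 0; i < len; i++)
  {
    if (buf[i] != 0)
    {
      count++;
    }
  }
  *out_count = count;
  return 0;
}

int main(void)
{
  /* Constructed sample input. */
  const uint8_t sample[] = { 1, 0, 2, 0, 0, 3 };
  size_t n = 0;

  if (count_nonzero_safe(sample, sizeof sample, &n) == 0)
  {
    printf("non-zero bytes: %zu\n", n);
  }

  /* The hardened version rejects a NULL out-parameter cleanly. */
  if (count_nonzero_safe(sample, sizeof sample, NULL) != 0)
  {
    printf("NULL out_count rejected\n");
  }

  /* The same call into count_nonzero_unsafe with NULL is undefined
   * behaviour: it faults on the first store at -O0, and at -O2 the NULL
   * check is typically gone as well, so it faults either way. */
  return 0;
}
```

Compile the unsafe variant at -O0 and -O2 and compare the assembly of the `if`: at -O2 the comparison against zero is usually absent. Adding `-fsanitize=undefined` reports the store through the NULL pointer at any optimization level, which is the diagnostic an ASan-only build such as the one in this report does not give you; ASan sees only the resulting SEGV.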

Metadata

Labels

bug (Undesired behaviour), critical (Raises security concerns)