
heap-buffer-overflow in ecma_string_copy_to_cesu8_buffer #3063

Closed
@mka-sec

Description

@mka-sec
Revision

1088273

Build

./tools/build.py --clean --debug --compile-flag=-fsanitize=address
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer
--compile-flag=-fno-common --compile-flag=-g
--strip=off --system-allocator=on --logging=on
--error-messages=on --profile=es2015-subset

OS

Linux 4.15.0-58-generic #64-Ubuntu x86_64 GNU/Linux

Test case

var str = "123" + "test123";
str.repeat([1073741823]);

Backtrace

Run with jerry poc.js

=================================================================
==88915==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf54ff7f6 at pc 0xf799690e bp 0xffbbcda8 sp 0xffbbc978
WRITE of size 10 at 0xf54ff7f6 thread T0
    #0 0xf799690d  (/usr/lib32/libasan.so.4+0x7790d)
    #1 0x56717127 in ecma_string_copy_to_cesu8_buffer /jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:1040
    #2 0x56643eb5 in ecma_builtin_string_prototype_object_repeat /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:1924
    #3 0x566447be in ecma_builtin_string_prototype_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:2146
    #4 0x566dc3a6 in ecma_builtin_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1025
    #5 0x566dc607 in ecma_builtin_dispatch_call /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1050
    #6 0x566ee96b in ecma_op_function_call /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:729
    #7 0x566a36b4 in opfunc_call /jerryscript/jerry-core/vm/vm.c:581
    #8 0x566b48e7 in vm_execute /jerryscript/jerry-core/vm/vm.c:3622
    #9 0x566b51eb in vm_run /jerryscript/jerry-core/vm/vm.c:3742
    #10 0x566a294b in vm_run_global /jerryscript/jerry-core/vm/vm.c:282
    #11 0x566fc63b in jerry_run /jerryscript/jerry-core/api/jerry.c:570
    #12 0x566f8f9f in main /jerryscript/jerry-main/main-unix.c:743
    #13 0xf775ee80 in __libc_start_main (/lib32/libc.so.6+0x18e80)
    #14 0x56626610  (/home/xyz/jerryscript/tmpmaster/build/bin/jerry+0x16610)

0xf54ff7f6 is located 0 bytes to the right of 2147483638-byte region [0x754ff800,0xf54ff7f6)
allocated by thread T0 here:
    #0 0xf7a04f34 in malloc (/usr/lib32/libasan.so.4+0xe5f34)
    #1 0x566d1bd8 in jmem_heap_alloc /jerryscript/jerry-core/jmem/jmem-heap.c:258
    #2 0x566d1cb6 in jmem_heap_gc_and_alloc_block /jerryscript/jerry-core/jmem/jmem-heap.c:293
    #3 0x566d1d48 in jmem_heap_alloc_block /jerryscript/jerry-core/jmem/jmem-heap.c:327
    #4 0x56643e83 in ecma_builtin_string_prototype_object_repeat /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:1918
    #5 0x566447be in ecma_builtin_string_prototype_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:2146
    #6 0x566dc3a6 in ecma_builtin_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1025
    #7 0x566dc607 in ecma_builtin_dispatch_call /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1050
    #8 0x566ee96b in ecma_op_function_call /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:729
    #9 0x566a36b4 in opfunc_call /jerryscript/jerry-core/vm/vm.c:581
    #10 0x566b48e7 in vm_execute /jerryscript/jerry-core/vm/vm.c:3622
    #11 0x566b51eb in vm_run /jerryscript/jerry-core/vm/vm.c:3742
    #12 0x566a294b in vm_run_global /jerryscript/jerry-core/vm/vm.c:282
    #13 0x566fc63b in jerry_run /jerryscript/jerry-core/api/jerry.c:570
    #14 0x566f8f9f in main /jerryscript/jerry-main/main-unix.c:743
    #15 0xf775ee80 in __libc_start_main (/lib32/libc.so.6+0x18e80)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib32/libasan.so.4+0x7790d) 
==88915==ABORTING
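Added here as an illustration of the defect class this report points at (it is not JerryScript's code nor its fix): the string "123" + "test123" is 10 CESU-8 bytes, and 10 * 1073741823 wraps in 32-bit arithmetic to 2147483638, exactly the region size ASan printed, while a copy loop that still runs the full count writes past it. The names below are hypothetical; the checked variant shows the overflow test a sizing step needs before allocating.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The report's inputs: a 10-byte CESU-8 string ("123" + "test123")
 * repeated 1073741823 times. On the -m32 build every size is 32 bits. */
#define REPORT_STR_BYTES 10u
#define REPORT_COUNT     1073741823u

/* Defect class: buffer size computed as bytes * count in 32-bit arithmetic.
 * 10 * 1073741823 = 10737418230, which wraps to 2147483638 (the region size
 * in the ASan output), yet the copy loop still iterates `count` times. */
uint32_t repeat_size_unchecked(uint32_t bytes, uint32_t count) {
  return bytes * count;
}

/* Hardened sizing: refuse any count whose product cannot be represented.
 * This is a plain overflow check, not the project's actual fix. */
bool repeat_size_checked(uint32_t bytes, uint32_t count, uint32_t *out) {
  if (bytes != 0 && count > UINT32_MAX / bytes) {
    return false;  /* caller should raise a RangeError instead of allocating */
  }
  *out = bytes * count;
  return true;
}

/* Allocate and fill the repeated string, or return NULL if the size check
 * fails. Each memcpy stays inside the capacity that was actually allocated,
 * because i * bytes < total holds for every i < count once total did not wrap. */
char *safe_repeat(const char *src, uint32_t bytes, uint32_t count, uint32_t *out_len) {
  uint32_t total;
  if (!repeat_size_checked(bytes, count, &total)) {
    return NULL;
  }
  char *buf = malloc((size_t) total + 1);
  if (buf == NULL) {
    return NULL;
  }
  for (uint32_t i = 0; i < count; i++) {
    memcpy(buf + (size_t) i * bytes, src, bytes);
  }
  buf[total] = '\0';
  *out_len = total;
  return buf;
}
```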

Labels

ES2015 (Related to ES2015 features), bug (Undesired behaviour)