heap-use-after-free in ecma_find_named_property #3079

Closed
@mka-sec

Description

Revision

57f389d

Build

./tools/build.py --clean --debug --compile-flag=-fsanitize=address
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer
--compile-flag=-fno-common --compile-flag=-g
--strip=off --system-allocator=on --logging=on
--error-messages=on --profile=es2015-subset

OS

Linux 4.15.0-58-generic #64-Ubuntu x86_64 GNU/Linux

Test case

```javascript
for (b = 0; b < 100; b++) {
    var setv = new Set();
    setv.add(1);
    setv.add(Math.SQRT2);
    setv.forEach(function(value, key, set) {
        setv.clear();
        (eval)("" + 123);
    });
}
```
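The test case above exercises the same hazard a Set implementation has to survive: the callback passed to `forEach` mutates the set (here `clear()`) and then allocates (here via `eval`), which can trigger a GC that frees the entry the iterator is sitting on. The following is an added regression-style check, not part of the issue or the JerryScript tree: it encodes the ES2015 semantics for mutation during `Set.prototype.forEach` (entries deleted before being visited are skipped, entries added during iteration are visited) and repeats the PoC's clear-plus-allocate pattern under a loop so a fix can be verified by asserting on the visitation log rather than by waiting for a sanitizer report.

```javascript
// Added example, not from the issue. Spec-conformance checks for mutating a Set
// while Set.prototype.forEach iterates it (ES2015 23.2.3.6). A conforming engine
// must re-resolve its position after every callback instead of keeping a raw
// pointer to the current entry across it.

// Mirrors the PoC: clear() inside the callback, then an allocation via eval.
// Per spec only the first entry is visited and the set is empty afterwards.
function visitWithClear() {
  const s = new Set([1, Math.SQRT2, 3]);
  const seen = [];
  s.forEach(function (value) {
    seen.push(value);
    s.clear();          // the mutation from the PoC
    eval("" + 123);     // allocation pressure, as in the PoC
  });
  return { seen: seen, sizeAfter: s.size };
}

// Delete a not-yet-visited entry and add a new one from inside the callback:
// "b" must be skipped, "d" must still be visited.
function visitWithDeleteAndAdd() {
  const s = new Set(["a", "b", "c"]);
  const seen = [];
  s.forEach(function (value) {
    seen.push(value);
    if (value === "a") {
      s.delete("b");
      s.add("d");
    }
  });
  return seen; // expected: ["a", "c", "d"]
}

// Repeat the clear-during-iteration case many times, like the PoC's outer
// loop, so GC has plenty of chances to run between callback and next visit.
// Returns true only if every iteration showed the spec-mandated behaviour.
function stressClearInForEach(iterations) {
  for (let i = 0; i < iterations; i++) {
    const r = visitWithClear();
    if (r.seen.length !== 1 || r.seen[0] !== 1 || r.sizeAfter !== 0) {
      return false;
    }
  }
  return true;
}
```

Run under a sanitizer build of the engine being tested; a passing result here plus a clean ASan run is the evidence that the iterator no longer dereferences a freed property pair.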
Backtrace

Run with jerry poc.js

=================================================================
==114285==ERROR: AddressSanitizer: heap-use-after-free on address 0xf5f04ba4 at pc 0x5664b9b5 bp 0xffe37e38 sp 0xffe37e28
READ of size 1 at 0xf5f04ba4 thread T0
    #0 0x5664b9b4 in ecma_find_named_property /jerryscript/jerry-core/ecma/base/ecma-helpers.c:560
    #1 0x566bf8d9 in ecma_op_container_foreach /jerryscript/jerry-core/ecma/operations/ecma-container-object.c:469
    #2 0x566978a8 in ecma_builtin_set_prototype_object_foreach /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-set-prototype.c:99
    #3 0x56697752 in ecma_builtin_set_prototype_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-set-prototype.inc.h:44
    #4 0x566a8be1 in ecma_builtin_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1025
    #5 0x566a8e42 in ecma_builtin_dispatch_call /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1050
    #6 0x566cab53 in ecma_op_function_call /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:729
    #7 0x5674fbdf in opfunc_call /jerryscript/jerry-core/vm/vm.c:581
    #8 0x56764d83 in vm_execute /jerryscript/jerry-core/vm/vm.c:3622
    #9 0x56765632 in vm_run /jerryscript/jerry-core/vm/vm.c:3742
    #10 0x5674ea45 in vm_run_global /jerryscript/jerry-core/vm/vm.c:282
    #11 0x56619a9b in jerry_run /jerryscript/jerry-core/api/jerry.c:570
    #12 0x566163ee in main /jerryscript/jerry-main/main-unix.c:743
    #13 0xf77d8e80 in __libc_start_main (/lib32/libc.so.6+0x18e80)
    #14 0x56613cc0  (/home/xyz/jerryscript/tmpmaster/jerry+0x15cc0)

0xf5f04ba4 is located 4 bytes inside of 24-byte region [0xf5f04ba0,0xf5f04bb8)
freed by thread T0 here:
    #0 0xf7a7eb74 in __interceptor_free (/usr/lib32/libasan.so.4+0xe5b74)
    #1 0x566f9d79 in jmem_heap_free_block_internal /jerryscript/jerry-core/jmem/jmem-heap.c:481
    #2 0x56628c06 in jmem_heap_free_block /jerryscript/jerry-core/jmem/jmem-heap.c:673
    #3 0x56628c06 in ecma_dealloc_property_pair /jerryscript/jerry-core/ecma/base/ecma-alloc.c:236
    #4 0x56628c06 in ecma_gc_free_object /jerryscript/jerry-core/ecma/base/ecma-gc.c:672
    #5 0x5662aad8 in ecma_gc_run /jerryscript/jerry-core/ecma/base/ecma-gc.c:1066
    #6 0x5662ae4e in ecma_free_unused_memory /jerryscript/jerry-core/ecma/base/ecma-gc.c:1124
    #7 0x566f9bbb in jmem_heap_gc_and_alloc_block /jerryscript/jerry-core/jmem/jmem-heap.c:290
    #8 0x5671810c in jmem_heap_alloc_block_null_on_error /jerryscript/jerry-core/jmem/jmem-heap.c:345
    #9 0x5671810c in parser_malloc /jerryscript/jerry-core/parser/js/js-parser-mem.c:43
    #10 0x567194f7 in parser_stack_push_uint8 /jerryscript/jerry-core/parser/js/js-parser-mem.c:375
    #11 0x5673d2d1 in parser_parse_source /jerryscript/jerry-core/parser/js/js-parser.c:2459
    #12 0x567401a7 in parser_parse_script /jerryscript/jerry-core/parser/js/js-parser.c:2936
    #13 0x566c795d in ecma_op_eval_chars_buffer /jerryscript/jerry-core/ecma/operations/ecma-eval.c:104
    #14 0x566c76be in ecma_op_eval /jerryscript/jerry-core/ecma/operations/ecma-eval.c:58
    #15 0x5666ecb7 in ecma_builtin_global_object_eval /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-global.c:111
    #16 0x56672b5b in ecma_builtin_global_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-global.c:1164
    #17 0x566a8be1 in ecma_builtin_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1025
    #18 0x566a8e42 in ecma_builtin_dispatch_call /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1050
    #19 0x566cab53 in ecma_op_function_call /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:729
    #20 0x5674fbdf in opfunc_call /jerryscript/jerry-core/vm/vm.c:581
    #21 0x56764d83 in vm_execute /jerryscript/jerry-core/vm/vm.c:3622
    #22 0x56765632 in vm_run /jerryscript/jerry-core/vm/vm.c:3742
    #23 0x566cb0a7 in ecma_op_function_call /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:807
    #24 0x566bfbc6 in ecma_op_container_foreach /jerryscript/jerry-core/ecma/operations/ecma-container-object.c:504
    #25 0x566978a8 in ecma_builtin_set_prototype_object_foreach /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-set-prototype.c:99
    #26 0x56697752 in ecma_builtin_set_prototype_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-set-prototype.inc.h:44
    #27 0x566a8be1 in ecma_builtin_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1025
    #28 0x566a8e42 in ecma_builtin_dispatch_call /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1050
    #29 0x566cab53 in ecma_op_function_call /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:729
    #30 0x5674fbdf in opfunc_call /jerryscript/jerry-core/vm/vm.c:581
    #31 0x56764d83 in vm_execute /jerryscript/jerry-core/vm/vm.c:3622
    #32 0x56765632 in vm_run /jerryscript/jerry-core/vm/vm.c:3742

previously allocated by thread T0 here:
    #0 0xf7a7ef34 in malloc (/usr/lib32/libasan.so.4+0xe5f34)
    #1 0x566f9b51 in jmem_heap_alloc /jerryscript/jerry-core/jmem/jmem-heap.c:258
    #2 0x566f9bc9 in jmem_heap_gc_and_alloc_block /jerryscript/jerry-core/jmem/jmem-heap.c:293
    #3 0x56649e89 in jmem_heap_alloc_block /jerryscript/jerry-core/jmem/jmem-heap.c:327
    #4 0x56649e89 in ecma_alloc_property_pair /jerryscript/jerry-core/ecma/base/ecma-alloc.c:223
    #5 0x56649e89 in ecma_create_property /jerryscript/jerry-core/ecma/base/ecma-helpers.c:401
    #6 0x5664a886 in ecma_create_named_data_property /jerryscript/jerry-core/ecma/base/ecma-helpers.c:486
    #7 0x566bf2b7 in ecma_op_container_set /jerryscript/jerry-core/ecma/operations/ecma-container-object.c:409
    #8 0x5669783c in ecma_builtin_set_prototype_object_add /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-set-prototype.c:50
    #9 0x56697669 in ecma_builtin_set_prototype_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-set-prototype.inc.h:41
    #10 0x566a8be1 in ecma_builtin_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1025
    #11 0x566a8e42 in ecma_builtin_dispatch_call /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1050
    #12 0x566cab53 in ecma_op_function_call /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:729
    #13 0x5674fbdf in opfunc_call /jerryscript/jerry-core/vm/vm.c:581
    #14 0x56764d83 in vm_execute /jerryscript/jerry-core/vm/vm.c:3622
    #15 0x56765632 in vm_run /jerryscript/jerry-core/vm/vm.c:3742
    #16 0x5674ea45 in vm_run_global /jerryscript/jerry-core/vm/vm.c:282
    #17 0x56619a9b in jerry_run /jerryscript/jerry-core/api/jerry.c:570
    #18 0x566163ee in main /jerryscript/jerry-main/main-unix.c:743
    #19 0xf77d8e80 in __libc_start_main (/lib32/libc.so.6+0x18e80)

SUMMARY: AddressSanitizer: heap-use-after-free /jerryscript/jerry-core/ecma/base/ecma-helpers.c:560 in ecma_find_named_property
Shadow bytes around the buggy address:
  0x3ebe0920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ebe0930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ebe0940: fa fa fa fa fa fa fa fa fa fa 00 00 00 fa fa fa
  0x3ebe0950: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x3ebe0960: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa 00 00
=>0x3ebe0970: 00 fa fa fa[fd]fd fd fa fa fa 00 00 00 04 fa fa
  0x3ebe0980: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x3ebe0990: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x3ebe09a0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x3ebe09b0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x3ebe09c0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==114285==ABORTING


Labels

ES2015 (Related to ES2015 features), bug (Undesired behaviour)
