Closed
Description
JerryScript revision
Build platform
Ubuntu 16.04.6 LTS (Linux 4.15.0-99-generic x86_64)
Build steps
python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --lto=off --error-message=on --system-allocator=on
Test case
function test_1 ()
{
  'use strict';
  Object.defineProperty (Number.prototype,
                         'getter',
                         { get : function () { ((10).getter === 10) }, configurable : true });
  assert ((10).getter === 10);
  assert (typeof ((10).getter) === 'number');
  delete Number.prototype.getter;
}
test_1 ();
Output
ASAN:SIGSEGV
=================================================================
==97962==ERROR: AddressSanitizer: stack-overflow on address 0xff3a7e74 (pc 0x080b7d3c bp 0xff3a8178 sp 0xff3a7e50 T0)
#0 0x80b7d3b in vm_loop /home/jerryscript/jerry-core/vm/vm.c:948
#1 0x80c2d8c in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4124
#2 0x80c32fb in vm_run /home/jerryscript/jerry-core/vm/vm.c:4232
#3 0x8083ff1 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:886
#4 0x8084716 in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1085
#5 0x808a4ce in ecma_op_object_find_own /home/jerryscript/jerry-core/ecma/operations/ecma-objects.c:658
#6 0x808a810 in ecma_op_object_get_with_receiver /home/jerryscript/jerry-core/ecma/operations/ecma-objects.c:830
#7 0x80e0828 in ecma_op_get_value_object_base /home/jerryscript/jerry-core/ecma/operations/ecma-get-put-value.c:188
#8 0x80b6d71 in vm_op_get_value /home/jerryscript/jerry-core/vm/vm.c:141
#9 0x80bb462 in vm_loop /home/jerryscript/jerry-core/vm/vm.c:2155
#10 0x80c2d8c in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4124
.......
#246 0x8083ff1 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:886
#247 0x8084716 in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1085
#248 0x808a4ce in ecma_op_object_find_own /home/jerryscript/jerry-core/ecma/operations/ecma-objects.c:658
#249 0x808a810 in ecma_op_object_get_with_receiver /home/jerryscript/jerry-core/ecma/operations/ecma-objects.c:830
#250 0x80e0828 in ecma_op_get_value_object_base /home/jerryscript/jerry-core/ecma/operations/ecma-get-put-value.c:188
SUMMARY: AddressSanitizer: stack-overflow /home/jerryscript/jerry-core/vm/vm.c:948 vm_loop
==97962==ABORTING
Credits: This vulnerability was detected by chong from OWL337.