heap-buffer-overflow in scanner_is_context_needed #5092

Open
@Ye0nny

Description

JerryScript revision

Commit: 05dbbd1
Version: v3.0.0

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps
python ./tools/build.py --clean --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
Test case
testcase

async function n() { 
	return 1 ; 
} 
import { 
	nFromEvent as''throw n ( ) undefined }
	1 
} 
async function from async 1; }  
async function a() { 
	var n = await 2 ; 
	return n ; 
} 
import { n }; 
return n; 
}  
var r = async function() { 
	var n = await 2; return n; 
};

// poc.js
import { nFromEvent as '' }
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
=================================================================
==1326574==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf510071e at pc 0x56641307 bp 0xffa4ba68 sp 0xffa4ba58
READ of size 1 at 0xf510071e thread T0
    #0 0x56641306 in scanner_is_context_needed ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2101
    #1 0x56639a78 in parser_parse_source ./jerryscript/jerry-core/parser/js/js-parser.c:2267
    #2 0x565cc3cf in jerry_parse_common ./jerryscript/jerry-core/api/jerryscript.c:412
    #3 0x565cc631 in jerry_parse ./jerryscript/jerry-core/api/jerryscript.c:480
    #4 0x566c1644 in jerryx_source_parse_script ./jerryscript/jerry-ext/util/sources.c:52
    #5 0x566c1701 in jerryx_source_exec_script ./jerryscript/jerry-ext/util/sources.c:63
    #6 0x565c4d04 in main ./jerryscript/jerry-main/main-desktop.c:156
    #7 0xf769fed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
    #8 0x565c7fb4 in _start (./jerryscript/build/bin/jerry+0x12fb4)

0xf510071e is located 0 bytes to the right of 14-byte region [0xf5100710,0xf510071e)
allocated by thread T0 here:
    #0 0xf7a88817 in __interceptor_malloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x565c7ae4 in jmem_heap_alloc ./jerryscript/jerry-core/jmem/jmem-heap.c:254
    #2 0x5662cd8d in jmem_heap_gc_and_alloc_block ./jerryscript/jerry-core/jmem/jmem-heap.c:291
    #3 0x5663d2bd in scanner_malloc ./jerryscript/jerry-core/parser/js/js-scanner-util.c:93
    #4 0x5663d33d in scanner_insert_info ./jerryscript/jerry-core/parser/js/js-scanner-util.c:183
    #5 0x5663f35b in scanner_pop_literal_pool ./jerryscript/jerry-core/parser/js/js-scanner-util.c:949
    #6 0x5664e18f in scanner_scan_all ./jerryscript/jerry-core/parser/js/js-scanner.c:3366
    #7 0x5663913b in parser_parse_source ./jerryscript/jerry-core/parser/js/js-parser.c:2167
    #8 0x565cc3cf in jerry_parse_common ./jerryscript/jerry-core/api/jerryscript.c:412
    #9 0x565cc631 in jerry_parse ./jerryscript/jerry-core/api/jerryscript.c:480
    #10 0x566c1644 in jerryx_source_parse_script ./jerryscript/jerry-ext/util/sources.c:52
    #11 0x566c1701 in jerryx_source_exec_script ./jerryscript/jerry-ext/util/sources.c:63
    #12 0x565c4d04 in main ./jerryscript/jerry-main/main-desktop.c:156
    #13 0xf769fed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)

SUMMARY: AddressSanitizer: heap-buffer-overflow ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2101 in scanner_is_context_needed
==1326574==ABORTING

With debugging mode (--debug)

Outputs
ICE: Assertion 'type == SCANNER_STREAM_TYPE_VAR || type == SCANNER_STREAM_TYPE_LET || type == SCANNER_STREAM_TYPE_CONST || type == SCANNER_STREAM_TYPE_FUNC || is_import' failed at ./jerryscript/jerry-core/parser/js/js-scanner-util.c(scanner_is_context_needed):2080.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted
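Added triage helper, not code from the issue or from the JerryScript project: it parses an AddressSanitizer report like the one above into the fields a triager files or deduplicates on (bug type, access kind and size, the faulting and allocating project frames with sanitizer and libc frames skipped, and the byte index of the access relative to the 14-byte region). The embedded report is a constructed, abridged copy of the output quoted above, and the `./jerryscript/` path prefix used to recognise project frames is an assumption taken from those frames.

```python
import re
# Constructed, abridged copy of the ASan report quoted above (values unchanged).
ASAN_REPORT = """\
==1326574==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf510071e at pc 0x56641307 bp 0xffa4ba68 sp 0xffa4ba58
READ of size 1 at 0xf510071e thread T0
    #0 0x56641306 in scanner_is_context_needed ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2101
    #1 0x56639a78 in parser_parse_source ./jerryscript/jerry-core/parser/js/js-parser.c:2267

0xf510071e is located 0 bytes to the right of 14-byte region [0xf5100710,0xf510071e)
allocated by thread T0 here:
    #0 0xf7a88817 in __interceptor_malloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x565c7ae4 in jmem_heap_alloc ./jerryscript/jerry-core/jmem/jmem-heap.c:254
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at ")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(.+)$")  # -> (function, location)

def parse_asan_report(text):
    """Return a dict of the fields a triager needs from an ASan heap-buffer-overflow report."""
    crash = {"stack": [], "alloc_stack": []}
    target = None  # frame list currently being filled; None outside a stack trace
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            crash["bug_type"], crash["fault_address"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            crash["access"], crash["access_size"] = m.group(1), int(m.group(2))
            target = crash["stack"]
        elif m := REGION_RE.search(line):
            crash["region_offset"], crash["region_side"] = int(m.group(1)), m.group(2)
            crash["region_size"] = int(m.group(3))
        elif line.startswith("allocated by"):
            target = crash["alloc_stack"]
        elif (m := FRAME_RE.match(line)) and target is not None:
            target.append((m.group(1), m.group(2)))
        elif not line.strip():
            target = None  # a blank line closes the current stack trace
    return crash

def first_project_frame(frames, prefix="./jerryscript/"):
    """Skip sanitizer interceptor and libc frames; return the first (function, location) in the project."""
    return next((f for f in frames if f[1].startswith(prefix)), None)

def faulting_index(crash):
    """Byte index of the access relative to the allocation start (14 here: one past a 14-byte region)."""
    if "region_size" not in crash:
        return None
    size, off = crash["region_size"], crash["region_offset"]
    return size + off if crash["region_side"] == "right" else -off
```

Feeding the full report from the issue gives the same answer: the one-byte read at index 14 of the 14-byte scanner info block allocated through jmem_heap_alloc.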

Credits: @Ye0nny, @EJueon of the seclab-yonsei.

Labels: bug (Undesired behaviour), fuzzing (Related to fuzz testing of the engine), parser (Related to the JavaScript parser)