Description
opened on Aug 15, 2024
version:
$ git show
commit 3ac496802862347c5cf8f0b6e3825163dc7bb1c9 (HEAD -> master, origin/master, origin/HEAD)
Author: Dmitry Volyntsev <xeioex@nginx.com>
Date: Thu Jul 25 17:28:37 2024 -0700
Tests: adapting unsafe redirect test for QuickJS.
At the moment QuickJS has no API for getting strings
with NUL characters in the middle of the string.
Instead of a NUL byte make another unsafe redirect URI.
system:
$ uname -a
Linux gandalf-ThinkPad-T14-Gen-3 6.5.0-44-generic #44~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Jun 18 14:36:16 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Reproduce
njs/build/njs_fuzzilli poc_file.js
poc_file.js
// Fuzzilli-generated reproducer (poc_file.js) for an njs interpreter crash.
// Run with `njs/build/njs_fuzzilli poc_file.js`. The sanitizer report in this
// issue shows a SEGV on a READ of address 0x0 in njs_scope_valid_value,
// reached from njs_await_fulfilled -> njs_vmcode_interpreter ->
// njs_function_lambda_call, i.e. while the code that runs after the `await`
// in f1 is executing. NOTE(review): from a defender's view this is a
// null-pointer read (crash / denial of service) reachable from script input;
// the report shows no further memory effects, but that should be confirmed
// against the fixed code rather than assumed.
// Array of five numbers shared with the closure f5 below, which operates on
// it through `>>>=`.
const v0 = [Infinity,0.7856315572115781,-Infinity,-1000000000000.0,-1000000000.0];
// Async entry point. Both parameters receive f1 itself (see the call at the
// bottom). `await a2` suspends f1 and resumes it later in a promise job;
// v4 is a function-scoped binding captured by the nested closure f5.
async function f1(a2, a3) {
let v4 = await a2;
// Closure over v4: compound unsigned-right-shift assignment with the outer
// array v0 as the right operand (v0 is coerced to a number by `>>>`).
// The parameters a6 and a7 are unused.
function f5(a6, a7) {
return v4 >>>= v0;
}
// Called once, with no arguments, immediately after f1 resumes from the await.
f5();
// f9 is never invoked anywhere in this file; it is kept so the reproducer
// stays byte-for-byte the program the fuzzer found.
function f9() {
f5 /= f5;
return v0;
}
return v0;
}
// Start the reproducer; the returned promise is not awaited, so f1's body
// after the await runs from the pending-job queue.
f1(f1, f1);
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
//
// STDOUT:
//
// FUZZER ARGS: .build/x86_64-unknown-linux-gnu/release/FuzzilliCli --profile=njs --storagePath=Targets/njs/out /home/gandalf/fuzzilli/Targets/njs/njs/build/njs_fuzzilli --resume
// TARGET ARGS: /home/gandalf/fuzzilli/Targets/njs/njs/build/njs_fuzzilli fuzz
// CONTRIBUTORS: NumberComputationGenerator, ArrayGenerator, ElementAssignmentGenerator, FunctionCallGenerator, TrivialFunctionGenerator, SpliceMutator, TypedArrayGenerator, OperationMutator, WellKnownPropertyStoreGenerator, CodeGenMutator, UpdateGenerator
// EXECUTION TIME: 11ms
Sanitizer report (UndefinedBehaviorSanitizer output)
/home/gandalf/fuzzilli/Targets/njs/out/crashes/program_20240814004355_CAD133B9-FC51-48A1-B2BC-60C73BAE045D_deterministic.js
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3726447==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5a3b22eb02cb bp 0x0007fffffff8 sp 0x7ffe6c94cf10 T3726447)
==3726447==The signal is caused by a READ memory access.
==3726447==Hint: address points to the zero page.
#0 0x5a3b22eb02cb in njs_scope_valid_value /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_scope.h:94:10
#1 0x5a3b22eb02cb in njs_vmcode_interpreter /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vmcode.c:868:9
#2 0x5a3b22f15138 in njs_function_lambda_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:610:11
#3 0x5a3b22f14bb3 in njs_function_frame_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:686:16
#4 0x5a3b22eb5daa in njs_vmcode_interpreter /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vmcode.c:1451:15
#5 0x5a3b22f30b54 in njs_await_fulfilled /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_async.c:91:11
#6 0x5a3b22f14b40 in njs_function_native_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:647:11
#7 0x5a3b22f14b40 in njs_function_frame_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:683:16
#8 0x5a3b22f14ac7 in njs_function_call2 /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:515:12
#9 0x5a3b22f2be90 in njs_function_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.h:164:12
#10 0x5a3b22f2be90 in njs_promise_reaction_job /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_promise.c:1098:15
#11 0x5a3b22f14b40 in njs_function_native_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:647:11
#12 0x5a3b22f14b40 in njs_function_frame_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:683:16
#13 0x5a3b22ea674d in njs_vm_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vm.c:599:12
#14 0x5a3b22ea674d in njs_vm_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vm.c:583:12
#15 0x5a3b22ea674d in njs_vm_execute_pending_job /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vm.c:690:11
#16 0x5a3b22e9c8a7 in njs_engine_njs_execute_pending_job /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli_shell.c:1399:12
#17 0x5a3b22e9bb4d in njs_process_script /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli_shell.c:3541:19
#18 0x5a3b22e9b8a4 in njs_process_file /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli_shell.c:3501:11
#19 0x5a3b22e9aecf in main /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli.c:149:18
#20 0x7032a8629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#21 0x7032a8629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#22 0x5a3b22e71324 in _start (/home/gandalf/fuzzilli/Targets/njs/njs/build/njs_fuzzilli+0x18324) (BuildId: 3d2f757dce7d42751a15759500ec6c91c5f77630)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_scope.h:94:10 in njs_scope_valid_value
==3726447==ABORTING
Credit
Gandalf4a of PKU-Changsha Institute for Computing and Digital Economy