SEGV at njs/src/njs_scope.h:94:10 in njs_scope_valid_value #773

Open

Description

version:

$ git show
commit 3ac496802862347c5cf8f0b6e3825163dc7bb1c9 (HEAD -> master, origin/master, origin/HEAD)
Author: Dmitry Volyntsev <xeioex@nginx.com>
Date:   Thu Jul 25 17:28:37 2024 -0700

    Tests: adapting unsafe redirect test for QuickJS.
    
    At the moment QuickJS has no API for getting strings
    with NUL characters in the middle of the string.
    
    Instead of a NUL byte make another unsafe redirect URI.

system:

$ uname -a
Linux gandalf-ThinkPad-T14-Gen-3 6.5.0-44-generic #44~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Jun 18 14:36:16 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Reproduce

njs/build/njs_fuzzilli poc_file.js

poc_file.js

const v0 = [Infinity,0.7856315572115781,-Infinity,-1000000000000.0,-1000000000.0];
async function f1(a2, a3) {
    let v4 = await a2;
    function f5(a6, a7) {
        return v4 >>>= v0;
    }
    f5();
    function f9() {
        f5 /= f5;
        return v0;
    }
    return v0;
}
f1(f1, f1);
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// 
// STDOUT:
// 
// FUZZER ARGS: .build/x86_64-unknown-linux-gnu/release/FuzzilliCli --profile=njs --storagePath=Targets/njs/out /home/gandalf/fuzzilli/Targets/njs/njs/build/njs_fuzzilli --resume
// TARGET ARGS: /home/gandalf/fuzzilli/Targets/njs/njs/build/njs_fuzzilli fuzz
// CONTRIBUTORS: NumberComputationGenerator, ArrayGenerator, ElementAssignmentGenerator, FunctionCallGenerator, TrivialFunctionGenerator, SpliceMutator, TypedArrayGenerator, OperationMutator, WellKnownPropertyStoreGenerator, CodeGenMutator, UpdateGenerator
// EXECUTION TIME: 11ms

asan report

/home/gandalf/fuzzilli/Targets/njs/out/crashes/program_20240814004355_CAD133B9-FC51-48A1-B2BC-60C73BAE045D_deterministic.js
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3726447==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5a3b22eb02cb bp 0x0007fffffff8 sp 0x7ffe6c94cf10 T3726447)
==3726447==The signal is caused by a READ memory access.
==3726447==Hint: address points to the zero page.
    #0 0x5a3b22eb02cb in njs_scope_valid_value /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_scope.h:94:10
    #1 0x5a3b22eb02cb in njs_vmcode_interpreter /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vmcode.c:868:9
    #2 0x5a3b22f15138 in njs_function_lambda_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:610:11
    #3 0x5a3b22f14bb3 in njs_function_frame_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:686:16
    #4 0x5a3b22eb5daa in njs_vmcode_interpreter /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vmcode.c:1451:15
    #5 0x5a3b22f30b54 in njs_await_fulfilled /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_async.c:91:11
    #6 0x5a3b22f14b40 in njs_function_native_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:647:11
    #7 0x5a3b22f14b40 in njs_function_frame_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:683:16
    #8 0x5a3b22f14ac7 in njs_function_call2 /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:515:12
    #9 0x5a3b22f2be90 in njs_function_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.h:164:12
    #10 0x5a3b22f2be90 in njs_promise_reaction_job /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_promise.c:1098:15
    #11 0x5a3b22f14b40 in njs_function_native_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:647:11
    #12 0x5a3b22f14b40 in njs_function_frame_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:683:16
    #13 0x5a3b22ea674d in njs_vm_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vm.c:599:12
    #14 0x5a3b22ea674d in njs_vm_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vm.c:583:12
    #15 0x5a3b22ea674d in njs_vm_execute_pending_job /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vm.c:690:11
    #16 0x5a3b22e9c8a7 in njs_engine_njs_execute_pending_job /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli_shell.c:1399:12
    #17 0x5a3b22e9bb4d in njs_process_script /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli_shell.c:3541:19
    #18 0x5a3b22e9b8a4 in njs_process_file /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli_shell.c:3501:11
    #19 0x5a3b22e9aecf in main /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli.c:149:18
    #20 0x7032a8629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #21 0x7032a8629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #22 0x5a3b22e71324 in _start (/home/gandalf/fuzzilli/Targets/njs/njs/build/njs_fuzzilli+0x18324) (BuildId: 3d2f757dce7d42751a15759500ec6c91c5f77630)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_scope.h:94:10 in njs_scope_valid_value
==3726447==ABORTING
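A fuzzing campaign like the one above produces many reports of this shape, and the first triage step is to bucket them by the in-project frames at the top of the stack so that duplicates of one bug are not filed twice. The following helper is an added example written for this page, not code from njs or from the reporter: it parses the sanitizer text, picks the first frames whose path lies under the project's source tree (the `/src/` marker is an assumption about the checkout layout) and flags a SEGV at a zero-page address as a likely unchecked NULL dereference. The sample report is a trimmed copy of the one above.

```python
"""Parse a sanitizer crash report and derive a bucketing signature for it."""
import re
from dataclasses import dataclass, field
from os.path import basename
from typing import List, Optional

# Constructed sample: lines copied from the report above, with most of the
# middle frames trimmed so the example stays short.
SAMPLE_REPORT = """\
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3726447==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5a3b22eb02cb bp 0x0007fffffff8 sp 0x7ffe6c94cf10 T3726447)
==3726447==The signal is caused by a READ memory access.
==3726447==Hint: address points to the zero page.
    #0 0x5a3b22eb02cb in njs_scope_valid_value /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_scope.h:94:10
    #1 0x5a3b22eb02cb in njs_vmcode_interpreter /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vmcode.c:868:9
    #2 0x5a3b22f15138 in njs_function_lambda_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:610:11
    #16 0x5a3b22e9c8a7 in njs_engine_njs_execute_pending_job /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli_shell.c:1399:12
    #20 0x7032a8629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #22 0x5a3b22e71324 in _start (/home/gandalf/fuzzilli/Targets/njs/njs/build/njs_fuzzilli+0x18324) (BuildId: 3d2f757dce7d42751a15759500ec6c91c5f77630)
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_scope.h:94:10 in njs_scope_valid_value
==3726447==ABORTING
"""

FRAME_RE = re.compile(r"^\s*#(?P<n>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>\S+)\s+(?P<loc>.*)$")
LOC_RE = re.compile(r"^(?P<file>[^\s:()]+):(?P<line>\d+)(?::(?P<col>\d+))?")
ERROR_RE = re.compile(r"==\d+==ERROR:\s+(?P<tool>\w+):\s+(?P<kind>[\w-]+)")
ADDR_RE = re.compile(r"\baddress\s+(?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"\b(?P<access>READ|WRITE)\b")


@dataclass
class Frame:
    index: int
    func: str
    file: Optional[str]   # None for frames without symbolised source (e.g. _start)
    line: Optional[int]


@dataclass
class CrashReport:
    tool: str = "unknown"
    kind: str = "unknown"
    address: Optional[int] = None
    access: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)


def parse_report(text: str) -> CrashReport:
    """Extract tool, bug kind, faulting address, access type and the first stack."""
    report = CrashReport()
    in_stack = done = False
    for raw in text.splitlines():
        m = ERROR_RE.search(raw)
        if m:
            report.tool, report.kind = m.group("tool"), m.group("kind")
            a = ADDR_RE.search(raw)
            if a:
                report.address = int(a.group("addr"), 16)
            continue
        # UBSan: "caused by a READ memory access"; ASan: "READ of size N at ..."
        if report.access is None and ("memory access" in raw or " of size " in raw):
            a = ACCESS_RE.search(raw)
            if a:
                report.access = a.group("access")
            continue
        fm = FRAME_RE.match(raw)
        if fm and not done:
            lm = LOC_RE.match(fm.group("loc"))
            report.frames.append(Frame(int(fm.group("n")), fm.group("func"),
                                       lm.group("file") if lm else None,
                                       int(lm.group("line")) if lm else None))
            in_stack = True
        elif in_stack:
            done = True   # only the first stack (ASan may print several)
    return report


def crash_signature(report: CrashReport, depth: int = 3, source_marker: str = "/src/") -> str:
    """Bucket key: tool, bug kind and the first `depth` frames inside the project
    sources (path contains source_marker). libc, the fuzzing shell and _start are
    skipped so that the same bug reached through different harnesses dedups."""
    picked = []
    for f in report.frames:
        if f.file and source_marker in f.file:
            picked.append(f"{f.func}@{basename(f.file)}:{f.line}")
            if len(picked) == depth:
                break
    return f"{report.tool}:{report.kind}:" + "|".join(picked)


def classify(report: CrashReport, zero_page: int = 0x1000) -> str:
    """Coarse exploitability hint. A SEGV on an address inside the first page
    (threshold is an assumption) is almost always an unchecked NULL pointer:
    a crash, i.e. a denial of service, not by itself a corruption primitive."""
    if report.kind == "SEGV" and report.address is not None and report.address < zero_page:
        return "null-deref-" + (report.access or "unknown").lower()
    return report.kind.lower()


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(crash_signature(r))
    print(classify(r))
```

For this report the signature is built from `njs_scope_valid_value`, `njs_vmcode_interpreter` and `njs_function_lambda_call`; note that frames #0 and #1 share one pc (inlining), so both are kept rather than collapsed. The `null-deref-read` classification only says the faulting address is the zero page; whether a nearby path can produce a non-NULL dangling value is a separate question that requires reading njs_scope.h, not something the trace answers.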

Credit

Gandalf4a of PKU-Changsha Institute for Computing and Digital Economy