bellard / quickjs

Public repository of the QuickJS Javascript Engine.
https://bellard.org/quickjs

SEGV on unknown address #111

Open ZQ-Struggle opened 2 years ago

ZQ-Struggle commented 2 years ago

Write on an unknown address bug report

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3398899==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x0004012a12ec (pc 0x00000043e2da bp 0x000000000249 sp 0x7ffcac86a170 T3398899)
==3398899==The signal is caused by a WRITE memory access.
    #0 0x43e2da in JS_GetOwnPropertyNamesInternal /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:7581:34
    #1 0x491163 in JS_CopyDataProperties /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:15670:9
    #2 0x459514 in JS_CallInternal /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:17909:21
    #3 0x44d704 in JS_CallInternal /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:16643:27
    #4 0x460458 in JS_CallFree /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:18723:19
    #5 0x460458 in JS_EvalFunctionInternal /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:33523:19
    #6 0x478d8e in __JS_EvalInternal /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:33677:19
    #7 0x4607c7 in JS_EvalInternal /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:33695:12
    #8 0x4607c7 in JS_EvalThis /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:33726:11
    #9 0x4607c7 in JS_Eval /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:33734:12
    #10 0x42c81a in eval_buf /home/browser/chijin_workspace/js_engine/quickjs_revision/qjs.c:72:15
    #11 0x42c91d in eval_file /home/browser/chijin_workspace/js_engine/quickjs_revision/qjs.c:104:11
    #12 0x42bf4d in main /home/browser/chijin_workspace/js_engine/quickjs_revision/qjs.c:685:15
    #13 0x7f03c61a20b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #14 0x409b4d in _start (/home/browser/chijin_workspace/js_engine/quickjs_revision/qjs+0x409b4d)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:7581:34 in JS_GetOwnPropertyNamesInternal
==3398899==ABORTING

The reproducing JS code is shown below:

function placeholder(){}
function main() {
    function v0() {}
    function v1(v2,v3) {}
    const v4 = -Infinity;
    const v5 = [v1,v1,v1];
    // 2147483647 == INT_MAX elements, i.e. INT_MAX indexed own keys on v8
    const v8 = new Int8Array(2147483647);
    // v5 stringifies to a non-index key, so this adds one string-keyed own property to v8
    v8[v5] = 834287175n;
    const v12 = v5.constructor;
    // `...v8` copies v8's own properties (JS_CopyDataProperties -> JS_GetOwnPropertyNamesInternal),
    // which is where the sanitizer reports the write
    const v13 = {"b":v12, "length":v1, "ownKeys":v0, "toString":v4, "valueOf":568634645, ...v8, ...v12, ...-829933.0843735135, ...v1, ...-829933.0843735135};
}
main();

The code was generated by a JS engine fuzzer. This vulnerability may be exploited to cause RCE.

chqrlie commented 2 years ago

The bug is in the JS_GetOwnPropertyNamesInternal function: we use max_int in

atom_count = num_keys_count + str_keys_count + sym_keys_count + exotic_keys_count;
/* avoid allocating 0 bytes */
tab_atom = js_malloc(ctx, sizeof(tab_atom[0]) * max_int(atom_count, 1));

atom_count is greater than INT_MAX so the size allocated for the property names is just 1, leading to a segmentation fault when storing the atoms.

There are multiple instances of similar bugs elsewhere when the number of properties potentially exceeds INT_MAX. I am scanning the code to fix these and will post an updated version later this week.

Chqrlie.
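The overflow described above, as an added example that is not QuickJS's code: a model of the quoted allocation-size computation next to a checked form that refuses to allocate when the sum does not fit in an int. The function names, the 64-bit reproduction of the wrap and the sample counts are assumptions for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same helper shape QuickJS uses in the quoted allocation line. */
static inline int max_int(int a, int b) { return a > b ? a : b; }

/* Model of the reported computation (constructed here, not QuickJS's code):
 * four int counts summed into an int. The sum is formed in 64 bits and then
 * narrowed, so the wrap-around the sanitizer hit on the real expression is
 * reproduced without the demo itself invoking signed-overflow UB.
 * Returns the element count max_int() would hand to js_malloc. */
size_t buggy_alloc_count(int num_keys, int str_keys, int sym_keys, int exotic_keys)
{
    int64_t wide = (int64_t)num_keys + str_keys + sym_keys + exotic_keys;
    int atom_count = (int)(uint32_t)wide;   /* two's-complement wrap, as on common ABIs */
    return (size_t)max_int(atom_count, 1);  /* a negative count silently becomes 1 */
}

/* Hardened form: keep the sum wide, reject anything that does not fit in int,
 * and only then apply the "at least one element" floor. Returns false when the
 * caller must fail the operation instead of allocating. */
bool checked_alloc_count(int num_keys, int str_keys, int sym_keys, int exotic_keys,
                         size_t *out)
{
    int64_t wide = (int64_t)num_keys + str_keys + sym_keys + exotic_keys;
    if (wide < 0 || wide > INT_MAX)
        return false;
    *out = (size_t)max_int((int)wide, 1);
    return true;
}

int main(void)
{
    /* Constructed counts shaped like the repro: INT_MAX indexed keys from the
     * spread Int8Array plus a handful of string keys. */
    int num = INT_MAX, str = 5, sym = 0, exotic = 0;
    size_t n;
    printf("buggy: allocates room for %zu atom(s)\n",
           buggy_alloc_count(num, str, sym, exotic));
    if (!checked_alloc_count(num, str, sym, exotic, &n))
        printf("checked: refused, total exceeds INT_MAX\n");
    return 0;
}
```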

chqrlie commented 8 months ago

This bug will be fixed shortly, along with other similar issues caused by arithmetic overflow computing allocation sizes and such.