search

jerryscript-project / jerryscript

Ultra-lightweight JavaScript engine for the Internet of Things.
https://jerryscript.net
Apache License 2.0
6.88k stars 666 forks source link

heap-buffer-overflow in scanner_is_context_needed #5092

Open Ye0nny opened 1 year ago

Ye0nny commented 1 year ago
JerryScript revision

Commit: https://github.com/jerryscript-project/jerryscript/commit/05dbbd134c3b9e2482998f267857dd3722001cd7 Version: v3.0.0

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps
python ./tools/build.py --clean --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
Test case
testcase

```javascript async function n() { return 1 ; } import { nFromEvent as''throw n ( ) undefined } 1 } async function from async 1; } async function a() { var n = await 2 ; return n ; } import { n }; return n; } var r = async function() { var n = await 2; return n; }; ``` 

// poc.js
import { nFromEvent as '' }
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
=================================================================
==1326574==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf510071e at pc 0x56641307 bp 0xffa4ba68 sp 0xffa4ba58
READ of size 1 at 0xf510071e thread T0
    #0 0x56641306 in scanner_is_context_needed ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2101
    #1 0x56639a78 in parser_parse_source ./jerryscript/jerry-core/parser/js/js-parser.c:2267
    #2 0x565cc3cf in jerry_parse_common ./jerryscript/jerry-core/api/jerryscript.c:412
    #3 0x565cc631 in jerry_parse ./jerryscript/jerry-core/api/jerryscript.c:480
    #4 0x566c1644 in jerryx_source_parse_script ./jerryscript/jerry-ext/util/sources.c:52
    #5 0x566c1701 in jerryx_source_exec_script ./jerryscript/jerry-ext/util/sources.c:63
    #6 0x565c4d04 in main ./jerryscript/jerry-main/main-desktop.c:156
    #7 0xf769fed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
    #8 0x565c7fb4 in _start (./jerryscript/build/bin/jerry+0x12fb4)

0xf510071e is located 0 bytes to the right of 14-byte region [0xf5100710,0xf510071e)
allocated by thread T0 here:
    #0 0xf7a88817 in __interceptor_malloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x565c7ae4 in jmem_heap_alloc ./jerryscript/jerry-core/jmem/jmem-heap.c:254
    #2 0x5662cd8d in jmem_heap_gc_and_alloc_block ./jerryscript/jerry-core/jmem/jmem-heap.c:291
    #3 0x5663d2bd in scanner_malloc ./jerryscript/jerry-core/parser/js/js-scanner-util.c:93
    #4 0x5663d33d in scanner_insert_info ./jerryscript/jerry-core/parser/js/js-scanner-util.c:183
    #5 0x5663f35b in scanner_pop_literal_pool ./jerryscript/jerry-core/parser/js/js-scanner-util.c:949
    #6 0x5664e18f in scanner_scan_all ./jerryscript/jerry-core/parser/js/js-scanner.c:3366
    #7 0x5663913b in parser_parse_source ./jerryscript/jerry-core/parser/js/js-parser.c:2167
    #8 0x565cc3cf in jerry_parse_common ./jerryscript/jerry-core/api/jerryscript.c:412
    #9 0x565cc631 in jerry_parse ./jerryscript/jerry-core/api/jerryscript.c:480
    #10 0x566c1644 in jerryx_source_parse_script ./jerryscript/jerry-ext/util/sources.c:52
    #11 0x566c1701 in jerryx_source_exec_script ./jerryscript/jerry-ext/util/sources.c:63
    #12 0x565c4d04 in main ./jerryscript/jerry-main/main-desktop.c:156
    #13 0xf769fed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)

SUMMARY: AddressSanitizer: heap-buffer-overflow ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2101 in scanner_is_context_needed
Shadow bytes around the buggy address:
  0x3ea20090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea200a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea200b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea200c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea200d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 04
=>0x3ea200e0: fa fa 00[06]fa fa 00 07 fa fa 00 06 fa fa 00 03
  0x3ea200f0: fa fa 00 07 fa fa 00 00 fa fa fa fa fa fa fa fa
  0x3ea20100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea20110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea20120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea20130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1326574==ABORTING

with debugging mode(--debug)

Outputs
ICE: Assertion 'type == SCANNER_STREAM_TYPE_VAR || type == SCANNER_STREAM_TYPE_LET || type == SCANNER_STREAM_TYPE_CONST || type == SCANNER_STREAM_TYPE_FUNC || is_import' failed at ./jerryscript/jerry-core/parser/js/js-scanner-util.c(scanner_is_context_needed):2080.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted

Credits: @Ye0nny, @EJueon of the seclab-yonsei.