search

jerryscript-project / jerryscript

Ultra-lightweight JavaScript engine for the Internet of Things.
https://jerryscript.net
Apache License 2.0
6.96k stars 673 forks source link

SEGV ./jerry-core/ecma/base/ecma-helpers.c:238:58 #5101

Closed gandalf4a closed 8 months ago

gandalf4a commented 1 year ago
JerryScript revision
$ git show
commit a588e4966175a190ec6350b2a3689d30ed017ec9 (HEAD -> master, origin/master, origin/HEAD)
Author: Máté Tokodi <tokodi.mate.24@gmail.com>
Date:   Wed Sep 20 15:38:30 2023 +0200
Build & Execution platform
$ uname -a
Linux user-AYA-NEO-FOUNDER 5.19.0-43-generic #44~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon May 22 13:39:36 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Build steps
export CC=clang
python tools/build.py --compile-flag=-fsanitize-coverage=trace-pc-guard --compile-flag="-fsanitize=address -g" --profile=es.next --lto=off --compile-flag=-D_POSIX_C_SOURCE=200809 --stack-limit=15 --compile-flag=-Werror --compile-flag=-Wincompatible-pointer-types --compile-flag=-Wno-strict-prototypes
Test case

the pocfile.js

async function f0(a1, a2) {
    function f6(a7, a8, a9, ...a10) {
        return f0;
    }
    var o11 = {
        "get": f0,
    };
    var v12 = f0();
    v12.__proto__ = f0;
    async function f13(a14, a15) {
        ("h").matchAll(a14);
        return v12;
    }
    f13(v12);
    var v19 = new Proxy(f6, o11);
    f0.__proto__ = v19;
    f0["F"](h);
    return f0;
}
f0(f0, f0);
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// 
// STDOUT:
// 
// ARGS: /home/user/jerryscript/build/bin/jerry --reprl-fuzzilli
// EXECUTION TIME: 129ms
Execution steps
./build/bin/jerry pocfile.js
Output

asan report:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==4145220==ERROR: AddressSanitizer: SEGV on unknown address 0x000001632228 (pc 0x0000004fa98a bp 0x7ffd146d3570 sp 0x7ffd146d3450 T0)
==4145220==The signal is caused by a READ memory access.
    #0 0x4fa98a in ecma_get_object_type /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/base/ecma-helpers.c:238:58
    #1 0x530b2b in ecma_op_object_get_own_property_descriptor /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-objects.c:1806:7
    #2 0x53742e in ecma_proxy_object_get /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-proxy-object.c:1185:25
    #3 0x5bafa5 in ecma_builtin_string_prototype_object_match_all /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:384:32
    #4 0x5bafa5 in ecma_builtin_string_prototype_dispatch_routine /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:1397:12
    #5 0x50b96c in ecma_builtin_dispatch_routine /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460:10
    #6 0x50b96c in ecma_builtin_dispatch_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489:12
    #7 0x525d04 in ecma_op_function_call_native_built_in /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217:5
    #8 0x52548f in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411:16
    #9 0x5832d5 in opfunc_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:758:5
    #10 0x5832d5 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5217:9
    #11 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #12 0x52592a in ecma_op_function_call_simple /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1176:28
    #13 0x5254c5 in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1406:16
    #14 0x5832d5 in opfunc_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:758:5
    #15 0x5832d5 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5217:9
    #16 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #17 0x52592a in ecma_op_function_call_simple /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1176:28
    #18 0x5254c5 in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1406:16
    #19 0x5832d5 in opfunc_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:758:5
    #20 0x5832d5 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5217:9
    #21 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #22 0x52592a in ecma_op_function_call_simple /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1176:28
    #23 0x5254c5 in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1406:16
    #24 0x5373ba in ecma_proxy_object_get /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-proxy-object.c:1173:30
    #25 0x58d2a9 in vm_loop /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:2959:20
    #26 0x582c82 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5211:37
    #27 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #28 0x52592a in ecma_op_function_call_simple /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1176:28
    #29 0x5254c5 in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1406:16
    #30 0x5832d5 in opfunc_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:758:5
    #31 0x5832d5 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5217:9
    #32 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #33 0x52592a in ecma_op_function_call_simple /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1176:28
    #34 0x5254c5 in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1406:16
    #35 0x5832d5 in opfunc_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:758:5
    #36 0x5832d5 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5217:9
    #37 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #38 0x52592a in ecma_op_function_call_simple /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1176:28
    #39 0x5254c5 in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1406:16
    #40 0x5832d5 in opfunc_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:758:5
    #41 0x5832d5 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5217:9
    #42 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #43 0x52592a in ecma_op_function_call_simple /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1176:28
    #44 0x5254c5 in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1406:16
    #45 0x5832d5 in opfunc_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:758:5
    #46 0x5832d5 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5217:9
    #47 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #48 0x581ba0 in vm_run_global /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:286:25
    #49 0x4dae6a in jerry_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/api/jerryscript.c:548:24
    #50 0x5f9127 in jerryx_source_exec_script /home/user/fuzz/jerryscript_origin/jerryscript/jerry-ext/util/sources.c:68:14
    #51 0x4d6e94 in main /home/user/fuzz/jerryscript_origin/jerryscript/jerry-main/main-desktop.c:156:20
    #52 0x7f1536429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #53 0x7f1536429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #54 0x41ee74 in _start (/home/user/fuzz/jerryscript_origin/jerryscript/build/bin/jerry+0x41ee74)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/base/ecma-helpers.c:238:58 in ecma_get_object_type
==4145220==ABORTING
Backtrace
$ gdb -nx -q ./jerry -ex 'r /home/user/fuzzilli-0.9.3/Targets/Jerryscript/out/crashes/program_20230514101203_40AD785C-9A14-45A0-90E3-D89516D5715C_deterministic.js'
Reading symbols from ./jerry...
Starting program: /home/user/fuzz/jerryscript_origin/jerryscript/build/bin/jerry /home/user/fuzzilli-0.9.3/Targets/Jerryscript/out/crashes/program_20230514101203_40AD785C-9A14-45A0-90E3-D89516D5715C_deterministic.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004fa98a in ecma_get_object_type (object_p=object_p@entry=0x1632228) at /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/base/ecma-helpers.c:238
238   return (ecma_object_type_t) (object_p->type_flags_refs & ECMA_OBJECT_TYPE_MASK);
(gdb)
Expected behavior

SEGV or crash

Credits:

@gandalf4a of PKU-Changsha Institute for Computing and Digital Economy

gandalf4a commented 8 months ago

CVE-2024-29489 has been assigned for the issues