pcmacdon / jsish

Jsi is a small, C-embeddable javascript interpreter with tightly woven Web and DB support.
https://jsish.org/
MIT License

SEGV on unknown address in jsiEvalCodeSub #97

Open Ye0nny opened 10 months ago

Ye0nny commented 10 months ago
Jsish revision

Commit: https://github.com/pcmacdon/jsish/commit/42c694c152f7f4fbee34d5e14be37d6e0d09673f
Version: v3.5.0

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps

```sh
export JSI__SANITIZE=1
make
```
Test case

```javascript
var r = ( ( r, a ) => { return r + " foo " + a ; } ) ( " bar ", " foo " ). indexOf ('bar') ;
var r = [ " ", " ", " ", " ", " ", " ", true, " ",'" ', "'", " ", " J ", " k ", " _ ", " _x ", " _ " ] ;
for ( var f in r )
    for ( var t = 0 ; t < r. length ; t ++ )
        r [ t ] instanceof String ;
r [ t ] = t >= 5? " foo " : r [ t ] + " " ;
'" foobar " + " barbazar "';
```

```javascript
// poc.js
var r = [" "];
for ( var f in r )
    r [ t ] instanceof String ;
```
Execution steps & Output

```text
$ ./jsish/jsish poc.js
poc.js:2: bug: next: toq not a iter
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2159566==ERROR: AddressSanitizer: SEGV on unknown address 0x60c000018280 (pc 0x60c000018280 bp 0x7fffd6d35610 sp 0x7fffd6d34d18 T0)
==2159566==The signal is caused by a READ memory access.
==2159566==Hint: PC is at a non-executable region. Maybe a wild jump?
    #0 0x60c000018280  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>)
==2159566==ABORTING
```
Backtrace

```text
(gdb) bt
#0  0x000060c000018280 in ?? ()
#1  0x00000000007691c0 in jsiEvalCodeSub (ps=<optimized out>, opcodes=<optimized out>, scope=<optimized out>, currentScope=0x603000000160, _this=<optimized out>, vret=<optimized out>) at src/jsiEval.c:1657
#2  0x0000000000780f27 in jsi_evalcode (ps=<optimized out>, func=<optimized out>, opcodes=<optimized out>, scope=<optimized out>, fargs=<optimized out>, _this=<optimized out>, vret=<optimized out>,
    fi=<optimized out>) at src/jsiEval.c:2227
#3  0x0000000000783970 in jsi_evalStrFile (interp=<optimized out>, path=<optimized out>, str=<optimized out>, flags=<optimized out>, level=0) at src/jsiEval.c:2688
#4  0x000000000074a727 in Jsi_EvalFile (interp=0x62e000000400, fname=0x603000006610, flags=73) at src/jsiEval.c:2729
#5  0x00000000005176d6 in Jsi_Main (opts=<optimized out>) at src/jsiInterp.c:936
#6  0x0000000000defaa4 in jsi_main (argc=<optimized out>, argv=<optimized out>) at src/main.c:47
#7  0x00007ffff7c4a083 in __libc_start_main (main=0xdefc80 <main>, argc=2, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe348)
    at ../csu/libc-start.c:308
#8  0x000000000042c9be in _start ()
(gdb)
```

When executed in release mode

Outputs

```text
poc.js:2: bug: next: toq not a iter
Segmentation fault
```

Credits: @Ye0nny, @EJueon of the seclab-yonsei.
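As an added reference, not part of the issue or of the jsish project, the following Node.js snippet evaluates both of the reporter's scripts in a spec-conforming engine and records the behaviour a fixed interpreter should match: the full case completes normally (after the loops `t` is 16, so `r[16]` is set and the array has 17 entries), and the reduced `poc.js` raises a `ReferenceError` for the undeclared `t`, i.e. an ordinary interpreter error rather than a memory fault. The names `runInReferenceEngine` and `referenceBehaviour` are this example's own.

```javascript
// Added example, not code from the issue or the jsish project: evaluate the
// reporter's two scripts in a spec-conforming engine (Node.js) to record the
// behaviour a fixed interpreter should reproduce. Function names are ours.

// Full fuzzer-generated test case, copied from the report; a final `return`
// is appended so the caller can inspect the resulting array.
const FULL_CASE = `
var r = ( ( r, a ) => { return r + " foo " + a ; } ) ( " bar ", " foo " ). indexOf ('bar') ;
var r = [ " ", " ", " ", " ", " ", " ", true, " ",'" ', "'", " ", " J ", " k ", " _ ", " _x ", " _ " ] ;
for ( var f in r ) for ( var t = 0 ; t < r. length ; t ++ ) r [ t ] instanceof String ;
r [ t ] = t >= 5? " foo " : r [ t ] + " " ;
'" foobar " + " barbazar "';
return r;
`;

// Reduced poc.js from the report: `t` is never declared.
const REDUCED_CASE = `
var r = [" "];
for ( var f in r )
    r [ t ] instanceof String ;
`;

// Run a script body as a function and classify the outcome. A conforming
// engine either completes or throws a catchable JS error; it never faults.
function runInReferenceEngine(source) {
  try {
    const result = new Function(source)();
    return { outcome: "completed", result };
  } catch (e) {
    return { outcome: "error", error: e.constructor.name, message: e.message };
  }
}

// Reference results for a regression test:
//   full:    completes; t === 16 after the loops, so r[16] = " foo " (length 17)
//   reduced: ReferenceError ("t is not defined"), reported rather than a SEGV
function referenceBehaviour() {
  return {
    full: runInReferenceEngine(FULL_CASE),
    reduced: runInReferenceEngine(REDUCED_CASE),
  };
}

// Stand-alone usage: print both outcomes.
console.log(JSON.stringify(referenceBehaviour(), null, 2));
```

The point of the oracle is the second result: an unresolved identifier inside a `for ... in` body is a scripting error in the reporter's input, and the expected failure mode is an error message from the evaluator, which is what a fix to `jsiEvalCodeSub` should be checked against.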