heap-buffer-overflow in ecma_builtin_json_parse_string #2180

Closed
renatahodovan (Contributor) opened this issue Jan 30, 2018 · 0 comments
Jerry version:
Checked revision: 918eb22a
Build command: ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-g --jerry-libc=off --static-link=off --strip=off --system-allocator=on --linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset
OS:
Ubuntu 17.10
Test case:
JSON.parse('"' + '\\');
Backtrace:
=================================================================
==20840==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5d0065a at pc 0x5665f4ca bp 0xffa22e68 sp 0xffa22e58
READ of size 1 at 0xf5d0065a thread T0
    #0 0x5665f4c9 in ecma_builtin_json_parse_string jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:164
    #1 0x566607e9 in ecma_builtin_json_parse_next_token jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:435
    #2 0x56660d80 in ecma_builtin_json_parse_value jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:550
    #3 0x56661acf in ecma_builtin_json_parse jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:822
    #4 0x5665ef92 in ecma_builtin_json_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.inc.h:26
    #5 0x566c6de5 in ecma_builtin_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.inc.h:135
    #6 0x566c74d1 in ecma_builtin_dispatch_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:844
    #7 0x566d06a9 in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:342
    #8 0x5667697e in opfunc_call jerryscript/jerry-core/vm/vm.c:425
    #9 0x56683328 in vm_execute jerryscript/jerry-core/vm/vm.c:2871
    #10 0x56683b6b in vm_run jerryscript/jerry-core/vm/vm.c:2951
    #11 0x56675f58 in vm_run_global jerryscript/jerry-core/vm/vm.c:232
    #12 0x566dde23 in jerry_run jerryscript/jerry-core/api/jerry.c:559
    #13 0x566da945 in main jerryscript/jerry-main/main-unix.c:664
    #14 0xf77a8985 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18985)
    #15 0x56613150  (jerryscript/build/bin/jerry+0x13150)

0xf5d0065a is located 0 bytes to the right of 10-byte region [0xf5d00650,0xf5d0065a)
allocated by thread T0 here:
    #0 0xf7a67bc4 in malloc (/usr/lib32/libasan.so.4+0xe4bc4)
    #1 0x5669fa4d in jmem_heap_alloc_block_internal jerryscript/jerry-core/jmem/jmem-heap.c:324
    #2 0x5669fb1a in jmem_heap_gc_and_alloc_block jerryscript/jerry-core/jmem/jmem-heap.c:360
    #3 0x5669fbef in jmem_heap_alloc_block jerryscript/jerry-core/jmem/jmem-heap.c:406
    #4 0x56683edb in ecma_alloc_string_buffer jerryscript/jerry-core/ecma/base/ecma-alloc.c:182
    #5 0x566f7654 in ecma_append_chars_to_string jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:621
    #6 0x566f81d4 in ecma_concat_ecma_strings jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:738
    #7 0x5661ac4f in opfunc_addition jerryscript/jerry-core/vm/opcodes-ecma-arithmetics.c:154
    #8 0x5667d3e9 in vm_loop jerryscript/jerry-core/vm/vm.c:1722
    #9 0x566832c7 in vm_execute jerryscript/jerry-core/vm/vm.c:2862
    #10 0x56683b6b in vm_run jerryscript/jerry-core/vm/vm.c:2951
    #11 0x56675f58 in vm_run_global jerryscript/jerry-core/vm/vm.c:232
    #12 0x566dde23 in jerry_run jerryscript/jerry-core/api/jerry.c:559
    #13 0x566da945 in main jerryscript/jerry-main/main-unix.c:664
    #14 0xf77a8985 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18985)

SUMMARY: AddressSanitizer: heap-buffer-overflow jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:164 in ecma_builtin_json_parse_string
Shadow bytes around the buggy address:
  0x3eba0070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eba0080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eba0090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eba00a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eba00b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3eba00c0: fa fa fa fa fa fa fa fa fa fa 00[02]fa fa 00 00
  0x3eba00d0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 00
  0x3eba00e0: fa fa 00 01 fa fa fd fa fa fa 00 05 fa fa 00 02
  0x3eba00f0: fa fa 00 06 fa fa 00 00 fa fa fa fa fa fa fa fa
  0x3eba0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eba0110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20840==ABORTING

Found by Fuzzinator with grammarinator.
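The report above boils down to a JSON string scanner that, on seeing a backslash, steps to the next byte to read the escape character without first checking that such a byte exists; the two-byte input `"\` therefore reads one past the end of the freshly allocated 10-byte string buffer. The following is an added example, not JerryScript's code: a minimal scanner over an explicit `[buf, buf+len)` range that shows the unchecked pattern next to the bounds-checked one. All names (`json_input_t`, `peek_at`, `scan_string_unchecked`, `scan_string_checked`) and the sample inputs are constructed for this illustration; reads go through an instrumented accessor so the unchecked variant records its out-of-bounds read instead of actually touching memory it does not own. The checked variant also covers the same class of bug for a truncated `\uXXXX` escape, which the report does not exercise.

```c
/* Added example (not JerryScript code): unchecked vs. checked JSON string
 * scanning. The input is a byte range [buf, buf+len) with no terminating
 * NUL, as with a heap-allocated string; the scanner must never read at or
 * past buf+len. peek_at() stands in for the raw pointer dereference and
 * counts out-of-bounds reads rather than performing them. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t oob_reads;   /* reads that landed outside [0, len) */
} json_input_t;

static json_input_t make_input(const char *bytes, size_t len)
{
    json_input_t in = { (const uint8_t *) bytes, len, 0 };
    return in;
}

/* Instrumented byte read: a real parser would crash or leak here. */
static uint8_t peek_at(json_input_t *in, size_t pos)
{
    if (pos >= in->len) {
        in->oob_reads++;
        return 0;
    }
    return in->buf[pos];
}

static bool is_hex(uint8_t c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
}

static bool is_simple_escape(uint8_t e)
{
    /* e != 0 first: strchr() would otherwise match the string terminator. */
    return e != 0 && strchr("\"\\/bfnrt", e) != NULL;
}

/* Vulnerable pattern: after '\\' the escape character (and the hex digits
 * of \uXXXX) are read without checking that they exist. Returns the number
 * of bytes consumed, or 0 for a malformed string. */
size_t scan_string_unchecked(json_input_t *in)
{
    size_t pos = 0;
    if (peek_at(in, pos++) != '"')
        return 0;
    for (;;) {
        uint8_t c = peek_at(in, pos++);
        if (c == '"')
            return pos;
        if (c == '\\') {
            uint8_t e = peek_at(in, pos++);      /* BUG: no pos < len check */
            if (e == 'u') {
                for (int i = 0; i < 4; i++)
                    if (!is_hex(peek_at(in, pos++))) /* BUG: same */
                        return 0;
            } else if (!is_simple_escape(e)) {
                return 0;
            }
            continue;
        }
        if (c < 0x20)   /* control character, or the 0 from past-the-end */
            return 0;
    }
}

/* Hardened form: every consumption is preceded by a remaining-length check,
 * so the scanner fails cleanly on "\  and on a truncated \uXXXX. */
size_t scan_string_checked(json_input_t *in)
{
    size_t pos = 0;
    if (in->len < 1 || peek_at(in, pos++) != '"')
        return 0;
    while (pos < in->len) {
        uint8_t c = peek_at(in, pos++);
        if (c == '"')
            return pos;
        if (c == '\\') {
            if (pos >= in->len)             /* FIX: escape char must exist */
                return 0;
            uint8_t e = peek_at(in, pos++);
            if (e == 'u') {
                if (in->len - pos < 4)      /* FIX: all four digits must exist */
                    return 0;
                for (int i = 0; i < 4; i++)
                    if (!is_hex(peek_at(in, pos++)))
                        return 0;
            } else if (!is_simple_escape(e)) {
                return 0;
            }
            continue;
        }
        if (c < 0x20)
            return 0;
    }
    return 0;   /* input ended before the closing quote */
}

int main(void)
{
    /* Constructed inputs: the reporter's "\ (quote, backslash), a valid
     * string with an escaped quote, and a truncated \u escape. */
    json_input_t a = make_input("\"\\", 2);
    json_input_t b = make_input("\"a\\\"b\"", 6);
    json_input_t c = make_input("\"\\u12", 5);
    printf("unchecked on \"\\ : consumed=%zu oob_reads=%zu\n",
           scan_string_unchecked(&a), a.oob_reads);
    a.oob_reads = 0;
    printf("checked   on \"\\ : consumed=%zu oob_reads=%zu\n",
           scan_string_checked(&a), a.oob_reads);
    printf("checked   on \"a\\\"b\": consumed=%zu\n", scan_string_checked(&b));
    printf("unchecked on \"\\u12: consumed=%zu oob_reads=%zu\n",
           scan_string_unchecked(&c), c.oob_reads);
    return 0;
}
```

The point of the instrumented accessor is only to make the defect observable in a stand-alone program; in the real engine the same control flow reads heap memory past the allocation, which is exactly what ASan flagged at the end of the 10-byte region. Note that the fix is a length check before each consumption, not after, and that the `\u` path needs a four-byte check of its own.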

DanielBallaSZTE pushed a commit to DanielBallaSZTE/jerryscript that referenced this issue Feb 1, 2018
Fixes jerryscript-project#2180

JerryScript-DCO-1.0-Signed-off-by: Daniel Balla [email protected]
JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]
dbatyai pushed a commit that referenced this issue Feb 1, 2018
Fixes #2180, #2192

JerryScript-DCO-1.0-Signed-off-by: Daniel Balla [email protected]