
heap-buffer-overflow in ecma_builtin_function_prototype_object_apply #2182

Closed
renatahodovan opened this issue Jan 30, 2018 · 0 comments
Labels
bug Undesired behaviour

Comments

@renatahodovan
Contributor

Jerry version:
Checked revision: 918eb22a
Build command: ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-g --jerry-libc=off --static-link=off --strip=off --system-allocator=on --linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset
OS:
Ubuntu 17.10
Test case:
// A function with three formal parameters, called via apply() with an array-like
// whose length is 0x40000001 (just over 2^30); the same reproducer, reformatted.
function applyTest (x, y, z) { }
applyTest.apply('mythis', { length: 0x40000001 });
Backtrace:
=================================================================
==12788==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5f00554 at pc 0x0829f072 bp 0xffd6f7c8 sp 0xffd6f7bc
WRITE of size 4 at 0xf5f00554 thread T0
    #0 0x829f071 in ecma_builtin_function_prototype_object_apply jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:140:35
    #1 0x829e741 in ecma_builtin_function_prototype_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.inc.h:41:1
    #2 0x81ecb36 in ecma_builtin_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.inc.h:108:1
    #3 0x81ebb55 in ecma_builtin_dispatch_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:844:17
    #4 0x82038f2 in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:342:19
    #5 0x8277f73 in opfunc_call jerryscript/jerry-core/vm/vm.c:425:24
    #6 0x825e906 in vm_execute jerryscript/jerry-core/vm/vm.c:2871:7
    #7 0x825dc14 in vm_run jerryscript/jerry-core/vm/vm.c:2951:10
    #8 0x825d0cf in vm_run_global jerryscript/jerry-core/vm/vm.c:232:28
    #9 0x817673c in jerry_run jerryscript/jerry-core/api/jerry.c:559:24
    #10 0x816ea31 in main jerryscript/jerry-main/main-unix.c:664:21
    #11 0xf7c11985 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18985)
    #12 0x806fe97 in _start (jerryscript/build/bin/jerry+0x806fe97)

0xf5f00554 is located 0 bytes to the right of 4-byte region [0xf5f00550,0xf5f00554)
allocated by thread T0 here:
    #0 0x81334b4 in malloc (jerryscript/build/bin/jerry+0x81334b4)
    #1 0x822a8f7 in jmem_heap_alloc_block_internal jerryscript/jerry-core/jmem/jmem-heap.c:324:10
    #2 0x822a644 in jmem_heap_gc_and_alloc_block jerryscript/jerry-core/jmem/jmem-heap.c:360:24
    #3 0x822a464 in jmem_heap_alloc_block jerryscript/jerry-core/jmem/jmem-heap.c:406:10
    #4 0x829ee1d in ecma_builtin_function_prototype_object_apply jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:126:9
    #5 0x829e741 in ecma_builtin_function_prototype_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.inc.h:41:1
    #6 0x81ecb36 in ecma_builtin_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.inc.h:108:1
    #7 0x81ebb55 in ecma_builtin_dispatch_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:844:17
    #8 0x82038f2 in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:342:19
    #9 0x8277f73 in opfunc_call jerryscript/jerry-core/vm/vm.c:425:24
    #10 0x825e906 in vm_execute jerryscript/jerry-core/vm/vm.c:2871:7
    #11 0x825dc14 in vm_run jerryscript/jerry-core/vm/vm.c:2951:10
    #12 0x825d0cf in vm_run_global jerryscript/jerry-core/vm/vm.c:232:28
    #13 0x817673c in jerry_run jerryscript/jerry-core/api/jerry.c:559:24
    #14 0x816ea31 in main jerryscript/jerry-main/main-unix.c:664:21
    #15 0xf7c11985 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18985)

SUMMARY: AddressSanitizer: heap-buffer-overflow jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:140:35 in ecma_builtin_function_prototype_object_apply
==12788==ABORTING

Found by Fuzzinator with grammarinator.

@LaszloLango LaszloLango added the bug Undesired behaviour label Jan 31, 2018
zherczeg added a commit to zherczeg/jerryscript that referenced this issue Jan 31, 2018
The length*sizeof(ecma_value_t) may overflow on 32 bit systems, which
causes memory corruption when the values are filled.

Fixes jerryscript-project#2182.

JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg [email protected]
zherczeg added a commit to zherczeg/jerryscript that referenced this issue Feb 1, 2018
The length*sizeof(ecma_value_t) may overflow on 32 bit systems, which
causes memory corruption when the values are filled.

Fixes jerryscript-project#2182.

JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg [email protected]
dbatyai pushed a commit that referenced this issue Feb 1, 2018
The length*sizeof(ecma_value_t) may overflow on 32 bit systems, which
causes memory corruption when the values are filled.

Fixes #2182.

JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg [email protected]
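The commit message above names the root cause: on the 32-bit build, length * sizeof (ecma_value_t) wraps, so a length of 0x40000001 yields a 4-byte allocation (the "4-byte region" in the ASan report) that the fill loop then writes past. The C below is an added example, not JerryScript's code or its actual fix: it models that arithmetic with an explicit uint32_t, and shows a guarded size computation that rejects the length before anything is allocated. It assumes ecma_value_t is a 4-byte type.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for JerryScript's 4-byte ecma_value_t (assumption). */
typedef uint32_t ecma_value_t;

/* Models the arithmetic the report describes on the -m32 build, where size_t is
 * 32 bits wide: length * sizeof (ecma_value_t) silently wraps modulo 2^32. For
 * length 0x40000001 the product is 0x100000004, which wraps to 4: exactly the
 * "4-byte region" that ASan reports being written past. */
static uint32_t unchecked_alloc_size_32 (uint32_t length)
{
  return length * (uint32_t) sizeof (ecma_value_t);
}

/* Guarded variant: returns the byte size, or -1 when length * sizeof would not
 * fit in 32 bits. The bound is a division, so the check itself cannot overflow. */
static int64_t checked_alloc_size_32 (uint32_t length)
{
  if (length > UINT32_MAX / sizeof (ecma_value_t))
  {
    return -1;
  }
  return (int64_t) (length * (uint32_t) sizeof (ecma_value_t));
}

/* Simulates building the argument list for apply (): allocate with the checked
 * size, fill every slot, and return the number of slots written, or -1 when the
 * length is rejected. A rejected length never reaches malloc (), so the fill
 * loop cannot run past an undersized buffer as it did in the report. */
static int64_t fill_args_list (uint32_t length)
{
  int64_t size = checked_alloc_size_32 (length);
  if (size < 0)
  {
    return -1; /* an engine would typically throw a RangeError at this point */
  }
  ecma_value_t *args = malloc (size == 0 ? 1 : (size_t) size);
  if (args == NULL)
  {
    return -1;
  }
  for (uint32_t i = 0; i < length; i++)
  {
    args[i] = 0; /* placeholder for the "undefined" value */
  }
  free (args);
  return (int64_t) length;
}
```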