
heap-buffer-overflow in ecma_op_container_iterator_next #2950

Closed
renatahodovan opened this issue Jul 8, 2019 · 0 comments · Fixed by #2960
Labels
bug (Undesired behaviour), ES2015 (Related to ES2015 features)

Comments

@renatahodovan
Contributor

JerryScript revision

2b8c428

Build platform

Linux-4.15.0-54-generic-x86_64-with-Ubuntu-18.04-bionic

Build steps

./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g \
--strip=off --system-allocator=on --logging=on \
--linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset

Test case

var str = new Map()
var iterator = str[ Symbol.iterator ]()
iterator.next.call({ })

Backtrace

=================================================================
==27354==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5200084 at pc 0x566b9653 bp 0xffb19e08 sp 0xffb19df8
READ of size 4 at 0xf5200084 thread T0
    #0 0x566b9652 in ecma_op_container_iterator_next jerryscript/jerry-core/ecma/operations/ecma-container-object.c:707
    #1 0x56650e97 in ecma_builtin_map_iterator_prototype_object_next jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-map-iterator-prototype.c:58
    #2 0x56650e50 in ecma_builtin_map_iterator_prototype_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-map-iterator-prototype.inc.h:30
    #3 0x566aeb92 in ecma_builtin_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1016
    #4 0x566aedf3 in ecma_builtin_dispatch_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1041
    #5 0x566bfca4 in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:727
    #6 0x56648be3 in ecma_builtin_function_prototype_object_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:219
    #7 0x566484e9 in ecma_builtin_function_prototype_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.inc.h:42
    #8 0x566aeb92 in ecma_builtin_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1016
    #9 0x566aedf3 in ecma_builtin_dispatch_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1041
    #10 0x566bfca4 in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:727
    #11 0x5667296b in opfunc_call jerryscript/jerry-core/vm/vm.c:572
    #12 0x56683683 in vm_execute jerryscript/jerry-core/vm/vm.c:3574
    #13 0x56683f86 in vm_run jerryscript/jerry-core/vm/vm.c:3694
    #14 0x56671c14 in vm_run_global jerryscript/jerry-core/vm/vm.c:273
    #15 0x566cd51a in jerry_run jerryscript/jerry-core/api/jerry.c:550
    #16 0x566c9f9c in main jerryscript/jerry-main/main-unix.c:742
    #17 0xf77a0e80 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e80)
    #18 0x565f9160  (jerryscript/build_gcc_asan_es2015/bin/jerry+0x16160)

0xf5200084 is located 4 bytes to the right of 16-byte region [0xf5200070,0xf5200080)
allocated by thread T0 here:
    #0 0xf7a67f34 in malloc (/usr/lib32/libasan.so.4+0xe5f34)
    #1 0x566a061f in jmem_heap_alloc_block_internal jerryscript/jerry-core/jmem/jmem-heap.c:293
    #2 0x566a06ef in jmem_heap_gc_and_alloc_block jerryscript/jerry-core/jmem/jmem-heap.c:327
    #3 0x566a07c4 in jmem_heap_alloc_block jerryscript/jerry-core/jmem/jmem-heap.c:373
    #4 0x566a0ba5 in jmem_pools_alloc jerryscript/jerry-core/jmem/jmem-poolman.c:104
    #5 0x5668406a in ecma_alloc_object jerryscript/jerry-core/ecma/base/ecma-alloc.c:84
    #6 0x566efeff in ecma_create_object jerryscript/jerry-core/ecma/base/ecma-helpers.c:85
    #7 0x566760d1 in vm_loop jerryscript/jerry-core/vm/vm.c:1185
    #8 0x56683623 in vm_execute jerryscript/jerry-core/vm/vm.c:3568
    #9 0x56683f86 in vm_run jerryscript/jerry-core/vm/vm.c:3694
    #10 0x56671c14 in vm_run_global jerryscript/jerry-core/vm/vm.c:273
    #11 0x566cd51a in jerry_run jerryscript/jerry-core/api/jerry.c:550
    #12 0x566c9f9c in main jerryscript/jerry-main/main-unix.c:742
    #13 0xf77a0e80 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e80)

SUMMARY: AddressSanitizer: heap-buffer-overflow jerryscript/jerry-core/ecma/operations/ecma-container-object.c:707 in ecma_op_container_iterator_next
==27354==ABORTING

Found by Fuzzinator with grammarinator.
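The test case above hands a Map iterator's next method a plain object that carries none of the iterator's internal fields. As an added example (not part of the issue or of JerryScript's own test suite), the following Node.js check generalizes that to the other ES2015 built-in iterators and to several constructed foreign receivers; a conforming engine must answer every combination with a TypeError rather than read memory the receiver does not own.

```javascript
// Added example (not from the issue or JerryScript): regression check for the
// bug class behind #2950: a built-in next() must reject a foreign receiver
// with TypeError instead of reading iterator-internal fields out of it.

// next() methods of the ES2015 built-in iterators, taken from fresh iterators.
const iteratorNextMethods = {
  Map: new Map()[Symbol.iterator]().next,
  Set: new Set()[Symbol.iterator]().next,
  Array: [][Symbol.iterator]().next,
  String: ''[Symbol.iterator]().next,
};

// Constructed receivers that are not an iterator of any of those kinds.
// plainObject is exactly what the issue's test case passes to next().
const foreignReceivers = {
  plainObject: {},
  nullValue: null,
  undefinedValue: undefined,
  number: 42,
  mapInstance: new Map(), // a Map, but not a Map iterator
};

// Invoke next() on each foreign receiver; returns label -> outcome string.
function probeNext(next) {
  const outcome = {};
  for (const [label, receiver] of Object.entries(foreignReceivers)) {
    try {
      next.call(receiver);
      outcome[label] = 'no error';
    } catch (e) {
      outcome[label] = e instanceof TypeError ? 'TypeError' : `other: ${e.name}`;
    }
  }
  return outcome;
}

// True only if every foreign receiver was rejected with a TypeError.
function rejectsForeignReceivers(next) {
  return Object.values(probeNext(next)).every((r) => r === 'TypeError');
}

// Check every iterator kind; a conforming engine yields all-true.
function checkAllIterators() {
  const report = {};
  for (const [kind, next] of Object.entries(iteratorNextMethods)) {
    report[kind] = rejectsForeignReceivers(next);
  }
  return report;
}
```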

rerobika added the bug (Undesired behaviour) and ES2015 (Related to ES2015 features) labels Jul 10, 2019
rerobika added a commit to rerobika/jerryscript that referenced this issue Jul 10, 2019
…t routine

This patch fixes jerryscript-project#2950.

Co-authored-by: Gabor Loki [email protected]
JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]
dbatyai pushed a commit that referenced this issue Jul 11, 2019
…t routine (#2960)

This patch fixes #2950.

Co-authored-by: Gabor Loki [email protected]
JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]