
stack-overflow in vm_loop #3750

Closed
owl337 opened this issue May 17, 2020 · 1 comment
Labels
bug Undesired behaviour


owl337 commented May 17, 2020

JerryScript revision

bd1c4df

Build platform

Ubuntu 16.04.6 LTS (Linux 4.15.0-99-generic x86_64)

Build steps
python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --lto=off --error-message=on --system-allocator=on
Test case
function test_1 ()
{
 'use strict';

 // The getter reads (10).getter, which invokes this same getter again,
 // so the first property read below recurses without bound.
 Object.defineProperty (Number.prototype,
                        'getter',
                        { get : function () { ((10).getter === 10) }, configurable : true });

 assert ((10).getter === 10);
 assert (typeof ((10).getter) === 'number');

 delete Number.prototype.getter;
}

test_1 ();
Output
ASAN:SIGSEGV
=================================================================
==97962==ERROR: AddressSanitizer: stack-overflow on address 0xff3a7e74 (pc 0x080b7d3c bp 0xff3a8178 sp 0xff3a7e50 T0)
    #0 0x80b7d3b in vm_loop /home/jerryscript/jerry-core/vm/vm.c:948
    #1 0x80c2d8c in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4124
    #2 0x80c32fb in vm_run /home/jerryscript/jerry-core/vm/vm.c:4232
    #3 0x8083ff1 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:886
    #4 0x8084716 in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1085
    #5 0x808a4ce in ecma_op_object_find_own /home/jerryscript/jerry-core/ecma/operations/ecma-objects.c:658
    #6 0x808a810 in ecma_op_object_get_with_receiver /home/jerryscript/jerry-core/ecma/operations/ecma-objects.c:830
    #7 0x80e0828 in ecma_op_get_value_object_base /home/jerryscript/jerry-core/ecma/operations/ecma-get-put-value.c:188
    #8 0x80b6d71 in vm_op_get_value /home/jerryscript/jerry-core/vm/vm.c:141
    #9 0x80bb462 in vm_loop /home/jerryscript/jerry-core/vm/vm.c:2155
    #10 0x80c2d8c in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4124
    .......
    #246 0x8083ff1 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:886
    #247 0x8084716 in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1085
    #248 0x808a4ce in ecma_op_object_find_own /home/jerryscript/jerry-core/ecma/operations/ecma-objects.c:658
    #249 0x808a810 in ecma_op_object_get_with_receiver /home/jerryscript/jerry-core/ecma/operations/ecma-objects.c:830
    #250 0x80e0828 in ecma_op_get_value_object_base /home/jerryscript/jerry-core/ecma/operations/ecma-get-put-value.c:188

SUMMARY: AddressSanitizer: stack-overflow /home/jerryscript/jerry-core/vm/vm.c:948 vm_loop
==97962==ABORTING

Credits: This vulnerability was detected by chong from OWL337.

@dbatyai dbatyai added the bug Undesired behaviour label May 21, 2020
rerobika (Member) commented

That's expected behavior. You can use the --stack-limit option when building the engine to limit the maximum amount of stack that the engine can use. Whenever this option is enabled, a RangeError is thrown for this test case.
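As an added illustration of the outcome the maintainer describes as expected, not code from the report or from JerryScript: an engine that enforces a stack limit (Node.js here stands in for a build with --stack-limit) turns the report's self-invoking getter into a catchable RangeError instead of a native stack overflow. The function names and the depth counter are assumptions for this example.

```javascript
'use strict';

// Installs the self-referencing getter from the report on Number.prototype,
// reads it once, and classifies what the engine does with the unbounded
// recursion. The accessor is removed again in every case so later code
// sees a clean prototype, mirroring the delete at the end of the test case.
function probeRecursiveGetter() {
  let depth = 0; // nested getter invocations before the engine stopped them
  Object.defineProperty(Number.prototype, 'getter', {
    get: function () {
      depth++;
      return (10).getter === 10; // re-enters this getter: unbounded recursion
    },
    configurable: true,
  });
  try {
    const value = (10).getter;
    return { outcome: 'returned', value: value, depth: depth };
  } catch (e) {
    // A bounded engine reports recursion exhaustion as a RangeError.
    const outcome = e instanceof RangeError ? 'RangeError' : 'other';
    return { outcome: outcome, error: String(e), depth: depth };
  } finally {
    delete Number.prototype.getter;
  }
}

// Confirms the accessor did not survive the probe.
function prototypeIsClean() {
  return !Object.prototype.hasOwnProperty.call(Number.prototype, 'getter');
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = probeRecursiveGetter();
  console.log('outcome=' + r.outcome + ' depth=' + r.depth + ' clean=' + prototypeIsClean());
}
```

The recursion depth reached before the RangeError depends on the host's stack limit, so only the outcome, not the exact depth, is stable across engines.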
