Samsung/escargot

Null pointer dereference in Escargot::NativeFunctionObject::processNativeFunctionCall

Ye0nny opened this issue · 1 comment

Escargot

  • OS: Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
  • Revision: 023b7ea

Build Steps

cmake -DCMAKE_CXX_FLAGS=-fsanitize=address -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=shell -GNinja

Describe the bug
Null pointer dereference: invoking the non-callable object returned by Object.getPrototypeOf() on a generator function reaches NativeFunctionObject::processNativeFunctionCall (src/runtime/FunctionObjectInlines.h:312), which then jumps to address 0 (backtrace frame #0) — apparently a call through a null function pointer — instead of raising the expected TypeError. Because the trigger is plain JavaScript, any embedder that evaluates untrusted scripts can be crashed this way (denial of service).

Test case

testcase

// Original fuzzer-generated test case. Only the call made on the result of
// Object.getPrototypeOf() matters; the loop, the generator parameters and the
// generator body are incidental (the minimized poc.js reproduces the crash
// with a single call).
for ( var a = 0 ; a < 128 ; a ++ ) { 
	// Object.getPrototypeOf(genFn) is %GeneratorFunction.prototype%, an
	// ordinary, non-callable object. The trailing "( )" invokes it with zero
	// arguments (argc=0 in backtrace frame #1). Per the expected behavior this
	// must throw TypeError; the engine instead jumps through a null pointer
	// (frame #0 at 0x0000000000000000).
	Object. getPrototypeOf ( 
		function * func0 ( f,... a ) { 
			// Not reached: both the crash and the expected TypeError occur at
			// the call site, before func0 (or the .next() below) could run.
			// `g` is not defined anywhere in the test case.
			g. apply ( null, [ a ] ) ; yield * ( this, a ) ; 
		} 
	) ( ). next ( ) ; 
}

// poc.js — minimized reproducer: a single call is enough, no loop required.
// Object.getPrototypeOf(function*(){}) returns %GeneratorFunction.prototype%,
// which is not callable. Calling it should raise
// "TypeError: Object.getPrototypeOf(...) is not a function" (see Expected
// behavior); on revision 023b7ea it instead crashes inside
// NativeFunctionObject::processNativeFunctionCall (backtrace frame #1).
Object. getPrototypeOf ( 
	function * func0 ( ) { } 
) ( )

Execution steps & Output

$ ./escargot poc.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==992499==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x7fff438dbe10 sp 0x7fff438dbbe8 T0)
==992499==Hint: pc points to the zero page.
==992499==The signal is caused by a READ memory access.
==992499==Hint: address points to the zero page.

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>)
==992499==ABORTING

Backtrace

(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x000055555591c90e in Escargot::NativeFunctionObject::processNativeFunctionCall<false, true> (this=0xa71b0, state=..., receiverSrc=..., argc=0, argv=0x7fffffffd970, newTarget=...) at src/runtime/FunctionObjectInlines.h:312
#2  0x000055555591c438 in Escargot::NativeFunctionObject::call (this=0xa71b0, state=..., thisValue=..., argc=0, argv=0x7fffffffd970) at src/runtime/NativeFunctionObject.cpp:78
#3  0x000055555571bea7 in Escargot::Interpreter::interpret (state=0x7fffffffd9b0, byteCodeBlock=0xd7f50, programCounter=93825000380232, registerFile=0x7fffffffd970) at src/interpreter/ByteCodeInterpreter.cpp:766
#4  0x00005555557db35f in Escargot::Script::execute (this=0x5a070, state=..., isExecuteOnEvalFunction=false, inStrictMode=false) at src/parser/Script.cpp:499
#5  0x0000555555643544 in Escargot::ScriptRef::execute (this=0x5a070, state=0x7fffffffde40) at src/api/EscargotPublic.cpp:4706
#6  0x00005555559a706d in <lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::operator()(Escargot::ExecutionStateRef *, Escargot::ScriptRef *) const (__closure=0x0, state=0x7fffffffde40, script=0x5a070) at src/shell/Shell.cpp:785
#7  0x00005555559a7098 in <lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *) () at src/shell/Shell.cpp:786
#8  0x00005555559ac40e in Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<0ul>::apply<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&, Escargot::ExecutionStateRef*&, Escargot::ScriptRef*&> (
    f=@0x7fffffffdd48: 0x5555559a706f <<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *)>) at src/api/EscargotPublic.h:521
#9  0x00005555559abec6 in Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<1ul>::apply<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&, Escargot::ScriptRef*&> (
    f=@0x7fffffffdd48: 0x5555559a706f <<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *)>, t=std::tuple containing = {...}) at src/api/EscargotPublic.h:510
#10 0x00005555559ab742 in Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<2ul>::apply<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&> (
    f=@0x7fffffffdd48: 0x5555559a706f <<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *)>, t=std::tuple containing = {...}) at src/api/EscargotPublic.h:510
#11 0x00005555559aadd5 in Escargot::EvaluatorUtil::applyTupleIntoArgumentsOfVariadicTemplateFunction<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&> (
    f=@0x7fffffffdd48: 0x5555559a706f <<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *)>, t=std::tuple containing = {...}) at src/api/EscargotPublic.h:531
#12 0x00005555559aa0a7 in Escargot::Evaluator::executeImpl<Escargot::ContextRef, Escargot::ScriptRef*>(Escargot::ContextRef*, Escargot::ValueRef* (*)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), Escargot::ScriptRef*)::{lambda(Escargot::ExecutionStateRef*, void*, void*)#1}::operator()(Escargot::ExecutionStateRef*, void*, void*) const (this=0x0,
    state=0x7fffffffde40, tuplePtr=0x7fffffffdfc0, fnPtr=0x5555559a706f <<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *)>) at src/api/EscargotPublic.h:612
#13 0x00005555559aa0ee in Escargot::Evaluator::executeImpl<Escargot::ContextRef, Escargot::ScriptRef*>(Escargot::ContextRef*, Escargot::ValueRef* (*)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), Escargot::ScriptRef*)::{lambda(Escargot::ExecutionStateRef*, void*, void*)#1}::_FUN(Escargot::ExecutionStateRef*, void*, void*) ()
    at src/api/EscargotPublic.h:606
#14 0x0000555555641896 in Escargot::Evaluator::<lambda(Escargot::ExecutionState&, void*)>::operator()(Escargot::ExecutionState &, void *) const (__closure=0x0, state=..., data=0x7fffffffdee0) at src/api/EscargotPublic.cpp:1087
#15 0x00005555556418d0 in Escargot::Evaluator::<lambda(Escargot::ExecutionState&, void*)>::_FUN(Escargot::ExecutionState &, void *) () at src/api/EscargotPublic.cpp:1088
#16 0x0000555555958d08 in Escargot::SandBox::run (this=0x7fffffffdf30, scriptRunner=0x5555556418a7 <Escargot::Evaluator::<lambda(Escargot::ExecutionState&, void*)>::_FUN(Escargot::ExecutionState &, void *)>, data=0x7fffffffdee0) at src/runtime/SandBox.cpp:111
#17 0x00005555556419a0 in Escargot::Evaluator::executeFunction (ctx=0xa3af0,
    runner=0x5555559aa0bd <Escargot::Evaluator::executeImpl<Escargot::ContextRef, Escargot::ScriptRef*>(Escargot::ContextRef*, Escargot::ValueRef* (*)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), Escargot::ScriptRef*)::{lambda(Escargot::ExecutionStateRef*, void*, void*)#1}::_FUN(Escargot::ExecutionStateRef*, void*, void*)>, data=0x7fffffffdfc0,
    data2=0x5555559a706f <<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *)>) at src/api/EscargotPublic.cpp:1089
#18 0x00005555559aa17f in Escargot::Evaluator::executeImpl<Escargot::ContextRef, Escargot::ScriptRef*> (p=0xa3af0, fn=0x5555559a706f <<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *)>) at src/api/EscargotPublic.h:614
#19 0x00005555559a92e1 in Escargot::Evaluator::execute<Escargot::ScriptRef*, evalScript(Escargot::ContextRef*, Escargot::StringRef*, Escargot::StringRef*, bool, bool)::<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)> >(Escargot::ContextRef *, <lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)> &&) (ctx=0xa3af0, closure=...)
    at src/api/EscargotPublic.h:585
#20 0x00005555559a7375 in evalScript (context=0xa3af0, source=0xd4f70, srcName=0x7a070, shouldPrintScriptResult=false, isModule=false) at src/shell/Shell.cpp:787
#21 0x00005555559a8765 in main (argc=2, argv=0x7fffffffe318) at src/shell/Shell.cpp:1138


When executed in release mode

Output

Segmentation fault

Expected behavior

poc.js:3: TypeError: Object.getPrototypeOf(...) is not a function
) ( )
  ^
TypeError: Object.getPrototypeOf(...) is not a function
    at poc.js:3:3

Credits: @Ye0nny, @EJueon

Fixed by #1328. Thanks for reporting!