heap-buffer-overflow in lexer_compare_identifier_to_chars
Ye0nny opened this issue · 0 comments
Ye0nny commented
JerryScript revision
Commit: 1a2c047
Version: v3.0.0
Build platform
Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
Build steps
python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
Test case
// poc1.js
class C {#static async''
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc1.js
=================================================================
==3572149==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5500959 at pc 0x0839f1a4 bp 0xffbc0428 sp 0xffbc0420
READ of size 1 at 0xf5500959 thread T0
#0 0x839f1a3 in lexer_compare_identifier_to_chars jerryscript/jerry-core/parser/js/js-lexer.c:3297:9
#1 0x839f4c1 in lexer_compare_identifiers jerryscript/jerry-core/parser/js/js-lexer.c
#2 0x83b5a37 in parser_check_duplicated_private_field jerryscript/jerry-core/parser/js/js-parser-expr.c:416:9
#3 0x83a2c8c in parser_parse_class_body jerryscript/jerry-core/parser/js/js-parser-expr.c:701:9
#4 0x83a2c8c in parser_parse_class jerryscript/jerry-core/parser/js/js-parser-expr.c:1110:27
#5 0x83c9958 in parser_parse_statements jerryscript/jerry-core/parser/js/js-parser-statm.c:2787:9
#6 0x8284a25 in parser_parse_source jerryscript/jerry-core/parser/js/js-parser.c:2280:5
#7 0x8282c6f in parser_parse_script jerryscript/jerry-core/parser/js/js-parser.c:3326:38
#8 0x8129a7c in jerry_parse_common jerryscript/jerry-core/api/jerryscript.c:412:21
#9 0x8129697 in jerry_parse jerryscript/jerry-core/api/jerryscript.c:480:10
#10 0x83ea951 in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:52:26
#11 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
#12 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
#13 0xf7bf3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
#14 0x8078645 in _start (jerryscript/build/bin/jerry+0x8078645)
0xf5500959 is located 0 bytes to the right of 25-byte region [0xf5500940,0xf5500959)
allocated by thread T0 here:
#0 0x80efe65 in malloc (jerryscript/build/bin/jerry+0x80efe65)
#1 0x83ec157 in jerry_port_source_read jerryscript/jerry-port/common/jerry-port-fs.c:72:45
#2 0x83ea7ce in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:33:28
#3 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
#4 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
#5 0xf7bf3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
SUMMARY: AddressSanitizer: heap-buffer-overflow jerryscript/jerry-core/parser/js/js-lexer.c:3297:9 in lexer_compare_identifier_to_chars
Shadow bytes around the buggy address:
0x3eaa00d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eaa00e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eaa00f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eaa0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eaa0110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3eaa0120: fa fa 00 00 04 fa fa fa 00 00 00[01]fa fa 00 00
0x3eaa0130: 00 fa fa fa 00 00 00 00 fa fa 00 00 04 fa fa fa
0x3eaa0140: 00 00 00 00 fa fa 00 00 03 fa fa fa 00 00 00 fa
0x3eaa0150: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x3eaa0160: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x3eaa0170: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3572149==ABORTING
Test case+
// poc2.js
class C {#static async*''
Execution steps & Output+
$ ./jerryscript/build/bin/jerry poc2.js
=================================================================
==3572558==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf540095a at pc 0x0839f1a4 bp 0xffe49808 sp 0xffe49800
READ of size 1 at 0xf540095a thread T0
#0 0x839f1a3 in lexer_compare_identifier_to_chars jerryscript/jerry-core/parser/js/js-lexer.c:3297:9
#1 0x839f4c1 in lexer_compare_identifiers jerryscript/jerry-core/parser/js/js-lexer.c
#2 0x83b5a37 in parser_check_duplicated_private_field jerryscript/jerry-core/parser/js/js-parser-expr.c:416:9
#3 0x83a2edb in parser_parse_class_body jerryscript/jerry-core/parser/js/js-parser-expr.c:728:9
#4 0x83a2edb in parser_parse_class jerryscript/jerry-core/parser/js/js-parser-expr.c:1110:27
#5 0x83c9958 in parser_parse_statements jerryscript/jerry-core/parser/js/js-parser-statm.c:2787:9
#6 0x8284a25 in parser_parse_source jerryscript/jerry-core/parser/js/js-parser.c:2280:5
#7 0x8282c6f in parser_parse_script jerryscript/jerry-core/parser/js/js-parser.c:3326:38
#8 0x8129a7c in jerry_parse_common jerryscript/jerry-core/api/jerryscript.c:412:21
#9 0x8129697 in jerry_parse jerryscript/jerry-core/api/jerryscript.c:480:10
#10 0x83ea951 in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:52:26
#11 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
#12 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
#13 0xf7bc3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
#14 0x8078645 in _start (jerryscript/build/bin/jerry+0x8078645)
0xf540095a is located 0 bytes to the right of 26-byte region [0xf5400940,0xf540095a)
allocated by thread T0 here:
#0 0x80efe65 in malloc (jerryscript/build/bin/jerry+0x80efe65)
#1 0x83ec157 in jerry_port_source_read jerryscript/jerry-port/common/jerry-port-fs.c:72:45
#2 0x83ea7ce in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:33:28
#3 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
#4 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
#5 0xf7bc3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
SUMMARY: AddressSanitizer: heap-buffer-overflow jerryscript/jerry-core/parser/js/js-lexer.c:3297:9 in lexer_compare_identifier_to_chars
Shadow bytes around the buggy address:
0x3ea800d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea800e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea800f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea80100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea80110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3ea80120: fa fa 00 00 04 fa fa fa 00 00 00[02]fa fa 00 00
0x3ea80130: 00 fa fa fa 00 00 00 00 fa fa 00 00 04 fa fa fa
0x3ea80140: 00 00 00 00 fa fa 00 00 03 fa fa fa 00 00 00 fa
0x3ea80150: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x3ea80160: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x3ea80170: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3572558==ABORTING