SEGV on unknown address
Write on an unknown address bug report
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3398899==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x0004012a12ec (pc 0x00000043e2da bp 0x000000000249 sp 0x7ffcac86a170 T3398899)
==3398899==The signal is caused by a WRITE memory access.
#0 0x43e2da in JS_GetOwnPropertyNamesInternal /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:7581:34
#1 0x491163 in JS_CopyDataProperties /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:15670:9
#2 0x459514 in JS_CallInternal /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:17909:21
#3 0x44d704 in JS_CallInternal /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:16643:27
#4 0x460458 in JS_CallFree /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:18723:19
#5 0x460458 in JS_EvalFunctionInternal /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:33523:19
#6 0x478d8e in __JS_EvalInternal /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:33677:19
#7 0x4607c7 in JS_EvalInternal /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:33695:12
#8 0x4607c7 in JS_EvalThis /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:33726:11
#9 0x4607c7 in JS_Eval /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:33734:12
#10 0x42c81a in eval_buf /home/browser/chijin_workspace/js_engine/quickjs_revision/qjs.c:72:15
#11 0x42c91d in eval_file /home/browser/chijin_workspace/js_engine/quickjs_revision/qjs.c:104:11
#12 0x42bf4d in main /home/browser/chijin_workspace/js_engine/quickjs_revision/qjs.c:685:15
#13 0x7f03c61a20b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#14 0x409b4d in _start (/home/browser/chijin_workspace/js_engine/quickjs_revision/qjs+0x409b4d)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/browser/chijin_workspace/js_engine/quickjs_revision/quickjs.c:7581:34 in JS_GetOwnPropertyNamesInternal
==3398899==ABORTING
The reproducing JS code is shown below:
function placeholder(){}
function main() {
    function v0() {}
    function v1(v2,v3) {}
    const v4 = -Infinity;
    const v5 = [v1,v1,v1];
    // Typed array with 2^31-1 integer-indexed elements (INT_MAX)
    const v8 = new Int8Array(2147483647);
    v8[v5] = 834287175n;
    const v12 = v5.constructor;
    // Spreading v8 enumerates all of its own property keys at once
    const v13 = {"b":v12, "length":v1, "ownKeys":v0, "toString":v4, "valueOf":568634645, ...v8, ...v12, ...-829933.0843735135, ...v1, ...-829933.0843735135};
}
main();
The code is generated by a JS engine fuzzer. This vulnerability may be exploited to cause RCE.
The bug is in the JS_GetOwnPropertyNamesInternal function: we use max_int in
atom_count = num_keys_count + str_keys_count + sym_keys_count + exotic_keys_count;
/* avoid allocating 0 bytes */
tab_atom = js_malloc(ctx, sizeof(tab_atom[0]) * max_int(atom_count, 1));
atom_count is greater than INT_MAX so the size allocated for the property names is just 1, leading to a segmentation fault when storing the atoms.
There are multiple instances of similar bugs elsewhere when the number of properties potentially exceeds INT_MAX.
I am scanning the code to fix these and will post an updated version later this week.
Chqrlie.
This bug will be fixed shortly, along with other similar issues caused by arithmetic overflow computing allocation sizes and such.
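The maintainer's explanation above is an instance of a general bug class: an allocation size computed in a signed int that wraps, so a clamp like max_int(atom_count, 1) hands a tiny buffer to code that then writes ~2^31 entries into it. The following C program, an added illustration that is not QuickJS code, models that arithmetic on the four partial counts named in the snippet and shows a checked replacement. The key_counts struct, the element size (sizeof(uint32_t), on the assumption that an atom is a 32-bit value), and the input values are constructed for the demo; max_int is written here with the shape the snippet implies.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as the helper named in the snippet (assumed, not QuickJS's source). */
static inline int max_int(int a, int b) { return a > b ? a : b; }

/* The four partial counts summed into atom_count. Field names mirror the
   snippet; the struct itself is constructed for this demo. */
typedef struct {
    int num_keys, str_keys, sym_keys, exotic_keys;
} key_counts;

/* Element count the original arithmetic ends up passing to js_malloc.
   The real code sums four ints directly, which is undefined on overflow;
   here the sum is taken in 64 bits and truncated to 32 bits to model the
   two's-complement wrap without invoking undefined behaviour in the demo. */
int buggy_alloc_count(key_counts c)
{
    int64_t wide = (int64_t)c.num_keys + c.str_keys + c.sym_keys + c.exotic_keys;
    int atom_count = (int32_t)(uint32_t)wide; /* wraps negative past INT_MAX */
    return max_int(atom_count, 1);            /* negative -> 1 element */
}

/* Checked replacement: refuse any total that does not fit the int the rest
   of the engine uses for counts, and any byte size that does not fit size_t.
   Returns false instead of producing a too-small allocation. */
bool checked_alloc_size(key_counts c, size_t elem_size, size_t *bytes_out)
{
    const int parts[4] = { c.num_keys, c.str_keys, c.sym_keys, c.exotic_keys };
    uint64_t total = 0;
    if (elem_size == 0)
        return false;
    for (int i = 0; i < 4; i++) {
        if (parts[i] < 0)
            return false;            /* a negative partial count is itself corrupt */
        total += (uint64_t)parts[i]; /* four values <= INT_MAX cannot overflow u64 */
    }
    if (total > (uint64_t)INT_MAX)
        return false;                /* would not round-trip through int */
    if (total == 0)
        total = 1;                   /* keep the "avoid allocating 0 bytes" rule */
    if (total > SIZE_MAX / elem_size)
        return false;                /* the byte size itself would overflow */
    *bytes_out = (size_t)total * elem_size;
    return true;
}

int main(void)
{
    /* Constructed inputs: the reproducer's Int8Array contributes INT_MAX
       integer-indexed keys, and the object literal adds a handful more. */
    key_counts overflowing = { INT_MAX, 0, 0, 5 };
    key_counts ordinary = { 3, 2, 1, 0 };
    size_t bytes;

    printf("buggy element count for overflowing input: %d\n",
           buggy_alloc_count(overflowing));   /* prints 1: one slot for ~2^31 atoms */
    printf("checked path: %s\n",
           checked_alloc_size(overflowing, sizeof(uint32_t), &bytes) ? "ok" : "rejected");
    if (checked_alloc_size(ordinary, sizeof(uint32_t), &bytes))
        printf("ordinary input needs %zu bytes\n", bytes);
    return 0;
}
```

The checked version rejects the input rather than clamping it, which is the behaviour a caller can turn into a RangeError or out-of-memory failure; the clamp in the original turns an impossible size into a plausible one, which is what lets the later writes run off the end of the buffer.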