jerryscript
Segmentation fault in jerry
JerryScript revision
1a2c04763aba49f52b1537acd3730098c873511c
Build platform
Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64)
Build steps
tools/build.py --compile-flag=-fsanitize=address --compile-flag=-g
Test case
function i(a,b=eval()){eval()}
i(i("a"),eval("var a"))
Execution platform
same as the build platform.
Execution steps
build/bin/jerry testcase.js
Output
Segmentation fault (core dumped)
Backtrace
=================================================================
==167385==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x562a05bd8581 bp 0x7fffdc027800 sp 0x7fffdc027790 T0)
==167385==The signal is caused by a READ memory access.
==167385==Hint: address points to the zero page.
#0 0x562a05bd8580 (/data/jerryscript/asan/bin/jerry+0xd0580)
#1 0x562a05b8051c (/data/jerryscript/asan/bin/jerry+0x7851c)
#2 0x562a05b9069f (/data/jerryscript/asan/bin/jerry+0x8869f)
#3 0x562a05b919b9 (/data/jerryscript/asan/bin/jerry+0x899b9)
#4 0x562a05b6b6d8 (/data/jerryscript/asan/bin/jerry+0x636d8)
#5 0x562a05bc14cd (/data/jerryscript/asan/bin/jerry+0xb94cd)
#6 0x562a05bc696a (/data/jerryscript/asan/bin/jerry+0xbe96a)
#7 0x562a05b9085b (/data/jerryscript/asan/bin/jerry+0x8885b)
#8 0x562a05b919b9 (/data/jerryscript/asan/bin/jerry+0x899b9)
#9 0x562a05bf8576 (/data/jerryscript/asan/bin/jerry+0xf0576)
#10 0x562a05b25dac (/data/jerryscript/asan/bin/jerry+0x1ddac)
#11 0x7f32bb095082 in __libc_start_main ../csu/libc-start.c:308
#12 0x562a05b26cfd (/data/jerryscript/asan/bin/jerry+0x1ecfd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/data/jerryscript/asan/bin/jerry+0xd0580)
==167385==ABORTING
Expected behavior
It doesn't crash for me. Did you give it enough RAM/stack?
To reproduce, you should use the same build args as me.
Indeed, it crashes on PC (I was testing on esp32). You should use the --strip=OFF build option; you get a better backtrace:
ASAN:SIGSEGV
=================================================================
==28181==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x000000423a68 bp 0x0000006eddc0 sp 0x7ffe1ba87990 T0)
#0 0x423a67 in ecma_find_named_property /home/maciek/jerryscript/jerry-core/ecma/base/ecma-helpers.c:625
#1 0x414560 in vm_loop.lto_priv.126 /home/maciek/jerryscript/jerry-core/vm/vm.c:1445
#2 0x4ae08f in vm_execute /home/maciek/jerryscript/jerry-core/vm/vm.c:5211
#3 0x4af362 in vm_run /home/maciek/jerryscript/jerry-core/vm/vm.c:5312
#4 0x4835c4 in vm_run_eval /home/maciek/jerryscript/jerry-core/vm/vm.c:374
#5 0x4835c4 in ecma_op_eval_chars_buffer /home/maciek/jerryscript/jerry-core/ecma/operations/ecma-eval.c:93
#6 0x4835c4 in ecma_op_eval /home/maciek/jerryscript/jerry-core/ecma/operations/ecma-eval.c:56
#7 0x4835c4 in ecma_builtin_global_object_eval /home/maciek/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-global.c:109
#8 0x4835c4 in ecma_builtin_global_dispatch_routine /home/maciek/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-global.c:594
#9 0x4396d2 in ecma_builtin_dispatch_routine.isra.0 /home/maciek/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
#10 0x4396d2 in ecma_builtin_dispatch_call /home/maciek/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
#11 0x4396d2 in ecma_op_function_call_native_built_in /home/maciek/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1216
#12 0x43c87b in ecma_op_function_call /home/maciek/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
#13 0x4ae237 in ecma_op_function_validated_call /home/maciek/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371
#14 0x4ae237 in opfunc_call /home/maciek/jerryscript/jerry-core/vm/vm.c:757
#15 0x4ae237 in vm_execute /home/maciek/jerryscript/jerry-core/vm/vm.c:5217
#16 0x4af362 in vm_run /home/maciek/jerryscript/jerry-core/vm/vm.c:5312
#17 0x411983 in vm_run_global /home/maciek/jerryscript/jerry-core/vm/vm.c:286
#18 0x411983 in jerry_run /home/maciek/jerryscript/jerry-core/api/jerryscript.c:548
#19 0x4054f7 in jerryx_source_exec_script /home/maciek/jerryscript/jerry-ext/util/sources.c:68
#20 0x4054f7 in main /home/maciek/jerryscript/jerry-main/main-desktop.c:156
#21 0x7fd447a9383f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#22 0x406448 in _start (/home/maciek/jerryscript/build/bin/jerry+0x406448)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/maciek/jerryscript/jerry-core/ecma/base/ecma-helpers.c:625 ecma_find_named_property
==28181==ABORTING
Actually, if you build with debug enabled, you get an assert earlier:
ICE: Assertion 'ecma_get_lex_env_type (lex_env_p) == ECMA_LEXICAL_ENVIRONMENT_DECLARATIVE' failed at /home/maciek/jerryscript/jerry-core/vm/vm.c(vm_loop):1441.
(lex_env_p has env type ECMA_LEXICAL_ENVIRONMENT_THIS_OBJECT_BOUND)
CVE-2023-30406 seems to have been assigned for this issue.