$ ./jerryscript/build/bin/jerry poc1.js
=================================================================
==3572149==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5500959 at pc 0x0839f1a4 bp 0xffbc0428 sp 0xffbc0420
READ of size 1 at 0xf5500959 thread T0
#0 0x839f1a3 in lexer_compare_identifier_to_chars jerryscript/jerry-core/parser/js/js-lexer.c:3297:9
#1 0x839f4c1 in lexer_compare_identifiers jerryscript/jerry-core/parser/js/js-lexer.c
#2 0x83b5a37 in parser_check_duplicated_private_field jerryscript/jerry-core/parser/js/js-parser-expr.c:416:9
#3 0x83a2c8c in parser_parse_class_body jerryscript/jerry-core/parser/js/js-parser-expr.c:701:9
#4 0x83a2c8c in parser_parse_class jerryscript/jerry-core/parser/js/js-parser-expr.c:1110:27
#5 0x83c9958 in parser_parse_statements jerryscript/jerry-core/parser/js/js-parser-statm.c:2787:9
#6 0x8284a25 in parser_parse_source jerryscript/jerry-core/parser/js/js-parser.c:2280:5
#7 0x8282c6f in parser_parse_script jerryscript/jerry-core/parser/js/js-parser.c:3326:38
#8 0x8129a7c in jerry_parse_common jerryscript/jerry-core/api/jerryscript.c:412:21
#9 0x8129697 in jerry_parse jerryscript/jerry-core/api/jerryscript.c:480:10
#10 0x83ea951 in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:52:26
#11 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
#12 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
#13 0xf7bf3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
#14 0x8078645 in _start (jerryscript/build/bin/jerry+0x8078645)
0xf5500959 is located 0 bytes to the right of 25-byte region [0xf5500940,0xf5500959)
allocated by thread T0 here:
#0 0x80efe65 in malloc (jerryscript/build/bin/jerry+0x80efe65)
#1 0x83ec157 in jerry_port_source_read jerryscript/jerry-port/common/jerry-port-fs.c:72:45
#2 0x83ea7ce in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:33:28
#3 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
#4 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
#5 0xf7bf3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
SUMMARY: AddressSanitizer: heap-buffer-overflow jerryscript/jerry-core/parser/js/js-lexer.c:3297:9 in lexer_compare_identifier_to_chars
Shadow bytes around the buggy address:
0x3eaa00d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eaa00e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eaa00f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eaa0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eaa0110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3eaa0120: fa fa 00 00 04 fa fa fa 00 00 00[01]fa fa 00 00
0x3eaa0130: 00 fa fa fa 00 00 00 00 fa fa 00 00 04 fa fa fa
0x3eaa0140: 00 00 00 00 fa fa 00 00 03 fa fa fa 00 00 00 fa
0x3eaa0150: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x3eaa0160: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x3eaa0170: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3572149==ABORTING
Test case
// poc2.js
class C{#static async*''
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc2.js
=================================================================
==3572558==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf540095a at pc 0x0839f1a4 bp 0xffe49808 sp 0xffe49800
READ of size 1 at 0xf540095a thread T0
#0 0x839f1a3 in lexer_compare_identifier_to_chars jerryscript/jerry-core/parser/js/js-lexer.c:3297:9
#1 0x839f4c1 in lexer_compare_identifiers jerryscript/jerry-core/parser/js/js-lexer.c
#2 0x83b5a37 in parser_check_duplicated_private_field jerryscript/jerry-core/parser/js/js-parser-expr.c:416:9
#3 0x83a2edb in parser_parse_class_body jerryscript/jerry-core/parser/js/js-parser-expr.c:728:9
#4 0x83a2edb in parser_parse_class jerryscript/jerry-core/parser/js/js-parser-expr.c:1110:27
#5 0x83c9958 in parser_parse_statements jerryscript/jerry-core/parser/js/js-parser-statm.c:2787:9
#6 0x8284a25 in parser_parse_source jerryscript/jerry-core/parser/js/js-parser.c:2280:5
#7 0x8282c6f in parser_parse_script jerryscript/jerry-core/parser/js/js-parser.c:3326:38
#8 0x8129a7c in jerry_parse_common jerryscript/jerry-core/api/jerryscript.c:412:21
#9 0x8129697 in jerry_parse jerryscript/jerry-core/api/jerryscript.c:480:10
#10 0x83ea951 in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:52:26
#11 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
#12 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
#13 0xf7bc3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
#14 0x8078645 in _start (jerryscript/build/bin/jerry+0x8078645)
0xf540095a is located 0 bytes to the right of 26-byte region [0xf5400940,0xf540095a)
allocated by thread T0 here:
#0 0x80efe65 in malloc (jerryscript/build/bin/jerry+0x80efe65)
#1 0x83ec157 in jerry_port_source_read jerryscript/jerry-port/common/jerry-port-fs.c:72:45
#2 0x83ea7ce in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:33:28
#3 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
#4 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
#5 0xf7bc3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
SUMMARY: AddressSanitizer: heap-buffer-overflow jerryscript/jerry-core/parser/js/js-lexer.c:3297:9 in lexer_compare_identifier_to_chars
Shadow bytes around the buggy address:
0x3ea800d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea800e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea800f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea80100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea80110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3ea80120: fa fa 00 00 04 fa fa fa 00 00 00[02]fa fa 00 00
0x3ea80130: 00 fa fa fa 00 00 00 00 fa fa 00 00 04 fa fa fa
0x3ea80140: 00 00 00 00 fa fa 00 00 03 fa fa fa 00 00 00 fa
0x3ea80150: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x3ea80160: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x3ea80170: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3572558==ABORTING
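Both reports end in the same place: a 1-byte read at the first address past the buffer that jerry_port_source_read allocated for the script, reached while parser_check_duplicated_private_field compares one private name against another. The following C program is an added illustration of that bug class and is not JerryScript's code: a name scan that trusts a terminator the exact-size buffer does not have, beside the bounded form that gates every access on the buffer end and rejects a name that runs into EOF. The function names, the simplified grammar (a private name is '#' followed by identifier characters), the 16-entry name table and the sample sources are assumptions made for the demo; that the real buffer holds exactly the file's bytes is inferred from the region sizes ASan prints above and is also an assumption.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Identifier characters of the simplified grammar assumed by this demo. */
static bool is_ident_char(unsigned char c)
{
  return isalnum(c) || c == '_' || c == '$';
}

/* Vulnerable form: advances until a non-identifier byte, so it assumes some
 * terminator follows the source. A buffer malloc'd at the script's exact size
 * has none, and a name that runs to EOF reads the byte after the allocation:
 * a 1-byte READ 0 bytes to the right of the region, as in the reports above. */
static size_t name_len_unchecked(const char *p)
{
  size_t n = 0;
  while (is_ident_char((unsigned char) p[n])) n++;
  return n;
}

/* Hardened form: every access is gated on the buffer end. */
static size_t name_len_bounded(const char *p, const char *end)
{
  size_t n = 0;
  while (p + n < end && is_ident_char((unsigned char) p[n])) n++;
  return n;
}

/* Bounded duplicate-private-name check over a buffer of exactly `len` bytes
 * with no terminator. Returns 1 if two '#name' tokens match, 0 if none do,
 * and -1 if the source ends inside a private name (or right after a '#'):
 * truncated input is rejected rather than compared against bytes past the end. */
static int check_duplicate_private_names(const char *src, size_t len)
{
  enum { MAX_NAMES = 16 };                 /* demo limit, not a grammar rule */
  const char *end = src + len;
  const char *names[MAX_NAMES];
  size_t lens[MAX_NAMES];
  size_t count = 0;

  for (const char *p = src; p < end; p++) {
    if (*p != '#') continue;
    const char *name = p + 1;
    size_t n = name_len_bounded(name, end);
    if (name + n == end) return -1;        /* name runs to EOF */
    if (n == 0) continue;                  /* '#' without a name: skip here */
    for (size_t i = 0; i < count; i++) {
      if (lens[i] == n && memcmp(names[i], name, n) == 0) return 1;
    }
    if (count < MAX_NAMES) {
      names[count] = name;
      lens[count] = n;
      count++;
    }
    p = name + n - 1;                      /* the loop's p++ steps past the name */
  }
  return 0;
}

/* Shows the over-read's consequence without undefined behaviour: the logical
 * source sits in a larger allocation whose bytes past the logical end are
 * filled with identifier characters, standing in for whatever the heap holds
 * after a real exact-size buffer. Returns the length each variant reports for
 * the trailing '#a' (or -1 if malloc fails): the unchecked answer depends on
 * memory outside the source, the bounded answer does not. */
static int overread_demo(bool bounded)
{
  static const char logical[] = "class C{#a";   /* constructed sample */
  const size_t len = sizeof logical - 1;        /* 10 bytes, no NUL inside */
  char *buf = malloc(len + 4);
  if (buf == NULL) return -1;
  memcpy(buf, logical, len);
  memset(buf + len, 'a', 3);                    /* "heap junk" after EOF */
  buf[len + 3] = '\0';                          /* keeps the demo in bounds */
  const char *name = buf + len - 1;             /* the 'a' after '#' */
  size_t n = bounded ? name_len_bounded(name, buf + len)
                     : name_len_unchecked(name);
  free(buf);
  return (int) n;
}

int main(void)
{
  static const char dup[] = "class C{#x; #y; #x}";
  static const char cut[] = "class C{#";
  printf("duplicate names: %d\n", check_duplicate_private_names(dup, sizeof dup - 1));
  printf("truncated input: %d\n", check_duplicate_private_names(cut, sizeof cut - 1));
  printf("unchecked scan at EOF: %d\n", overread_demo(false));
  printf("bounded scan at EOF:   %d\n", overread_demo(true));
  return 0;
}
```

Built with cc -fsanitize=address the demo runs clean, because overread_demo pads its allocation on purpose; replace that allocation with a bare malloc(len) and call name_len_unchecked on its last name, and ASan reports a heap-buffer-overflow of the same shape as the traces above. The -1 return is the part worth copying: a parser that reports truncated input instead of comparing it never needs the byte after the region.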
JerryScript revision
Commit: 1a2c047
Version: v3.0.0
Build platform
Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
Credits:
@Ye0nny, @EJueon of the seclab-yonsei.