
SEGV on unknown address in jsiEvalCodeSub #97

Open
Ye0nny opened this issue Jan 14, 2024 · 0 comments


Ye0nny commented Jan 14, 2024

Jsish revision

Commit: 42c694c
Version: v3.5.0

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps

export JSI__SANITIZE=1
make

Test case

// testcase

var r = ( ( r, a ) => { return r + " foo " + a ; } ) ( " bar ", " foo " ). indexOf ('bar') ; 
var r = [ " ", " ", " ", " ", " ", " ", true, " ",'" ', "'", " ", " J ", " k ", " _ ", " _x ", " _ " ] ; 
for ( var f in r ) 
for ( var t = 0 ; t < r. length ; t ++ ) 
	r [ t ] instanceof String ; 
r [ t ] = t >= 5? " foo " : r [ t ] + " " ;'" foobar " + " barbazar "';

// poc.js
var r = [" "];
for ( var f in r )
	r [ t ] instanceof String ;
Execution steps & Output

$ ./jsish/jsish poc.js
poc.js:2: bug: next: toq not a iter
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2159566==ERROR: AddressSanitizer: SEGV on unknown address 0x60c000018280 (pc 0x60c000018280 bp 0x7fffd6d35610 sp 0x7fffd6d34d18 T0)
==2159566==The signal is caused by a READ memory access.
==2159566==Hint: PC is at a non-executable region. Maybe a wild jump?
    #0 0x60c000018280  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>)
==2159566==ABORTING
Backtrace

(gdb) bt
#0  0x000060c000018280 in ?? ()
#1  0x00000000007691c0 in jsiEvalCodeSub (ps=<optimized out>, opcodes=<optimized out>, scope=<optimized out>, currentScope=0x603000000160, _this=<optimized out>, vret=<optimized out>) at src/jsiEval.c:1657
#2  0x0000000000780f27 in jsi_evalcode (ps=<optimized out>, func=<optimized out>, opcodes=<optimized out>, scope=<optimized out>, fargs=<optimized out>, _this=<optimized out>, vret=<optimized out>,
    fi=<optimized out>) at src/jsiEval.c:2227
#3  0x0000000000783970 in jsi_evalStrFile (interp=<optimized out>, path=<optimized out>, str=<optimized out>, flags=<optimized out>, level=0) at src/jsiEval.c:2688
#4  0x000000000074a727 in Jsi_EvalFile (interp=0x62e000000400, fname=0x603000006610, flags=73) at src/jsiEval.c:2729
#5  0x00000000005176d6 in Jsi_Main (opts=<optimized out>) at src/jsiInterp.c:936
#6  0x0000000000defaa4 in jsi_main (argc=<optimized out>, argv=<optimized out>) at src/main.c:47
#7  0x00007ffff7c4a083 in __libc_start_main (main=0xdefc80 <main>, argc=2, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe348)
    at ../csu/libc-start.c:308
#8  0x000000000042c9be in _start ()
(gdb)

When executed in release mode:

Output

poc.js:2: bug: next: toq not a iter
Segmentation fault

Credits: @Ye0nny, @EJueon of the seclab-yonsei.
