CVE-2022-22893: Stack-overflow in vm_loop.lto_priv.304 of vm.c · Issue #4901 · jerryscript-project/jerryscript
Jerryscript 3.0.0 was discovered to contain a stack overflow via vm_loop.lto_priv.304 in /jerry-core/vm/vm.c.
Stack-overflow in vm_loop.lto_priv.304 of vm.c #4901
Closed
hope-fly opened this issue
Dec 13, 2021
· 0 comments · Fixed by #4945
JerryScript revision
Commit: 42523bd6
Version: v3.0.0
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-g --strip=off --system-allocator=on --logging=on --linker-flag=-fuse-ld=gold --error-messages=on --line-info=on --stack-limit=10
Test case
function JSEtest() { new JSEtest(); }
try { JSEtest(); } catch (e) { print(e); }
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
ASAN:DEADLYSIGNAL
==78723==ERROR: AddressSanitizer: stack-overflow on address 0xff0d8f90 (pc 0x566a456c bp 0xff0d95d8 sp 0xff0d8f90 T0)
#0 0x566a456b in vm_loop.lto_priv.304 /root/jerryscript/jerry-core/vm/vm.c:975
#1 0x56929645 in vm_execute /root/jerryscript/jerry-core/vm/vm.c:5260
#2 0x5692e592 in vm_run /root/jerryscript/jerry-core/vm/vm.c:5363
#3 0x5674524e in ecma_op_function_call_simple.lto_priv.397 /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1203
#4 0x567e8c9c in ecma_op_function_construct_simple /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1533
#5 0x567e8c9c in ecma_op_function_construct /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1769
#6 0x5692995a in opfunc_construct.isra.2 /root/jerryscript/jerry-core/vm/vm.c:844
#7 0x5692995a in vm_execute /root/jerryscript/jerry-core/vm/vm.c:5287
#…
#......
#368 0x5692e592 in vm_run /root/jerryscript/jerry-core/vm/vm.c:5363
#369 0x5674524e in ecma_op_function_call_simple.lto_priv.397 /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1203
#370 0x567e8c9c in ecma_op_function_construct_simple /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1533
#371 0x567e8c9c in ecma_op_function_construct /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1769
#372 0x5692995a in opfunc_construct.isra.2 /root/jerryscript/jerry-core/vm/vm.c:844
#373 0x5692995a in vm_execute /root/jerryscript/jerry-core/vm/vm.c:5287
SUMMARY: AddressSanitizer: stack-overflow /root/jerryscript/jerry-core/vm/vm.c:975 in vm_loop.lto_priv.304
==78723==ABORTING
Credits: Found by OWL337 team.
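As an added example, not JerryScript's own code nor the fix from #4945: a native stack-usage guard of the kind a `--stack-limit` build option implements, in C, which turns runaway constructor recursion like the test case above into a bounded error return instead of the SIGSEGV in the ASAN report. The names `guard_init`, `construct`, `current_sp`, the 256-byte toy frame and the 10 KiB budget are assumptions for illustration; the general point it shows is that the check must run on every path that re-enters the evaluator, construction included.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative stack-limit guard; an assumption, not JerryScript's own code.
   The base address is recorded once, and every evaluator re-entry measures how
   far its own frame is from that base, refusing to recurse past the budget. */
static uintptr_t stack_base;
static size_t stack_limit_bytes;

static uintptr_t current_sp(void) {
  volatile char marker = 0;
  return (uintptr_t) &marker;
}

/* Absolute distance, so the check is independent of stack growth direction. */
static size_t stack_usage(void) {
  uintptr_t sp = current_sp();
  return sp < stack_base ? (size_t) (stack_base - sp) : (size_t) (sp - stack_base);
}

void guard_init(size_t limit_kib) {
  stack_base = current_sp();
  stack_limit_bytes = limit_kib * 1024;
}

/* Toy construct step standing in for `new JSEtest()`: each object creation
   re-enters the evaluator and recurses again. Returns -1 once the budget is
   spent (where an engine would raise RangeError). 256-byte frame is hypothetical. */
int construct(unsigned depth, unsigned *max_depth) {
  volatile char frame[256];
  int r;
  frame[0] = 0;
  if (stack_usage() > stack_limit_bytes) {
    return -1; /* bounded error return instead of the SIGSEGV seen above */
  }
  if (depth > *max_depth) {
    *max_depth = depth;
  }
  r = construct(depth + 1, max_depth);
  return r + frame[0]; /* volatile read after the call blocks tail-call elision */
}

int main(void) {
  unsigned depth = 0;
  guard_init(10); /* same 10 KiB budget as --stack-limit=10 in the build line */
  int r = construct(0, &depth);
  printf("result=%d max_depth=%u\n", r, depth);
  return r == -1 ? 0 : 1;
}
```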
mnegyokru added a commit to mnegyokru/jerryscript that referenced this issue
Dec 22, 2021
mnegyokru added a commit to mnegyokru/jerryscript that referenced this issue
Dec 22, 2021
mnegyokru added a commit to mnegyokru/jerryscript that referenced this issue
Jan 4, 2022
… objects
This patch fixes jerryscript-project#4901
JerryScript-DCO-1.0-Signed-off-by: Martin Negyokru [email protected]
mnegyokru added a commit to mnegyokru/jerryscript that referenced this issue
Jan 4, 2022
… objects
This patch fixes jerryscript-project#4901
JerryScript-DCO-1.0-Signed-off-by: Martin Negyokru [email protected]
dbatyai pushed a commit that referenced this issue
Jan 10, 2022
… objects (#4945)
This patch fixes #4901
JerryScript-DCO-1.0-Signed-off-by: Martin Negyokru [email protected]