CVE-2022-22893: Stack-overflow in vm_loop.lto_priv.304 of vm.c · Issue #4901 · jerryscript-project/jerryscript

Jerryscript 3.0.0 was discovered to contain a stack overflow via vm_loop.lto_priv.304 in /jerry-core/vm/vm.c.


Stack-overflow in vm_loop.lto_priv.304 of vm.c #4901

Closed · hope-fly opened this issue Dec 13, 2021 · 0 comments · Fixed by #4945

Assignees

@mnegyokru

Comments

@hope-fly

JerryScript revision

Commit: 42523bd6

Version: v3.0.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-g --strip=off --system-allocator=on --logging=on --linker-flag=-fuse-ld=gold --error-messages=on --line-info=on --stack-limit=10

Test case

function JSEtest() { new JSEtest(); }

try { JSEtest(); } catch (e) { print(e); }

Execution steps & Output

$ ./jerryscript/build/bin/jerry poc.js

ASAN:DEADLYSIGNAL

==78723==ERROR: AddressSanitizer: stack-overflow on address 0xff0d8f90 (pc 0x566a456c bp 0xff0d95d8 sp 0xff0d8f90 T0)
#0 0x566a456b in vm_loop.lto_priv.304 /root/jerryscript/jerry-core/vm/vm.c:975
#1 0x56929645 in vm_execute /root/jerryscript/jerry-core/vm/vm.c:5260
#2 0x5692e592 in vm_run /root/jerryscript/jerry-core/vm/vm.c:5363
#3 0x5674524e in ecma_op_function_call_simple.lto_priv.397 /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1203
#4 0x567e8c9c in ecma_op_function_construct_simple /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1533
#5 0x567e8c9c in ecma_op_function_construct /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1769
#6 0x5692995a in opfunc_construct.isra.2 /root/jerryscript/jerry-core/vm/vm.c:844
#7 0x5692995a in vm_execute /root/jerryscript/jerry-core/vm/vm.c:5287
#…
#368 0x5692e592 in vm_run /root/jerryscript/jerry-core/vm/vm.c:5363
#369 0x5674524e in ecma_op_function_call_simple.lto_priv.397 /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1203
#370 0x567e8c9c in ecma_op_function_construct_simple /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1533
#371 0x567e8c9c in ecma_op_function_construct /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1769
#372 0x5692995a in opfunc_construct.isra.2 /root/jerryscript/jerry-core/vm/vm.c:844
#373 0x5692995a in vm_execute /root/jerryscript/jerry-core/vm/vm.c:5287

SUMMARY: AddressSanitizer: stack-overflow /root/jerryscript/jerry-core/vm/vm.c:975 in vm_loop.lto_priv.304 ==78723==ABORTING

Credits: Found by OWL337 team.

mnegyokru added a commit to mnegyokru/jerryscript that referenced this issue

Dec 22, 2021

@mnegyokru


mnegyokru added a commit to mnegyokru/jerryscript that referenced this issue

Jan 4, 2022

@mnegyokru

… objects

This patch fixes jerryscript-project#4901

JerryScript-DCO-1.0-Signed-off-by: Martin Negyokru [email protected]


dbatyai pushed a commit that referenced this issue

Jan 10, 2022

@mnegyokru

… objects (#4945)

This patch fixes #4901

JerryScript-DCO-1.0-Signed-off-by: Martin Negyokru [email protected]
