Headline
CVE-2023-31907: heap-buffer-overflow in scanner_literal_is_created · Issue #5073 · jerryscript-project/jerryscript
Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via the component scanner_literal_is_created at /jerry-core/parser/js/js-scanner-util.c.
$ ./jerryscript/build/bin/jerry poc.js
=================================================================
==3080358==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf510068c at pc 0x566887dc bp 0xfff81e68 sp 0xfff81e58
READ of size 2 at 0xf510068c thread T0
#0 0x566887db in scanner_literal_is_created ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2922
#1 0x566f8265 in parser_parse_var_statement ./jerryscript/jerry-core/parser/js/js-parser-statm.c:523
#2 0x566fda21 in parser_parse_statements ./jerryscript/jerry-core/parser/js/js-parser-statm.c:3021
#3 0x5667eb25 in parser_parse_source ./jerryscript/jerry-core/parser/js/js-parser.c:2280
#4 0x566113cf in jerry_parse_common ./jerryscript/jerry-core/api/jerryscript.c:412
#5 0x56611631 in jerry_parse ./jerryscript/jerry-core/api/jerryscript.c:480
#6 0x56706644 in jerryx_source_parse_script ./jerryscript/jerry-ext/util/sources.c:52
#7 0x56706701 in jerryx_source_exec_script ./jerryscript/jerry-ext/util/sources.c:63
#8 0x56609d04 in main ./jerryscript/jerry-main/main-desktop.c:156
#9 0xf7627ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
#10 0x5660cfb4 in _start (./jerryscript/build/bin/jerry+0x12fb4)
0xf510068c is located 4 bytes to the left of 8-byte region [0xf5100690,0xf5100698)
allocated by thread T0 here:
#0 0xf7a10817 in __interceptor_malloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x5660cae4 in jmem_heap_alloc ./jerryscript/jerry-core/jmem/jmem-heap.c:254
#2 0x56671d8d in jmem_heap_gc_and_alloc_block ./jerryscript/jerry-core/jmem/jmem-heap.c:291
#3 0x566f25ab in parser_malloc ./jerryscript/jerry-core/parser/js/js-parser-mem.c:43
#4 0x56686c95 in scanner_create_variables ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2341
#5 0x5667eae1 in parser_parse_source ./jerryscript/jerry-core/parser/js/js-parser.c:2277
#6 0x566113cf in jerry_parse_common ./jerryscript/jerry-core/api/jerryscript.c:412
#7 0x56611631 in jerry_parse ./jerryscript/jerry-core/api/jerryscript.c:480
#8 0x56706644 in jerryx_source_parse_script ./jerryscript/jerry-ext/util/sources.c:52
#9 0x56706701 in jerryx_source_exec_script ./jerryscript/jerry-ext/util/sources.c:63
#10 0x56609d04 in main ./jerryscript/jerry-main/main-desktop.c:156
#11 0xf7627ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
SUMMARY: AddressSanitizer: heap-buffer-overflow ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2922 in scanner_literal_is_created
Shadow bytes around the buggy address:
0x3ea20080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea20090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea200a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea200b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea200c0: fa fa fa fa fa fa 05 fa fa fa 05 fa fa fa fd fd
=>0x3ea200d0: fa[fa]00 fa fa fa 00 04 fa fa fd fd fa fa fd fd
0x3ea200e0: fa fa fd fd fa fa 00 07 fa fa 00 06 fa fa 00 03
0x3ea200f0: fa fa 00 07 fa fa 00 00 fa fa fa fa fa fa fa fa
0x3ea20100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea20110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea20120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3080358==ABORTING
ICE: Assertion 'scope_stack_p > context_p->scope_stack_p' failed at ./jerryscript/jerry-core/parser/js/js-scanner-util.c(scanner_literal_is_created):2920.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted