CVE-2021-41959: Unfreed float causing memory leak in ecma-regexp-object · Issue #4781 · jerryscript-project/jerryscript
JerryScript Git version 14ff5bf does not sufficiently track and release allocated memory via jerry-core/ecma/operations/ecma-regexp-object.c after RegExp, which causes a memory leak.
JerryScript revision
14ff5bf
Build platform
Ubuntu 20.04.3 LTS (Linux 5.11.0-34-generic x86_64)
Build steps
./tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g \
  --clean --debug --strip=off --logging=on --error-messages=on \
  --compile-flag=-fsanitize=address --stack-limit=20
Test case
function testAdvanceStringIndex(lastIndex) {
  let exec_count = 0;
  let last_last_index = -1;
  let fake_re = {
    exec: () => {
      return exec_count++ == 0 ? [""] : null;
    },
    get lastIndex() {
      return lastIndex;
    },
    set lastIndex(value) {
    },
    get global() {
      return true;
    }
  };
  RegExp.prototype[Symbol.match].call(fake_re, "abc");
}
testAdvanceStringIndex(0x7ffffff);
Output
ICE: Assertion 'JERRY_CONTEXT (jmem_heap_allocated_size) == 0' failed at /jerryscript/jerry-core/jmem/jmem-heap.c(jmem_heap_finalize):107.
Error: ERR_FAILED_INTERNAL_ASSERTION
Aborted (core dumped)
Backtrace
#0  __GI_raise (sig=sig@entry=6) at …/sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f45b1399859 in __GI_abort () at abort.c:79
#2  0x00005574cdd6736f in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /jerryscript/jerry-port/default/default-fatal.c:30
#3  0x00005574cdcff841 in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /jerryscript/jerry-core/jrt/jrt-fatals.c:63
#4  0x00005574cdcff897 in jerry_assert_fail (assertion=0x5574cdd73de8 "JERRY_CONTEXT (jmem_heap_allocated_size) == 0", file=0x5574cdd73d60 "/jerryscript/jerry-core/jmem/jmem-heap.c", function=0x5574cdd8bce0 <__func__.6665> "jmem_heap_finalize", line=107) at /jerryscript/jerry-core/jrt/jrt-fatals.c:87
#5  0x00005574cdcfe8a0 in jmem_heap_finalize () at /jerryscript/jerry-core/jmem/jmem-heap.c:107
#6  0x00005574cdcfe5d7 in jmem_finalize () at /jerryscript/jerry-core/jmem/jmem-allocator.c:170
#7  0x00005574cdca9aaf in jerry_cleanup () at /jerryscript/jerry-core/api/jerry.c:232
#8  0x00005574cdca73b4 in main (argc=2, argv=0x7ffffff6d468) at /jerryscript/jerry-main/main-jerry.c:371
#9  0x00007f45b139b0b3 in __libc_start_main (main=0x5574cdca6889 <main>, argc=2, argv=0x7ffffff6d468, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffffff6d458) at …/csu/libc-start.c:308
#10 0x00005574cdca67ce in _start ()
Expected behavior
According to our analysis, the root cause of this assertion failure is at /jerryscript/jerry-core/ecma/ecma-regexp-object.c:3497. While getting next_set_status, the function ecma_op_object_put() calls ecma_make_length_value(index), which allocates an 8-bit chunk of memory used as a float number if index is larger than 0x7ffffff. This chunk is not freed, causing the assertion failure. To repair, ecma_make_length_value(index) should be replaced by the last_index created at ecma-regexp-object.c:3496.
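The code path the report describes, as an added example that is not from the issue or from JerryScript: a JavaScript model of the global branch of RegExp.prototype[@@match] (ES2015 21.2.5.6) run against a recording fake regexp shaped like the test case above, which makes visible the lastIndex write in which the report locates the unfreed float. The function names (advanceStringIndex, regExpSymbolMatchGlobal, makeRecordingRegExp, lastIndexWrites) are the example's own, and the 0x7ffffff threshold is the one the report gives.

```javascript
// Added example, not code from the issue or from JerryScript: a spec-shaped
// model of the global branch of RegExp.prototype[@@match] (ES2015 21.2.5.6)
// driven by a recording fake regexp like the issue's test case.
function advanceStringIndex(s, index, unicode) {
  if (!unicode || index + 1 >= s.length) return index + 1;
  return index + (s.codePointAt(index) > 0xffff ? 2 : 1); // skip a surrogate pair
}
function toLength(v) {
  const n = Math.trunc(Number(v));
  return n > 0 ? Math.min(n, Number.MAX_SAFE_INTEGER) : 0;
}
// rx may be any object with exec(): the engine takes the user-supplied getters.
function regExpSymbolMatchGlobal(rx, s) {
  const fullUnicode = Boolean(rx.unicode);
  rx.lastIndex = 0;                     // Set(rx, "lastIndex", 0)
  const matches = [];
  for (;;) {
    const result = rx.exec(s);          // RegExpExec with a user-supplied exec
    if (result === null) return matches.length ? matches : null;
    const matchStr = String(result[0]);
    matches.push(matchStr);
    if (matchStr === "") {
      // Empty match: read lastIndex, advance it, write it back. The issue puts
      // the leaked heap number in this write when the value exceeds 0x7ffffff.
      rx.lastIndex = advanceStringIndex(s, toLength(rx.lastIndex), fullUnicode);
    }
  }
}
// Fake regexp shaped like the issue's: one empty match, then null. lastIndex
// always reads back the initial value; every write to it is recorded.
function makeRecordingRegExp(initialLastIndex) {
  let execCount = 0;
  const writes = [];
  return {
    writes,
    exec: () => (execCount++ === 0 ? [""] : null),
    get lastIndex() { return initialLastIndex; },
    set lastIndex(v) { writes.push(v); },
    get global() { return true; },
  };
}
const INTEGER_LIMIT = 0x7ffffff; // from the issue: above this a float is allocated
const builtinMatch = (rx, s) => RegExp.prototype[Symbol.match].call(rx, s);
// Returns every value written to lastIndex during one @@match call.
function lastIndexWrites(initialLastIndex, matcher = regExpSymbolMatchGlobal) {
  const rx = makeRecordingRegExp(initialLastIndex);
  matcher(rx, "abc");
  return rx.writes;
}
```

Running the same fake regexp through the host engine's built-in (builtinMatch) gives the identical write sequence [0, 0x8000000], so the second write is the only value that crosses the report's 0x7ffffff limit; a regression test for the fix only needs that one call followed by a heap-allocated check.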