CVE-2023-31906: heap-buffer-overflow in lexer_compare_identifier_to_chars · Issue #5066 · jerryscript-project/jerryscript
JerryScript 3.0.0 (commit 1a2c047) was discovered to contain a heap-buffer-overflow in the function lexer_compare_identifier_to_chars at /jerry-core/parser/js/js-lexer.c. Both proof-of-concept files below trigger the same out-of-bounds read at js-lexer.c:3297, reached through parser_check_duplicated_private_field while parsing a class body.
$ ./jerryscript/build/bin/jerry poc1.js
=================================================================
==3572149==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5500959 at pc 0x0839f1a4 bp 0xffbc0428 sp 0xffbc0420
READ of size 1 at 0xf5500959 thread T0
#0 0x839f1a3 in lexer_compare_identifier_to_chars jerryscript/jerry-core/parser/js/js-lexer.c:3297:9
#1 0x839f4c1 in lexer_compare_identifiers jerryscript/jerry-core/parser/js/js-lexer.c
#2 0x83b5a37 in parser_check_duplicated_private_field jerryscript/jerry-core/parser/js/js-parser-expr.c:416:9
#3 0x83a2c8c in parser_parse_class_body jerryscript/jerry-core/parser/js/js-parser-expr.c:701:9
#4 0x83a2c8c in parser_parse_class jerryscript/jerry-core/parser/js/js-parser-expr.c:1110:27
#5 0x83c9958 in parser_parse_statements jerryscript/jerry-core/parser/js/js-parser-statm.c:2787:9
#6 0x8284a25 in parser_parse_source jerryscript/jerry-core/parser/js/js-parser.c:2280:5
#7 0x8282c6f in parser_parse_script jerryscript/jerry-core/parser/js/js-parser.c:3326:38
#8 0x8129a7c in jerry_parse_common jerryscript/jerry-core/api/jerryscript.c:412:21
#9 0x8129697 in jerry_parse jerryscript/jerry-core/api/jerryscript.c:480:10
#10 0x83ea951 in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:52:26
#11 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
#12 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
#13 0xf7bf3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
#14 0x8078645 in _start (jerryscript/build/bin/jerry+0x8078645)
0xf5500959 is located 0 bytes to the right of 25-byte region [0xf5500940,0xf5500959)
allocated by thread T0 here:
#0 0x80efe65 in malloc (jerryscript/build/bin/jerry+0x80efe65)
#1 0x83ec157 in jerry_port_source_read jerryscript/jerry-port/common/jerry-port-fs.c:72:45
#2 0x83ea7ce in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:33:28
#3 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
#4 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
#5 0xf7bf3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
SUMMARY: AddressSanitizer: heap-buffer-overflow jerryscript/jerry-core/parser/js/js-lexer.c:3297:9 in lexer_compare_identifier_to_chars
Shadow bytes around the buggy address:
0x3eaa00d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eaa00e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eaa00f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eaa0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eaa0110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3eaa0120: fa fa 00 00 04 fa fa fa 00 00 00[01]fa fa 00 00
0x3eaa0130: 00 fa fa fa 00 00 00 00 fa fa 00 00 04 fa fa fa
0x3eaa0140: 00 00 00 00 fa fa 00 00 03 fa fa fa 00 00 00 fa
0x3eaa0150: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x3eaa0160: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x3eaa0170: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3572149==ABORTING
$ ./jerryscript/build/bin/jerry poc2.js
=================================================================
==3572558==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf540095a at pc 0x0839f1a4 bp 0xffe49808 sp 0xffe49800
READ of size 1 at 0xf540095a thread T0
#0 0x839f1a3 in lexer_compare_identifier_to_chars jerryscript/jerry-core/parser/js/js-lexer.c:3297:9
#1 0x839f4c1 in lexer_compare_identifiers jerryscript/jerry-core/parser/js/js-lexer.c
#2 0x83b5a37 in parser_check_duplicated_private_field jerryscript/jerry-core/parser/js/js-parser-expr.c:416:9
#3 0x83a2edb in parser_parse_class_body jerryscript/jerry-core/parser/js/js-parser-expr.c:728:9
#4 0x83a2edb in parser_parse_class jerryscript/jerry-core/parser/js/js-parser-expr.c:1110:27
#5 0x83c9958 in parser_parse_statements jerryscript/jerry-core/parser/js/js-parser-statm.c:2787:9
#6 0x8284a25 in parser_parse_source jerryscript/jerry-core/parser/js/js-parser.c:2280:5
#7 0x8282c6f in parser_parse_script jerryscript/jerry-core/parser/js/js-parser.c:3326:38
#8 0x8129a7c in jerry_parse_common jerryscript/jerry-core/api/jerryscript.c:412:21
#9 0x8129697 in jerry_parse jerryscript/jerry-core/api/jerryscript.c:480:10
#10 0x83ea951 in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:52:26
#11 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
#12 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
#13 0xf7bc3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
#14 0x8078645 in _start (jerryscript/build/bin/jerry+0x8078645)
0xf540095a is located 0 bytes to the right of 26-byte region [0xf5400940,0xf540095a)
allocated by thread T0 here:
#0 0x80efe65 in malloc (jerryscript/build/bin/jerry+0x80efe65)
#1 0x83ec157 in jerry_port_source_read jerryscript/jerry-port/common/jerry-port-fs.c:72:45
#2 0x83ea7ce in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:33:28
#3 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
#4 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
#5 0xf7bc3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
SUMMARY: AddressSanitizer: heap-buffer-overflow jerryscript/jerry-core/parser/js/js-lexer.c:3297:9 in lexer_compare_identifier_to_chars
Shadow bytes around the buggy address:
0x3ea800d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea800e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea800f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea80100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea80110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3ea80120: fa fa 00 00 04 fa fa fa 00 00 00[02]fa fa 00 00
0x3ea80130: 00 fa fa fa 00 00 00 00 fa fa 00 00 04 fa fa fa
0x3ea80140: 00 00 00 00 fa fa 00 00 03 fa fa fa 00 00 00 fa
0x3ea80150: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x3ea80160: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x3ea80170: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3572558==ABORTING