CVE-2023-31906: heap-buffer-overflow in lexer_compare_identifier_to_chars · Issue #5066 · jerryscript-project/jerryscript

Jerryscript 3.0.0 (commit 1a2c047) was discovered to contain a heap-buffer-overflow via the component lexer_compare_identifier_to_chars at /jerry-core/parser/js/js-lexer.c.

CVE
#js
$ ./jerryscript/build/bin/jerry poc1.js
=================================================================
==3572149==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5500959 at pc 0x0839f1a4 bp 0xffbc0428 sp 0xffbc0420
READ of size 1 at 0xf5500959 thread T0
    #0 0x839f1a3 in lexer_compare_identifier_to_chars jerryscript/jerry-core/parser/js/js-lexer.c:3297:9
    #1 0x839f4c1 in lexer_compare_identifiers jerryscript/jerry-core/parser/js/js-lexer.c
    #2 0x83b5a37 in parser_check_duplicated_private_field jerryscript/jerry-core/parser/js/js-parser-expr.c:416:9
    #3 0x83a2c8c in parser_parse_class_body jerryscript/jerry-core/parser/js/js-parser-expr.c:701:9
    #4 0x83a2c8c in parser_parse_class jerryscript/jerry-core/parser/js/js-parser-expr.c:1110:27
    #5 0x83c9958 in parser_parse_statements jerryscript/jerry-core/parser/js/js-parser-statm.c:2787:9
    #6 0x8284a25 in parser_parse_source jerryscript/jerry-core/parser/js/js-parser.c:2280:5
    #7 0x8282c6f in parser_parse_script jerryscript/jerry-core/parser/js/js-parser.c:3326:38
    #8 0x8129a7c in jerry_parse_common jerryscript/jerry-core/api/jerryscript.c:412:21
    #9 0x8129697 in jerry_parse jerryscript/jerry-core/api/jerryscript.c:480:10
    #10 0x83ea951 in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:52:26
    #11 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
    #12 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
    #13 0xf7bf3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
    #14 0x8078645 in _start (jerryscript/build/bin/jerry+0x8078645)

0xf5500959 is located 0 bytes to the right of 25-byte region [0xf5500940,0xf5500959)
allocated by thread T0 here:
    #0 0x80efe65 in malloc (jerryscript/build/bin/jerry+0x80efe65)
    #1 0x83ec157 in jerry_port_source_read jerryscript/jerry-port/common/jerry-port-fs.c:72:45
    #2 0x83ea7ce in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:33:28
    #3 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
    #4 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
    #5 0xf7bf3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)

SUMMARY: AddressSanitizer: heap-buffer-overflow jerryscript/jerry-core/parser/js/js-lexer.c:3297:9 in lexer_compare_identifier_to_chars
Shadow bytes around the buggy address:
  0x3eaa00d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eaa00e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eaa00f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eaa0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eaa0110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3eaa0120: fa fa 00 00 04 fa fa fa 00 00 00[01]fa fa 00 00
  0x3eaa0130: 00 fa fa fa 00 00 00 00 fa fa 00 00 04 fa fa fa
  0x3eaa0140: 00 00 00 00 fa fa 00 00 03 fa fa fa 00 00 00 fa
  0x3eaa0150: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x3eaa0160: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x3eaa0170: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3572149==ABORTING


$ ./jerryscript/build/bin/jerry poc2.js
=================================================================
==3572558==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf540095a at pc 0x0839f1a4 bp 0xffe49808 sp 0xffe49800
READ of size 1 at 0xf540095a thread T0
    #0 0x839f1a3 in lexer_compare_identifier_to_chars jerryscript/jerry-core/parser/js/js-lexer.c:3297:9
    #1 0x839f4c1 in lexer_compare_identifiers jerryscript/jerry-core/parser/js/js-lexer.c
    #2 0x83b5a37 in parser_check_duplicated_private_field jerryscript/jerry-core/parser/js/js-parser-expr.c:416:9
    #3 0x83a2edb in parser_parse_class_body jerryscript/jerry-core/parser/js/js-parser-expr.c:728:9
    #4 0x83a2edb in parser_parse_class jerryscript/jerry-core/parser/js/js-parser-expr.c:1110:27
    #5 0x83c9958 in parser_parse_statements jerryscript/jerry-core/parser/js/js-parser-statm.c:2787:9
    #6 0x8284a25 in parser_parse_source jerryscript/jerry-core/parser/js/js-parser.c:2280:5
    #7 0x8282c6f in parser_parse_script jerryscript/jerry-core/parser/js/js-parser.c:3326:38
    #8 0x8129a7c in jerry_parse_common jerryscript/jerry-core/api/jerryscript.c:412:21
    #9 0x8129697 in jerry_parse jerryscript/jerry-core/api/jerryscript.c:480:10
    #10 0x83ea951 in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:52:26
    #11 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
    #12 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
    #13 0xf7bc3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
    #14 0x8078645 in _start (jerryscript/build/bin/jerry+0x8078645)

0xf540095a is located 0 bytes to the right of 26-byte region [0xf5400940,0xf540095a)
allocated by thread T0 here:
    #0 0x80efe65 in malloc (jerryscript/build/bin/jerry+0x80efe65)
    #1 0x83ec157 in jerry_port_source_read jerryscript/jerry-port/common/jerry-port-fs.c:72:45
    #2 0x83ea7ce in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:33:28
    #3 0x83eac11 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63:26
    #4 0x812162c in main jerryscript/jerry-main/main-desktop.c:156:20
    #5 0xf7bc3ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)

SUMMARY: AddressSanitizer: heap-buffer-overflow jerryscript/jerry-core/parser/js/js-lexer.c:3297:9 in lexer_compare_identifier_to_chars
Shadow bytes around the buggy address:
  0x3ea800d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea800e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea800f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea80100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ea80110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3ea80120: fa fa 00 00 04 fa fa fa 00 00 00[02]fa fa 00 00
  0x3ea80130: 00 fa fa fa 00 00 00 00 fa fa 00 00 04 fa fa fa
  0x3ea80140: 00 00 00 00 fa fa 00 00 03 fa fa fa 00 00 00 fa
  0x3ea80150: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x3ea80160: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x3ea80170: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3572558==ABORTING
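Both reports above have the same shape: a READ of size 1 in lexer_compare_identifier_to_chars that lands 0 bytes to the right of the script's own source buffer, a region that jerry_port_source_read allocated at exactly the file's length (25 and 26 bytes). The program below is an added illustration written for this page; it is not JerryScript code and does not claim to be the root cause of this CVE, which the report does not state. It shows how a lexer-style identifier comparison over an exactly-sized, unterminated source buffer reads one byte past the end when it trusts the length of an earlier identifier while walking a later one that ends the file, beside a bounded comparison that checks the remaining bytes first. All function names (`scan_private_fields`, `bounded_compare`, `unbounded_compare_overread`) and the sample class bodies are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Script text in a heap buffer of exactly its own length, like the 25- and
 * 26-byte regions in the reports: no terminator, so `end` is not readable. */
typedef struct {
  const uint8_t *start;
  const uint8_t *end;   /* one past the last byte */
} source_t;

/* Characters allowed after the leading '#' of a private name (illustrative). */
static bool is_ident_char(uint8_t c) {
  return c == '_' || c == '$' || isalnum(c);
}

/* Length of the identifier at p, stopping at `end` without touching it. */
static size_t ident_len(const uint8_t *p, const uint8_t *end) {
  size_t n = 0;
  while (p + n < end && is_ident_char(p[n])) n++;
  return n;
}

/* The vulnerable shape: compare `len` bytes at `ident` against a known name
 * without asking whether `len` bytes remain before `end`. Performing that
 * read is undefined behaviour, so this returns how many bytes past `end` it
 * would touch; 1 is what AddressSanitizer reports above as a 1-byte READ
 * "0 bytes to the right" of the source region. */
static size_t unbounded_compare_overread(const uint8_t *ident, size_t len,
                                         const uint8_t *end) {
  size_t avail = (size_t)(end - ident);
  return len > avail ? len - avail : 0;
}

/* Bounded version: never compare more bytes than remain, and require the
 * identifier to stop after the match so "#ab" is not a duplicate of "#a". */
static bool bounded_compare(const uint8_t *ident, const uint8_t *end,
                            const uint8_t *chars, size_t len) {
  size_t avail = (size_t)(end - ident);
  if (avail < len) return false;
  if (memcmp(ident, chars, len) != 0) return false;
  return avail == len || !is_ident_char(ident[len]);
}

typedef struct {
  size_t private_names;   /* '#'-prefixed names seen */
  bool duplicate_found;   /* a later #name equal to an earlier one (bounded check) */
  size_t would_overread;  /* bytes past the buffer an unbounded compare of the
                             last #name against the first would have read */
} scan_result_t;

#define MAX_NAMES 16

/* Copies the constructed script into an exact-size heap buffer and checks
 * each '#name' against the earlier ones, as a duplicate-private-field check
 * in a class body would. */
scan_result_t scan_private_fields(const char *script, size_t len) {
  scan_result_t r = {0, false, 0};
  uint8_t *buf = malloc(len ? len : 1);
  if (!buf) return r;
  memcpy(buf, script, len);
  source_t src = { buf, buf + len };

  const uint8_t *names[MAX_NAMES];
  size_t lens[MAX_NAMES];
  size_t count = 0;

  for (const uint8_t *p = src.start; p < src.end; p++) {
    if (*p != '#') continue;
    size_t n = 1 + ident_len(p + 1, src.end);        /* '#' plus identifier */
    for (size_t i = 0; i < count; i++)
      if (bounded_compare(p, src.end, names[i], lens[i])) r.duplicate_found = true;
    if (count < MAX_NAMES) { names[count] = p; lens[count] = n; count++; }
    r.private_names++;
    p += n - 1;                                        /* skip the rest of the name */
  }
  if (count >= 2)
    r.would_overread = unbounded_compare_overread(names[count - 1], lens[0], src.end);

  free(buf);
  return r;
}

int main(void) {
  /* Constructed inputs: the first ends the file inside a shorter private name. */
  const char *scripts[] = { "class C{#ab;#a", "class C{#a;#a}", "class C{#a;#ab}" };
  for (size_t i = 0; i < 3; i++) {
    scan_result_t r = scan_private_fields(scripts[i], strlen(scripts[i]));
    printf("%-16s names=%zu duplicate=%d unbounded overread=%zu byte(s)\n",
           scripts[i], r.private_names, r.duplicate_found, r.would_overread);
  }
  return 0;
}
```

The first script is the interesting one: the final `#a` has only two bytes left before the end of the buffer, so a comparison that walks the three bytes of the earlier `#ab` would read one byte past the allocation, while the bounded check rejects it on length alone. Built with `-fsanitize=address`, an implementation that actually performs the unbounded read fails with the same "heap-buffer-overflow ... 0 bytes to the right" diagnosis shown above.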
