Closed Bug 1306444 Opened 8 years ago Closed 8 years ago

Read out-of-bounds in JSShell

Categories

(Core :: JavaScript Engine, defect)

43 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1300445

People

(Reporter: gustavo.grieco, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20151210085006

Steps to reproduce:

Hi,

We found a read out-of-bounds when a JavaScript file is piped into JSShell. It was tested in mozilla-aurora (rev 1474249578). To reproduce:

$ wget https://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/1474249578/jsshell-linux-x86_64-asan.zip
$ unzip jsshell-linux-x86_64-asan.zip
$ python -c "print '\x12'" | ./js


Actual results:

==23881==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000319c at pc 0x0000005abe4b bp 0x7fffffffcb80 sp 0x7fffffffcb78
READ of size 1 at 0x60600000319c thread T0
    #0 0x5abe4a  (/home/g/Codigo/mujs/js+0x5abe4a)
    #1 0x5aeb9d  (/home/g/Codigo/mujs/js+0x5aeb9d)
    #2 0x5aa2af  (/home/g/Codigo/mujs/js+0x5aa2af)
    #3 0x5a918e  (/home/g/Codigo/mujs/js+0x5a918e)
    #4 0x55a954  (/home/g/Codigo/mujs/js+0x55a954)
    #5 0x5163af  (/home/g/Codigo/mujs/js+0x5163af)
    #6 0x7ffff659cec4  (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #7 0x43cc84  (/home/g/Codigo/mujs/js+0x43cc84)

0x60600000319c is located 4 bytes to the left of 64-byte region [0x6060000031a0,0x6060000031e0)
allocated by thread T0 here:
    #0 0x4d36eb  (/home/g/Codigo/mujs/js+0x4d36eb)
    #1 0x5a8ebc  (/home/g/Codigo/mujs/js+0x5a8ebc)
    #2 0x55a954  (/home/g/Codigo/mujs/js+0x55a954)
    #3 0x5163af  (/home/g/Codigo/mujs/js+0x5163af)
    #4 0x7ffff659cec4  (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/g/Codigo/mujs/js+0x5abe4a) 
==23881==ABORTING

Program received signal SIGABRT, Aborted.
0x00007ffff65b1cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	../nptl/sysdeps/unix/sysv/linux/raise.c: No existe el archivo o el directorio.
(gdb) bt
#0  0x00007ffff65b1cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff65b50d8 in __GI_abort () at abort.c:89
#2  0x00000000004f25e6 in __sanitizer::Abort() ()
    at /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cc:124
#3  0x00000000004e03c5 in __sanitizer::Die() ()
    at /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:147
#4  0x00000000004da282 in ~ScopedInErrorReport () at /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_report.cc:709
#5  0x00000000004d9c31 in ReportGenericError () at /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_report.cc:1111
#6  0x00000000004da476 in __asan_report_load1 () at /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:129
#7  0x00000000005abe4b in ceol () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/editline/editline.c:414
#8  0x00000000005aeb9e in clear_line () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/editline/editline.c:434
#9  h_search () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/editline/editline.c:625
#10 0x00000000005aa2b0 in emacs () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/editline/editline.c:860
#11 editinput () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/editline/editline.c:920
#12 0x00000000005a918f in readline () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/editline/editline.c:999
#13 0x000000000055a955 in GetLine () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/shell/js.cpp:355
#14 ReadEvalPrintLoop () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/shell/js.cpp:786
#15 Process () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/shell/js.cpp:871
#16 0x00000000005163b0 in ProcessArgs () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/shell/js.cpp:6751
#17 Shell () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/shell/js.cpp:7143
#18 main () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/shell/js.cpp:7515


Expected results:

It should not produce a read out-of-bounds.
We don't ship the js shell, so this doesn't need to be sec-sensitive.

Looks like a dupe of (public) bug 1300445 to me. Jan, am I right?
Group: firefox-core-security
Component: Untriaged → JavaScript Engine
Flags: needinfo?(jdemooij)
Product: Firefox → Core
(In reply to :Gijs Kruitbosch from comment #1)
> Looks like a dupe of (public) bug 1300445 to me. Jan, am I right?

Yes, same 0x12 byte causing readline crashes.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE