Closed Bug 953116 Opened 11 years ago Closed 11 years ago

ASan heap-buffer-overflow [@ js::HeapSlot::init] through js::NewDenseCopiedArrayWithTemplate with RegExp

Categories: Core :: JavaScript Engine, defect

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical


RESOLVED DUPLICATE of bug 952984

People

(Reporter: decoder, Unassigned)

Details

(Keywords: csectype-bounds, sec-critical, testcase)

The following testcase shows a heap-buffer-overflow on mozilla-central revision cd3e9359fd64 (run with --fuzzing-safe):

function inSection(x) {}
gczeal(9,2)
var g1 = newGlobal();
var g2 = newGlobal();
try {
var dbg = VERSION;
} catch(exc0) {}
var UBound = 0;
var actual = '';
var actualvalues = [];
var obj = {};
status = inSection(2);
actual = obj.toSource();
addThis();
function addThis() {
  actualvalues[UBound] = sortThis(actual);
}
function sortThis(sList) {
  sList = compactThis(sList);
  sList = stripParens(sList);
  sList = stripBraces(sList);
}
function compactThis(text) {
  var charCode = 0;
  var ret = '';
  for (var i=0; i<text.length; i++)   {
    if (!isWhiteSpace(charCode))
      ret += text.charAt(i);
  }
  return ret;
}
function isWhiteSpace(charCode) {
}
function stripParens(text) {
  var arr = text.match(/^\((.*)\)$/);
    return arr[1];
}
function stripBraces(text) {
  var arr = text.match(/^\{(.*)\}$/);
}

Here's a shortened ASan trace:

==27658==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000019020 at pc 0xe9e808 bp 0x7fffc6b65bd0 sp 0x7fffc6b65bc8
WRITE of size 8 at 0x606000019020 thread T0
    #0 0xe9e807 in js::HeapSlot::init(JSRuntime*, JSObject*, js::HeapSlot::Kind, unsigned int, JS::Value const&) js/src/gc/Barrier.h:893
    #1 0xe9e807 in js::ObjectImpl::initializeSlotRange(unsigned int, unsigned int) js/src/vm/ObjectImpl.cpp:261
    #2 0x105ff26 in JSObject::createArray(js::ExclusiveContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::types::TypeObject*>, unsigned int) js/src/jsobjinlines.h:564
    #3 0x104d537 in js::NewDenseCopiedArrayWithTemplate(JSContext*, unsigned int, JS::Value const*, JSObject*) js/src/jsarray.cpp:3313:35
    #4 0x102f793 in js::CreateRegExpMatchResult(JSContext*, JS::Handle<JSString*>, char16_t const*, unsigned long, js::MatchPairs&, JS::MutableHandle<JS::Value>) js/src/builtin/RegExp.cpp:71
    #5 0xd9d7b2 in DoMatchLocal(JSContext*, JS::CallArgs, js::RegExpStatics*, JS::Handle<JSLinearString*>, js::RegExpShared&) js/src/jsstr.cpp:1839
    #6 0xd9d7b2 in js::str_match(JSContext*, unsigned int, JS::Value*) js/src/jsstr.cpp:2012
    #7 0xe89fa1 in JSFunction::native() const js/src/jscntxtinlines.h:220
0x606000019020 is located 0 bytes to the right of 64-byte region [0x606000018fe0,0x606000019020)
allocated by thread T0 here:
    #0 0x4c4eb5 in malloc compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x105fa49 in js_malloc(unsigned long) js/src/opt64asan/dist/include/js/Utility.h:144
    #2 0x105fa49 in js::MallocProvider<js::ThreadSafeContext>::malloc_(unsigned long) js/src/vm/Runtime.h:613
    #3 0x105fa49 in js::HeapSlot* js::MallocProvider<js::ThreadSafeContext>::pod_malloc<js::HeapSlot>(unsigned long) js/src/vm/Runtime.h:665
    #4 0x105fa49 in JSObject::createArray(js::ExclusiveContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::types::TypeObject*>, unsigned int) js/src/jsobjinlines.h:537
    #5 0x183c7f21f (+0xf3c8821f)
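
As an added triage helper, not part of this bug report or of the SpiderMonkey code base, the following Python parses the access and allocation lines quoted in the report above and works out where the faulting write lands relative to the allocation; it takes the element size from the 8-byte write the trace shows, and the sample input is constructed from the lines above:

```python
import re
from dataclasses import dataclass

# Constructed sample: the first lines of the ASan report quoted in this bug.
SAMPLE_REPORT = """\
==27658==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000019020 at pc 0xe9e808 bp 0x7fffc6b65bd0 sp 0x7fffc6b65bc8
WRITE of size 8 at 0x606000019020 thread T0
    #0 0xe9e807 in js::HeapSlot::init(JSRuntime*, JSObject*, js::HeapSlot::Kind, unsigned int, JS::Value const&) js/src/gc/Barrier.h:893
0x606000019020 is located 0 bytes to the right of 64-byte region [0x606000018fe0,0x606000019020)
"""

HEADER_RE = re.compile(r"AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"is located \d+ bytes to the (?:left|right) of \d+-byte region "
                       r"\[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (?P<func>[^\s(]+)", re.M)

@dataclass
class AsanAccess:
    kind: str        # e.g. heap-buffer-overflow
    op: str          # READ or WRITE
    size: int        # bytes touched by the faulting access
    addr: int        # faulting address
    region_lo: int   # [region_lo, region_hi) is the nearest heap allocation
    region_hi: int
    frame0: str      # innermost function on the access stack

    def offset(self) -> int:
        """Byte offset of the access from the start of the allocation."""
        return self.addr - self.region_lo

    def element_index(self, elem_size: int) -> int:
        """Index the access would have in an array of elem_size-byte elements."""
        return self.offset() // elem_size

    def bytes_past_end(self) -> int:
        """How many of the accessed bytes lie beyond the allocation."""
        return max(0, self.addr + self.size - self.region_hi)

def parse_asan_report(text: str) -> AsanAccess:
    """Pull the access and allocation facts out of a heap ASan report."""
    header, access = HEADER_RE.search(text), ACCESS_RE.search(text)
    region, frame = REGION_RE.search(text), FRAME0_RE.search(text)
    if not (header and access and region and frame):
        raise ValueError("not a recognised ASan heap report")
    return AsanAccess(kind=header["kind"], op=access["op"], size=int(access["size"]),
                      addr=int(access["addr"], 16), region_lo=int(region["lo"], 16),
                      region_hi=int(region["hi"], 16), frame0=frame["func"])
```

For this report the 64-byte region holds eight 8-byte slots and the write lands at slot index 8, i.e. one element past the end of the slot array, which is what makes the testcase a one-slot overrun rather than a wild write.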


Looking at the blame for jsarray.cpp, I assume this could be related to:

Author: Hannes Verschore   Thu Dec 12 16:43:52 2013
Bug 879402 - Use template object to faster set the input and index properties on CreateRegExpMatchResult, r=bhackett

Needinfo from Hannes :)
Flags: needinfo?(hv1989)
Possibly a dup to 952984.
Depends on: 952984
I can't reproduce the issue locally. Would it be possible to test the patch in bug 952984 and see if it fixes it?
Flags: needinfo?(hv1989) → needinfo?(choller)
Doesn't reproduce anymore now that bug 952984 has landed, marking as duplicate.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(choller)
Group: core-security → core-security-release
Group: core-security-release