
heap-use-after-free /quickjs/./quickjs.h:671:21 in JS_DupValue #283

Open
Qbtly opened this issue Apr 24, 2024 · 0 comments · May be fixed by #303


Qbtly commented Apr 24, 2024

Version

3b45d15

Build platform

Ubuntu 22.04.3

Build steps

CONFIG_ASAN=y make qjs

Test case

BigFloat.parseFloat(BigDecimal(BigDecimal([])).toPrecision);

Execution steps

./qjs --bignum poc.js

Output

=================================================================
==457302==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000002450 at pc 0x5616b998735d bp 0x7ffd92687ed0 sp 0x7ffd92687ec8
READ of size 4 at 0x604000002450 thread T0
    #0 0x5616b998735c in JS_DupValue /quickjs/./quickjs.h:671:21
    #1 0x5616b998735c in JS_ToInt32 /quickjs/quickjs.c:10975:38
    #2 0x5616b998735c in js_bigfloat_parseFloat /quickjs/quickjs.c:51607:9
    #3 0x5616b9749fb4 in js_call_c_function /quickjs/quickjs.c:16014:19
    #4 0x5616b97a3f63 in JS_CallInternal /quickjs/quickjs.c:16209:16
    #5 0x5616b97b31fc in JS_CallInternal /quickjs/quickjs.c:16616:27
    #6 0x5616b97dfc42 in JS_CallFree /quickjs/quickjs.c:18695:19
    #7 0x5616b97dfc42 in JS_EvalFunctionInternal /quickjs/quickjs.c:34351:19
    #8 0x5616b980931f in __JS_EvalInternal /quickjs/quickjs.c:34486:19
    #9 0x5616b97e174e in JS_EvalInternal /quickjs/quickjs.c:34504:12
    #10 0x5616b97e174e in JS_EvalThis /quickjs/quickjs.c:34535:11
    #11 0x5616b97e174e in JS_Eval /quickjs/quickjs.c:34543:12
    #12 0x5616b9746202 in eval_buf /quickjs/qjs.c:71:15
    #13 0x5616b97465a0 in eval_file /quickjs/qjs.c:103:11
    #14 0x5616b97454cf in main /quickjs/qjs.c:516:17
    #15 0x7fcbb7a29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #16 0x7fcbb7a29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #17 0x5616b9684734 in _start (/quickjs/qjs+0x4c734) (BuildId: 7ee6713a5851a816c63761bf03890241e521e4ac)

0x604000002450 is located 0 bytes inside of 48-byte region [0x604000002450,0x604000002480)
freed by thread T0 here:
    #0 0x5616b9709eb2 in free (/quickjs/qjs+0xd1eb2) (BuildId: 7ee6713a5851a816c63761bf03890241e521e4ac)
    #1 0x5616b982d259 in js_def_free /quickjs/quickjs.c:1744:5
    #2 0x5616b976e9d5 in __JS_FreeValueRT /quickjs/quickjs.c
    #3 0x5616b97bc73a in __JS_FreeValue /quickjs/quickjs.c:5597:5
    #4 0x5616b97bc73a in JS_FreeValue /quickjs/./quickjs.h:652:13
    #5 0x5616b97bc73a in JS_CallInternal /quickjs/quickjs.c:17497:17
    #6 0x5616b97dfc42 in JS_CallFree /quickjs/quickjs.c:18695:19
    #7 0x5616b97dfc42 in JS_EvalFunctionInternal /quickjs/quickjs.c:34351:19
    #8 0x5616b980931f in __JS_EvalInternal /quickjs/quickjs.c:34486:19
    #9 0x5616b97e174e in JS_EvalInternal /quickjs/quickjs.c:34504:12
    #10 0x5616b97e174e in JS_EvalThis /quickjs/quickjs.c:34535:11
    #11 0x5616b97e174e in JS_Eval /quickjs/quickjs.c:34543:12
    #12 0x5616b9746202 in eval_buf /quickjs/qjs.c:71:15
    #13 0x5616b97465a0 in eval_file /quickjs/qjs.c:103:11
    #14 0x5616b97454cf in main /quickjs/qjs.c:516:17
    #15 0x7fcbb7a29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x5616b970a15e in __interceptor_malloc (/quickjs/qjs+0xd215e) (BuildId: 7ee6713a5851a816c63761bf03890241e521e4ac)
    #1 0x5616b982d0bf in js_def_malloc /quickjs/quickjs.c:1728:11
    #2 0x5616b998d1ab in js_malloc_rt /quickjs/quickjs.c:1315:12
    #3 0x5616b998d1ab in js_malloc /quickjs/quickjs.c:1353:11
    #4 0x5616b998d1ab in JS_NewBigDecimal /quickjs/quickjs.c:12502:9
    #5 0x5616b998d1ab in JS_ToBigDecimalFree /quickjs/quickjs.c:52194:23
    #6 0x5616b9819ec6 in js_bigdecimal_constructor /quickjs/quickjs.c:52256:15
    #7 0x5616b9749fb4 in js_call_c_function /quickjs/quickjs.c:16014:19
    #8 0x5616b97a3f63 in JS_CallInternal /quickjs/quickjs.c:16209:16
    #9 0x5616b97b2823 in JS_CallInternal /quickjs/quickjs.c:16580:27
    #10 0x5616b97dfc42 in JS_CallFree /quickjs/quickjs.c:18695:19
    #11 0x5616b97dfc42 in JS_EvalFunctionInternal /quickjs/quickjs.c:34351:19
    #12 0x5616b980931f in __JS_EvalInternal /quickjs/quickjs.c:34486:19
    #13 0x5616b97e174e in JS_EvalInternal /quickjs/quickjs.c:34504:12
    #14 0x5616b97e174e in JS_EvalThis /quickjs/quickjs.c:34535:11
    #15 0x5616b97e174e in JS_Eval /quickjs/quickjs.c:34543:12
    #16 0x5616b9746202 in eval_buf /quickjs/qjs.c:71:15
    #17 0x5616b97465a0 in eval_file /quickjs/qjs.c:103:11
    #18 0x5616b97454cf in main /quickjs/qjs.c:516:17
    #19 0x7fcbb7a29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /quickjs/./quickjs.h:671:21 in JS_DupValue
==457302==ABORTING
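One reading of the traces above: the freed 48-byte region is the BigDecimal created by the inner constructor call, and the bad read happens when js_bigfloat_parseFloat passes argv[1] to JS_ToInt32 even though the script supplied only one argument, so the native function picks up a stale operand-stack slot. The C model below is added here to illustrate that pattern and its two usual fixes; it is not QuickJS source, and its type names, tag values and calling convention are assumptions modelled on how a C function receives its arguments from the interpreter.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Minimal model of a tagged interpreter value (constructed, not QuickJS's). */
enum { TAG_INT = 0, TAG_OBJECT = -1, TAG_UNDEFINED = 3 };

typedef struct { int64_t tag; void *ptr; } Value;

#define UNDEFINED ((Value){ TAG_UNDEFINED, NULL })
#define MAX_ARGS 8

typedef Value (*CFunction)(int argc, const Value *argv);

/* Calling convention assumed for the model: if the caller passed fewer values
 * than the function's declared `length`, the arguments are copied into a
 * buffer padded with undefined; otherwise the native function is handed a
 * pointer straight into the operand stack, so any index >= argc reads
 * whatever stale slot follows the real arguments. */
static Value call_c_function(CFunction fn, int length, int argc, const Value *stack_args)
{
    Value buf[MAX_ARGS];
    if (argc < length) {
        memcpy(buf, stack_args, sizeof(Value) * (size_t)argc);
        for (int i = argc; i < length; i++)
            buf[i] = UNDEFINED;
        return fn(length, buf);
    }
    return fn(argc, stack_args);
}

/* Unsafe pattern: reads an optional second argument without consulting argc. */
static Value radix_unguarded(int argc, const Value *argv)
{
    (void)argc;
    return argv[1];
}

/* Hardened pattern: every index at or beyond argc is treated as undefined. */
static Value radix_guarded(int argc, const Value *argv)
{
    return argc > 1 ? argv[1] : UNDEFINED;
}

/* Constructed operand stack: slot 0 is the single real argument, slot 1 is a
 * dangling reference left behind by a temporary that was already released. */
static int released_object_marker;

static int64_t run(CFunction fn, int length)
{
    Value stack[2] = { { TAG_INT, NULL }, { TAG_OBJECT, &released_object_marker } };
    return call_c_function(fn, length, 1, stack).tag;
}
```

With the declared length set to 1, the unguarded reader returns the stale object slot (the shape of the sanitizer report above); declaring a length that covers every index the function reads, or guarding each optional argument with argc, both yield undefined instead.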
xeioex added a commit to xeioex/quickjs that referenced this issue May 17, 2024
@xeioex xeioex linked a pull request May 17, 2024 that will close this issue