220357 2021-01-06 04:48:11 -0800 unexpected minimumInputSize in setupDisjunctionOffsets for regexp engine(yarr) 2021-04-06 19:27:04 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build All All RESOLVED FIXED InRadar P2 Normal --- 1 raycp msaboff bfulgham ews-feeder keith_miller msaboff product-security saam webkit-bug-importer oldest_to_newest 1717619 0 raycp 2021-01-06 04:48:11 -0800 first of all, the poc is shown as below: ``` function main() { let v30 = '4{4294967294}0' const v32 = RegExp(v30); } main(); ``` which will cause the crash in `debug` version of jsc and it won't happen in `release` version of jsc ``` $ ./WebKitBuild/Debug/bin/jsc poc.js ASSERTION FAILED: minimumInputSize != UINT_MAX ../../Source/JavaScriptCore/yarr/YarrPattern.cpp(937) : JSC::Yarr::ErrorCode JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets(JSC::Yarr::PatternDisjunction*, unsigned int, unsigned int, unsigned int&) [1] 2098538 abort ./WebKitBuild/Debug/bin/jsc $ ./WebKitBuild/Release/bin/jsc poc.js ``` the call stack is show as below: ``` #1 0x00007ffff2236859 in __GI_abort () at abort.c:79 #2 0x00005555555d5fff in CRASH_WITH_INFO(...) () at DerivedSources/ForwardingHeaders/wtf/Assertions.h:713 #3 0x00007ffff67430cd in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc950, disjunction=0x7fffef9afed8, initialCallFrameSize=0, initialInputPosition=0, callFrameSize=@0x7fffffffc914: 32767) at ../../Source/JavaScriptCore/yarr/YarrPattern.cpp:937 #4 0x00007ffff674318d in JSC::Yarr::YarrPatternConstructor::setupOffsets (this=0x7fffffffc950) at ../../Source/JavaScriptCore/yarr/YarrPattern.cpp:951 #5 0x00007ffff66d480c in JSC::Yarr::YarrPattern::compile (this=0x7fffffffca60, patternString=...) at ../../Source/JavaScriptCore/yarr/YarrPattern.cpp:1131 #6 0x00007ffff66d4a68 in JSC::Yarr::YarrPattern::YarrPattern (this=0x7fffffffca60, pattern=..., flags=..., error=@0x7fffef9fcc5a: JSC::Yarr::ErrorCode::NoError) at ../../Source/JavaScriptCore/yarr/YarrPattern.cpp:1151 #7 0x00007ffff6332ae4 in JSC::RegExp::finishCreation (this=0x7fffef9fcc48, vm=...) at ../../Source/JavaScriptCore/runtime/RegExp.cpp:170 #8 0x00007ffff6332d78 in JSC::RegExp::createWithoutCaching (vm=..., patternString=..., flags=...) at ../../Source/JavaScriptCore/runtime/RegExp.cpp:207 #9 0x00007ffff633b707 in JSC::RegExpCache::lookupOrCreate (this=0x7fffef9d0000, patternString=..., flags=...) at ../../Source/JavaScriptCore/runtime/RegExpCache.cpp:42 #10 0x00007ffff6332dd1 in JSC::RegExp::create (vm=..., patternString=..., flags=...) at ../../Source/JavaScriptCore/runtime/RegExp.cpp:213 #11 0x00007ffff633cf59 in JSC::regExpCreate (globalObject=0x7fffaf5fa068, newTarget=..., patternArg=..., flagsArg=...) at ../../Source/JavaScriptCore/runtime/RegExpConstructor.cpp:249 #12 0x00007ffff633d540 in JSC::constructRegExp (globalObject=0x7fffaf5fa068, args=..., callee=0x7fffef9fcba8, newTarget=...) at ../../Source/JavaScriptCore/runtime/RegExpConstructor.cpp:309 #13 0x00007ffff633d77d in JSC::callRegExpConstructor (globalObject=0x7fffaf5fa068, callFrame=0x7fffffffce70) at ../../Source/JavaScriptCore/runtime/RegExpConstructor.cpp:334 #14 0x00007fffaf8ff027 in ?? () #15 0x00007fffffffcf10 in ?? () #16 0x00007ffff4dc9db1 in llint_op_call () at /home/raycp/Desktop/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:1092 #17 0x0000000000000000 in ?? () ``` when i finished analysis of the bug, i found that the root cause code is in `setupDisjunctionOffsets` function belong to the yarr engine. the code caused the crash is `ASSERT(minimumInputSize != UINT_MAX)`. The regexp pattern's(`'4{4294967294}0'`) length is `0xffffffff` after setupAlternativeOffsets function call, which means `minimumInputSize` equal to `0xffffffff`. But in the assert code, it can't allow `minimumInputSize` equal to `0xffffffff`, so it goes crash. ``` // yarr/YarrPattern.cpp: 911 ErrorCode setupDisjunctionOffsets(PatternDisjunction* disjunction, unsigned initialCallFrameSize, unsigned initialInputPosition, unsigned& callFrameSize) { if (UNLIKELY(!isSafeToRecurse())) return ErrorCode::TooManyDisjunctions; if ((disjunction != m_pattern.m_body) && (disjunction->m_alternatives.size() > 1)) initialCallFrameSize += YarrStackSpaceForBackTrackInfoAlternative; unsigned minimumInputSize = UINT_MAX; unsigned maximumCallFrameSize = 0; bool hasFixedSize = true; ErrorCode error = ErrorCode::NoError; for (unsigned alt = 0; alt < disjunction->m_alternatives.size(); ++alt) { PatternAlternative* alternative = disjunction->m_alternatives[alt].get(); unsigned currentAlternativeCallFrameSize; error = setupAlternativeOffsets(alternative, initialCallFrameSize, initialInputPosition, currentAlternativeCallFrameSize); if (hasError(error)) return error; minimumInputSize = std::min(minimumInputSize, alternative->m_minimumSize); maximumCallFrameSize = std::max(maximumCallFrameSize, currentAlternativeCallFrameSize); hasFixedSize &= alternative->m_hasFixedSize; if (alternative->m_minimumSize > INT_MAX) m_pattern.m_containsUnsignedLengthPattern = true; } ASSERT(minimumInputSize != UINT_MAX); ASSERT(maximumCallFrameSize >= initialCallFrameSize); disjunction->m_hasFixedSize = hasFixedSize; disjunction->m_minimumSize = minimumInputSize; disjunction->m_callFrameSize = maximumCallFrameSize; callFrameSize = maximumCallFrameSize; return error; } ``` the `minimumInputSize` can equal to `0xffffffff` may break the assumption of `jit`, and i think it may cause serious security problem. so i report the bug 1717635 1 webkit-bug-importer 2021-01-06 06:19:19 -0800 <rdar://problem/72849845> 1717636 2 webkit-bug-importer 2021-01-06 06:21:00 -0800 <rdar://problem/72849867> 1724467 3 raycp 2021-02-01 16:45:57 -0800 hello?? 1733805 4 421660 msaboff 2021-02-26 09:31:59 -0800 Created attachment 421660 Patch 1734022 5 ews-feeder 2021-02-26 15:22:57 -0800 Committed r273594: <https://commits.webkit.org/r273594> All reviewed patches have been landed. Closing bug and clearing flags on attachment 421660. 1734055 6 421660 keith_miller 2021-02-26 16:09:49 -0800 Comment on attachment 421660 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=421660&action=review > JSTests/stress/regexp-max-size.js:36 > +function testMaxBMPRegExp() { > + let patt = '\u{1234}{4294967294}X'; > + const re = RegExp(patt, 'u'); > + return "\u{1234}\u{1234}X".match(re); > +} > + > +function testTooBigBMPRegExp() { > + let patt = '\u{1234}{4294967294}\u{4567}'; > + const re = RegExp(patt, 'u'); > + return "\u{1234}\u{1234}\u{4567}".match(re); > +} > + > +function testMaxNonBMPRegExp() { > + let patt = '\u{10234}{2147483646}\u{10100}'; > + const re = RegExp(patt, 'u'); > + return "\u{10234}\u{10234}\u{10100}".match(re); > +} > + > +function testTooBigNonBMPRegExp() { > + let patt = '\u{10234}{2147483646}\u{10100}'; > + const re = RegExp(patt, 'u'); > + return "\u{10234}\u{10234}\u{10100}".match(re); > +} > + None of these are called. 1734079 7 msaboff 2021-02-26 16:52:28 -0800 (In reply to Keith Miller from comment #6) > Comment on attachment 421660 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=421660&action=review > > > JSTests/stress/regexp-max-size.js:36 > > +function testMaxBMPRegExp() { > > + let patt = '\u{1234}{4294967294}X'; > > + const re = RegExp(patt, 'u'); > > + return "\u{1234}\u{1234}X".match(re); > > +} > > + > > +function testTooBigBMPRegExp() { > > + let patt = '\u{1234}{4294967294}\u{4567}'; > > + const re = RegExp(patt, 'u'); > > + return "\u{1234}\u{1234}\u{4567}".match(re); > > +} > > + > > +function testMaxNonBMPRegExp() { > > + let patt = '\u{10234}{2147483646}\u{10100}'; > > + const re = RegExp(patt, 'u'); > > + return "\u{10234}\u{10234}\u{10100}".match(re); > > +} > > + > > +function testTooBigNonBMPRegExp() { > > + let patt = '\u{10234}{2147483646}\u{10100}'; > > + const re = RegExp(patt, 'u'); > > + return "\u{10234}\u{10234}\u{10100}".match(re); > > +} > > + > > None of these are called. You're right. iCopy/paste error. Fixing now and will post an updated patch. 421660 2021-02-26 09:31:59 -0800 2021-02-26 16:10:01 -0800 Patch 220357.patch text/plain 4595 msaboff SW5kZXg6IEpTVGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIEpTVGVzdHMvQ2hhbmdlTG9n CShyZXZpc2lvbiAyNzM1NTkpCisrKyBKU1Rlc3RzL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpA QCAtMSwzICsxLDIxIEBACisyMDIxLTAyLTI2ICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBw bGUuY29tPgorCisgICAgICAgIHVuZXhwZWN0ZWQgbWluaW11bUlucHV0U2l6ZSBpbiBzZXR1cERp c2p1bmN0aW9uT2Zmc2V0cyBmb3IgcmVnZXhwIGVuZ2luZSh5YXJyKQorICAgICAgICBodHRwczov L2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjIwMzU3CisKKyAgICAgICAgUmV2aWV3 ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgTmV3IHRlc3RzIHRvIGNoZWNrIHRoZSBi b3VuZGFyeSBjb25kaXRpb25zIGZvciBvdmVyZmxvd2luZyBhIHBhdHRlcm4gaW4gYSBSZWdFeHAu CisKKyAgICAgICAgKiBzdHJlc3MvcmVnZXhwLW1heC1zaXplLmpzOiBBZGRlZC4KKyAgICAgICAg KHRlc3RNYXhSZWdFeHApOgorICAgICAgICAodGVzdFRvb0JpZ1JlZ0V4cCk6CisgICAgICAgICh0 ZXN0TWF4Qk1QUmVnRXhwKToKKyAgICAgICAgKHRlc3RUb29CaWdCTVBSZWdFeHApOgorICAgICAg ICAodGVzdE1heE5vbkJNUFJlZ0V4cCk6CisgICAgICAgICh0ZXN0VG9vQmlnTm9uQk1QUmVnRXhw KToKKyAgICAgICAgKHRlc3RBbGwpOgorCiAyMDIxLTAyLTI1ICBZdXN1a2UgU3V6dWtpICA8eXN1 enVraUBhcHBsZS5jb20+CiAKICAgICAgICAgW0pTQ10gRml4IHR5cG8gaW4gd2FzbSBlcnJvciBt ZXNzYWdlCkluZGV4OiBKU1Rlc3RzL3N0cmVzcy9yZWdleHAtbWF4LXNpemUuanMKPT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PQotLS0gSlNUZXN0cy9zdHJlc3MvcmVnZXhwLW1heC1zaXplLmpzCShub25leGlzdGVudCkKKysr IEpTVGVzdHMvc3RyZXNzL3JlZ2V4cC1tYXgtc2l6ZS5qcwkod29ya2luZyBjb3B5KQpAQCAtMCww ICsxLDYzIEBACitmdW5jdGlvbiB0ZXN0TWF4UmVnRXhwKCkgeworICAgIGxldCBwYXR0ID0gJ0F7 NDI5NDk2NzI5NH1YJzsKKyAgICBjb25zdCByZSA9IFJlZ0V4cChwYXR0KTsKKyAgICByZXR1cm4g IkFBWCIubWF0Y2gocmUpOworfQorCitmdW5jdGlvbiB0ZXN0VG9vQmlnUmVnRXhwKCkgeworICAg IGxldCBwYXR0ID0gJ0F7NDI5NDk2NzI5NX1YJzsKKyAgICBjb25zdCByZSA9IFJlZ0V4cChwYXR0 KTsKKyAgICByZXR1cm4gIkFBWCIubWF0Y2gocmUpOworfQorCitmdW5jdGlvbiB0ZXN0TWF4Qk1Q UmVnRXhwKCkgeworICAgIGxldCBwYXR0ID0gJ1x1ezEyMzR9ezQyOTQ5NjcyOTR9WCc7CisgICAg Y29uc3QgcmUgPSBSZWdFeHAocGF0dCwgJ3UnKTsKKyAgICByZXR1cm4gIlx1ezEyMzR9XHV7MTIz NH1YIi5tYXRjaChyZSk7Cit9CisKK2Z1bmN0aW9uIHRlc3RUb29CaWdCTVBSZWdFeHAoKSB7Cisg ICAgbGV0IHBhdHQgPSAnXHV7MTIzNH17NDI5NDk2NzI5NH1cdXs0NTY3fSc7CisgICAgY29uc3Qg cmUgPSBSZWdFeHAocGF0dCwgJ3UnKTsKKyAgICByZXR1cm4gIlx1ezEyMzR9XHV7MTIzNH1cdXs0 NTY3fSIubWF0Y2gocmUpOworfQorCitmdW5jdGlvbiB0ZXN0TWF4Tm9uQk1QUmVnRXhwKCkgewor ICAgIGxldCBwYXR0ID0gJ1x1ezEwMjM0fXsyMTQ3NDgzNjQ2fVx1ezEwMTAwfSc7CisgICAgY29u c3QgcmUgPSBSZWdFeHAocGF0dCwgJ3UnKTsKKyAgICByZXR1cm4gIlx1ezEwMjM0fVx1ezEwMjM0 fVx1ezEwMTAwfSIubWF0Y2gocmUpOworfQorCitmdW5jdGlvbiB0ZXN0VG9vQmlnTm9uQk1QUmVn RXhwKCkgeworICAgIGxldCBwYXR0ID0gJ1x1ezEwMjM0fXsyMTQ3NDgzNjQ2fVx1ezEwMTAwfSc7 CisgICAgY29uc3QgcmUgPSBSZWdFeHAocGF0dCwgJ3UnKTsKKyAgICByZXR1cm4gIlx1ezEwMjM0 fVx1ezEwMjM0fVx1ezEwMTAwfSIubWF0Y2gocmUpOworfQorCitsZXQgc2hvdWxkQ29tcGlsZSA9 IFt0ZXN0TWF4UmVnRXhwLCB0ZXN0TWF4UmVnRXhwLCB0ZXN0TWF4UmVnRXhwXTsKK2xldCBzaG91 bGRudENvbXBpbGUgPSBbdGVzdFRvb0JpZ1JlZ0V4cCwgdGVzdFRvb0JpZ1JlZ0V4cCwgdGVzdFRv b0JpZ1JlZ0V4cF07CisKK2Z1bmN0aW9uIHRlc3RBbGwoKQoreworICAgIGZvciAobGV0IGkgPSAw OyBpIDwgc2hvdWxkQ29tcGlsZS5sZW5ndGg7ICsraSkgeworICAgICAgICBpZiAoc2hvdWxkQ29t cGlsZVtpXSgpKQorICAgICAgICAgICAgdGhyb3cgIlRoaXMgUmVnRXhwOiAiICsgc2hvdWxkQ29t cGlsZVtpXSArICIgc2hvdWxkIGNvbXBpbGUgYW5kIGZhaWwgdG8gbWF0Y2giOworICAgIH0KKwor ICAgIGZvciAobGV0IGkgPSAwOyBpIDwgc2hvdWxkbnRDb21waWxlLmxlbmd0aDsgKytpKSB7Cisg ICAgICAgIGxldCBub3RTeW50YXhFcnJvciA9IGZhbHNlOworCisgICAgICAgIHRyeSB7CisgICAg ICAgICAgICBzaG91bGRudENvbXBpbGVbaV0oKTsKKyAgICAgICAgICAgIG5vdFN5bnRheEVycm9y ID0gdHJ1ZTsKKyAgICAgICAgfSBjYXRjaChlKSB7CisgICAgICAgICAgICBpZiAoIShlIGluc3Rh bmNlb2YgU3ludGF4RXJyb3IpKQorICAgICAgICAgICAgICAgIG5vdFN5bnRheEVycm9yID0gdHJ1 ZTsKKyAgICAgICAgfQorCisgICAgICAgIGlmIChub3RTeW50YXhFcnJvcikKKyAgICAgICAgICAg IHRocm93ICJUaGlzIFJlZ0V4cDogIiArIHNob3VsZG50Q29tcGlsZSArICIgc2hvdWxkIHRocm93 IGEgU3ludGF4IEVycm9yIHdoZW4gaXQgaXMgY29tcGlsZWQiOworICAgIH0KK30KKwordGVzdEFs bCgpOwpJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0t LSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCShyZXZpc2lvbiAyNzM1NTgpCisrKyBT b3VyY2UvSmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEs MjMgQEAKKzIwMjEtMDItMjYgIE1pY2hhZWwgU2Fib2ZmICA8bXNhYm9mZkBhcHBsZS5jb20+CisK KyAgICAgICAgdW5leHBlY3RlZCBtaW5pbXVtSW5wdXRTaXplIGluIHNldHVwRGlzanVuY3Rpb25P ZmZzZXRzIGZvciByZWdleHAgZW5naW5lKHlhcnIpCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJr aXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMjAzNTcKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKworICAgICAgICBSZW1vdmVkIGFuIHVubmVjZXNzYXJ5IEFTU0VSVC4KKyAg ICAgICAgVGhpcyBhc3NlcnQgY2hlY2tlZCB0aGF0IHRoZSBtaW5pbXVtIHNpemUgd2Fzbid0IFVJ TlRfTUFYIHdoaWNoIEkgYmVsaWV2ZSB3YXMKKyAgICAgICAgaW50ZW5kZWQgdG8gbWFrZSBzdXJl IHRoZSBtaW5pbXVtIHNpemUgd2FzIGNoYW5nZWQgd2hpbGUgY29tcHV0aW5nIHRoZSAgCisgICAg ICAgIGRpc2p1bmN0aW9uJ3Mgc2l6ZSBhbmQgb2Zmc2V0cy4gIFRob3NlIGNhbGN1bGF0aW9ucyBp bnZvbHZlIGNoZWNrZWQgYXJpdGhtZXRpYywKKyAgICAgICAgd2hpY2ggd291bGQgY2F0Y2ggYW55 IG92ZXJmbG93LgorCisgICAgICAgIFRoZSBvdGhlciBwYXJ0IG9mIHRoaXMgcGF0Y2ggYWRkcyBh IHRlc3QgdGhhdCBjaGVja3MgdGhpcyBjb25kaXRpb24gYXMgd2VsbAorICAgICAgICBhcyB0aGUg Y2FzZSB3aGVyZSB0aGUgcGF0dGVybiBpcyBvbmUgY2hhcmFjdGVyIGxvbmdlciwgMl4zMiwgd2hp Y2ggdHJpZ2dlcnMKKyAgICAgICAgdGhlIGFyaXRobWV0aWMgb3ZlcmZsb3cuCisKKyAgICAgICAg KiB5YXJyL1lhcnJQYXR0ZXJuLmNwcDoKKyAgICAgICAgKEpTQzo6WWFycjo6WWFyclBhdHRlcm5D b25zdHJ1Y3Rvcjo6c2V0dXBEaXNqdW5jdGlvbk9mZnNldHMpOgorCiAyMDIxLTAyLTI1ICBZdXN1 a2UgU3V6dWtpICA8eXN1enVraUBhcHBsZS5jb20+CiAKICAgICAgICAgW0pTQ10gRml4IHR5cG8g aW4gd2FzbSBlcnJvciBtZXNzYWdlCkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUveWFyci9Z YXJyUGF0dGVybi5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL3lhcnIv WWFyclBhdHRlcm4uY3BwCShyZXZpc2lvbiAyNzM1NTgpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENv cmUveWFyci9ZYXJyUGF0dGVybi5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTkzNCw3ICs5MzQsNiBA QCBwdWJsaWM6CiAgICAgICAgICAgICAgICAgbV9wYXR0ZXJuLm1fY29udGFpbnNVbnNpZ25lZExl bmd0aFBhdHRlcm4gPSB0cnVlOwogICAgICAgICB9CiAgICAgICAgIAotICAgICAgICBBU1NFUlQo bWluaW11bUlucHV0U2l6ZSAhPSBVSU5UX01BWCk7CiAgICAgICAgIEFTU0VSVChtYXhpbXVtQ2Fs bEZyYW1lU2l6ZSA+PSBpbml0aWFsQ2FsbEZyYW1lU2l6ZSk7CiAKICAgICAgICAgZGlzanVuY3Rp b24tPm1faGFzRml4ZWRTaXplID0gaGFzRml4ZWRTaXplOwo=