254582 2023-03-28 06:28:47 -0700 [JSC] CrashOnOverflow in CharacterClassConstructor::unicodeOpSorted() 2023-03-29 14:42:56 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 saelo msaboff bfulgham msaboff webkit-bug-importer oldest_to_newest 1944591 0 saelo 2023-03-28 06:28:47 -0700 The following code triggers a crash on JSC builds from current HEAD: const v0 = ` const v2 = /(?:(?=a)b){5}abcde/; [v0,"var \u1234 = 42;",[v0,"var \u1234 = 42;"]]; const t3 = v2.constructor; const v6 = new t3(v0, ..."var \u1234 = 42;"); `; eval(v0); // CRASH INFO // ========== // TERMSIG: 6 // EXECUTION TIME: 16ms Here is the backtrace from gdb: #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44 #1 0x00007ffff16add2f in __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78 #2 0x00007ffff165eef2 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007ffff1649472 in __GI_abort () at ./stdlib/abort.c:79 #4 0x00007ffff52083f9 in WTF::CrashOnOverflow::crash () at WTF/Headers/wtf/CheckedArithmetic.h:109 #5 0x00007ffff52083e9 in WTF::CrashOnOverflow::overflowed () at WTF/Headers/wtf/CheckedArithmetic.h:102 #6 0x00007ffff53077e8 in WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at (this=0x7fffe705d408, i=1) at WTF/Headers/wtf/Vector.h:781 #7 0x00007ffff73a973d in WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator[] (this=0x7fffe705d408, i=1) at WTF/Headers/wtf/Vector.h:786 #8 0x00007ffff749c45a in JSC::Yarr::CharacterClassConstructor::unicodeOpSorted (this=0x7fffffffb308, rhsMatchesUnicode=..., rhsRangesUnicode=...) at Source/JavaScriptCore/yarr/YarrPattern.cpp:786 #9 0x00007ffff749bb25 in JSC::Yarr::CharacterClassConstructor::performSetOpWithMatches (this=0x7fffffffb308, rhsMatches=..., rhsRanges=..., rhsMatchesUnicode=..., rhsRangesUnicode=...) at Source/JavaScriptCore/yarr/YarrPattern.cpp:404 #10 0x00007ffff74a018e in JSC::Yarr::CharacterClassConstructor::performSetOpWith (this=0x7fffffffb308, rhs=0x7fffe705d3d0) at Source/JavaScriptCore/yarr/YarrPattern.cpp:368 #11 0x00007ffff749b00c in JSC::Yarr::YarrPatternConstructor::atomCharacterClassPopNested (this=0x7fffffffb2f8) at Source/JavaScriptCore/yarr/YarrPattern.cpp:1219 #12 0x00007ffff74adf74 in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, char16_t>::ClassSetParserDelegate::nestedClassEnd (this=0x7fffffffaff8) at Source/JavaScriptCore/yarr/YarrParser.h:364 #13 0x00007ffff74ac11f in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, char16_t>::parseClassSet (this=0x7fffffffb0f8) at Source/JavaScriptCore/yarr/YarrParser.h:1229 #14 0x00007ffff74ab3b2 in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, char16_t>::parseTokens (this=0x7fffffffb0f8) at Source/JavaScriptCore/yarr/YarrParser.h:1539 #15 0x00007ffff748ffa3 in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, char16_t>::parse (this=0x7fffffffb0f8) at Source/JavaScriptCore/yarr/YarrParser.h:1632 #16 0x00007ffff748716e in JSC::Yarr::parse<JSC::Yarr::YarrPatternConstructor> (delegate=..., pattern=..., compileMode=JSC::Yarr::CompileMode::UnicodeSets, backReferenceLimit=4294967295, isNamedForwardReferenceAllowed=true) at Source/JavaScriptCore/yarr/YarrParser.h:2083 #17 0x00007ffff73e9ded in JSC::Yarr::YarrPattern::compile (this=0x7fffffffb498, patternString=...) at Source/JavaScriptCore/yarr/YarrPattern.cpp:2053 #18 0x00007ffff73ea1bd in JSC::Yarr::YarrPattern::YarrPattern (this=0x7fffffffb498, pattern=..., flags=..., error=@0x7fffe702103c: JSC::Yarr::ErrorCode::NoError) at Source/JavaScriptCore/yarr/YarrPattern.cpp:2093 #19 0x00007ffff6da3e5e in JSC::RegExp::finishCreation (this=0x7fffe7021028, vm=...) at Source/JavaScriptCore/runtime/RegExp.cpp:159 #20 0x00007ffff6da4009 in JSC::RegExp::createWithoutCaching (vm=..., patternString=..., flags=...) at Source/JavaScriptCore/runtime/RegExp.cpp:197 #21 0x00007ffff6da40ec in JSC::RegExpCache::lookupOrCreate (this=0x7fffe704c0c0, patternString=..., flags=...) at Source/JavaScriptCore/runtime/RegExpCache.cpp:42 #22 0x00007ffff6da4058 in JSC::RegExp::create (vm=..., patternString=..., flags=...) at Source/JavaScriptCore/runtime/RegExp.cpp:203 #23 0x00007ffff6db9383 in JSC::regExpCreate (globalObject=0x7fffa541a068, newTarget=..., patternArg=..., flagsArg=...) at Source/JavaScriptCore/runtime/RegExpConstructor.cpp:234 #24 0x00007ffff6db8fb3 in JSC::constructRegExp (globalObject=0x7fffa541a068, args=..., callee=0x7fffa54c8130, newTarget=...) at Source/JavaScriptCore/runtime/RegExpConstructor.cpp:294 #25 0x00007ffff6db6a34 in JSC::constructWithRegExpConstructor (globalObject=0x7fffa541a068, callFrame=0x7fffffffba60) at Source/JavaScriptCore/runtime/RegExpConstructor.cpp:313 #26 0x00007fffa6c000c7 in ?? () #27 0x00007fffffffbb60 in ?? () #28 0x00007ffff51e1d59 in js_trampoline_op_construct_varargs () from WebKitBuild/Debug/lib/libJavaScriptCore.so.1 #29 0x0000000000000000 in ?? () It looks like a hard crash to me that is not exploitable in any way, but I'm still filing this as a security issue as a precaution. Please downgrade to a non-security bug if appropriate. Thanks! 1944592 1 webkit-bug-importer 2023-03-28 06:28:59 -0700 <rdar://problem/107314153> 1944769 2 msaboff 2023-03-28 15:35:49 -0700 Pull request: https://github.com/WebKit/WebKit/pull/12079 1945122 3 ews-feeder 2023-03-29 14:42:53 -0700 Committed 262290@main (d85eafff7c3d): <https://commits.webkit.org/262290@main> Reviewed commits have been landed. Closing PR #12079 and removing active labels.