276046 2024-06-30 02:46:31 -0700 readCharacter in JavaScriptCore YarrJIT reads wrong patternCharacter which is an OOB 2024-07-01 14:35:42 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build PC Linux RESOLVED DUPLICATE 275528 InRadar P2 Normal --- 1 entryhii msaboff bfulgham msaboff webkit-bug-importer oldest_to_newest 2043825 0 entryhii 2024-06-30 02:46:31 -0700 Hello, I found a bug in JavaScriptCore related to YarrJIT. ==============poc.js================== const v11 = /(?<a>.)\k<a>o/vi; const v22 = "\u{12345}bcde"; v22.split(v11); ====================================== Version: Latest JSC JavaScriptCore commit: 7f839364528de8cde2678aa52490c1ec36268d83 Run args: ./jsc poc.js JavaScriptCore crashed in JITTed code with SIGSEGV 11. After analysis, I found that this bug may be related to JavaScriptCore/yarr/YarrJIT.cpp `matchBackreference` function. In matchBackreference function, JSC invoke `readCharacter` to generate JIT code which reads patternCharater. When execute JITTed code, it should get "0xd808" which is UTF-16 Encoding of \u{12345}, but it incorrectly get 2 bytes before "0xd808", which is an OOB. Crash Stack: * thread #1, name = 'jsc', stop reason = signal SIGSEGV: invalid address (fault address: 0x0) frame #0: 0x00007fffa6c74151 -> 0x7fffa6c74151: movzwl (%r11,%r9,2), %r9d 0x7fffa6c74156: cmpl %r9d, %eax 0x7fffa6c74159: jne 0x7fffa6c741eb 0x7fffa6c7415f: jmp 0x7fffa6c74177 (lldb) bt * thread #1, name = 'jsc', stop reason = signal SIGSEGV: invalid address (fault address: 0x0) * frame #0: 0x00007fffa6c74151 frame #1: 0x00007ffff475aee0 libJavaScriptCore.so.1`JSC::Yarr::YarrCodeBlock::execute(this=0x00007fffe7040b00, input=span<const char16_t, 18446744073709551615UL> @ 0x00007fffffffb930, start=0, output=0x00007fffe7022340, matchingContext=0x00007fffffffba80) at YarrJIT.h:352:28 frame #2: 0x00007ffff58cc685 libJavaScriptCore.so.1`int JSC::RegExp::matchInline<WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, (JSC::Yarr::MatchFrom)0>(this=0x00007fffe70576c8, nullOrGlobalObject=0x00007fffa541a088, vm=0x00007fffa5000000, s=0x00007fffa5462298, startOffset=0, ovector=0x00007fffa541a8f8) at RegExpInlines.h:144:43 frame #3: 0x00007ffff58cc3b0 libJavaScriptCore.so.1`JSC::RegExp::match(this=0x00007fffe70576c8, globalObject=0x00007fffa541a088, s=0x00007fffa5462298, startOffset=0, ovector=0x00007fffa541a8f8) at RegExp.cpp:281:12 frame #4: 0x00007ffff58ebcc6 libJavaScriptCore.so.1`JSC::RegExpGlobalData::performMatch(this=0x00007fffa541a8a8, owner=0x00007fffa541a088, regExp=0x00007fffe70576c8, string=0x00007fffa5462290, input=0x00007fffa5462298, startOffset=0, ovector=0x00007fffffffbd78) at RegExpGlobalDataInlines.h:56:28 frame #5: 0x00007ffff58e838e libJavaScriptCore.so.1`void JSC::genericSplit<JSC::regExpProtoFuncSplitFast(JSC::JSGlobalObject*, JSC::CallFrame*)::$_2, JSC::regExpProtoFuncSplitFast(JSC::JSGlobalObject*, JSC::CallFrame*)::$_3>(globalObject=0x00007fffa541a088, regexp=0x00007fffe70576c8, inputString=0x00007fffa5462290, input=0x00007fffa5462298, inputSize=6, position=0x00007fffffffc0d0, matchPosition=0x00007fffffffc074, regExpIsSticky=false, regExpIsUnicode=true, control=0x00007fffffffc050, push=0x00007fffffffc018)::$_2 const&, JSC::regExpProtoFuncSplitFast(JSC::JSGlobalObject*, JSC::CallFrame*)::$_3 const&) at RegExpPrototype.cpp:432:63 frame #6: 0x00007ffff58e793b libJavaScriptCore.so.1`JSC::regExpProtoFuncSplitFast(globalObject=0x00007fffa541a088, callFrame=0x00007fffffffc1d0) at RegExpPrototype.cpp:573:5 frame #7: 0x00007fffa6c54038 frame #8: 0x00007ffff60f0389 libJavaScriptCore.so.1`llint_op_call + 213 frame #9: 0x00007ffff60cb805 libJavaScriptCore.so.1`llint_call_javascript + 6 frame #10: 0x00007ffff503050b libJavaScriptCore.so.1`JSC::Interpreter::executeProgram(this=0x00007fffa5015a10, source=0x00007fffffffce50, (null)=0x00007fffa541a088, thisObj=0x00007fffe701e008) at Interpreter.cpp:1143:28 frame #11: 0x00007ffff546c823 libJavaScriptCore.so.1`JSC::evaluate(globalObject=0x00007fffa541a088, source=0x00007fffffffce50, thisValue=JSValue @ 0x00007fffffffcd50, returnedException=0x00007fffffffce70) at Completion.cpp:137:37 frame #12: 0x00000000004b3226 jsc`runWithOptions(globalObject=0x00007fffa541a088, options=0x000000000051eca0, success=0x00007fffffffd2a3) at jsc.cpp:3774:35 frame #13: 0x00000000004553ec jsc`jscmain(this=0x00007fffffffd370, vm=0x00007fffa5000000, globalObject=0x00007fffa541a088, success=0x00007fffffffd2a3)::$_11::operator()(JSC::VM&, GlobalObject*, bool&) const at jsc.cpp:4463:13 frame #14: 0x00000000004195dd jsc`int runJSC<jscmain(int, char**)::$_11>(options=0x000000000051eca0, isWorker=false, func=0x00007fffffffd370)::$_11 const&) at jsc.cpp:4245:13 frame #15: 0x0000000000416c7c jsc`jscmain(argc=2, argv=0x00007fffffffd4d8) at jsc.cpp:4456:18 frame #16: 0x00000000004169dc jsc`main(argc=2, argv=0x00007fffffffd4d8) at jsc.cpp:3532:15 frame #17: 0x00007ffff147b1e2 libc.so.6`__libc_start_main + 242 frame #18: 0x00000000004108be jsc`_start + 46 Credit: Jiming Wang 2043826 1 webkit-bug-importer 2024-06-30 02:46:39 -0700 <rdar://problem/130839510> 2044052 2 msaboff 2024-07-01 14:28:16 -0700 *** This bug has been marked as a duplicate of bug 275528 ***