Bug 188694

Summary: heap buffer overflow caused by noinline
Product: WebKit
Component: JavaScriptCore
Reporter: zhunkibatu
Assignee: Mark Lam <mark.lam>
Status: RESOLVED DUPLICATE
Severity: Normal
Priority: P2
Keywords: InRadar
CC: ap, ddkilzer, keith_miller, mark.lam, saam, webkit-bug-importer
Version: WebKit Local Build
Hardware: PC
OS: Linux

zhunkibatu
Reported 2018-08-17 02:42:16 PDT
I understand that noinline is not supported by Safari, but how it can cause a buffer overflow is unclear to me. In case you may be interested, PoC:

function foo(oo) {
    oo.x = 4;
    oo.y = 4;
    oo.e = oo;
    i = 9;          // assigns the global loop counter declared with `var i` below, so the loop never runs to 100000
    oo.e = 7;
    oo.f = 8;
}

function Foo() {
    foo(this);
}

noInline(foo);      // jsc shell test helper (keeps foo out of the JIT's inliner); not available in Safari or browser JS

for (var i = 0; i < 100000; i++) {
    g();
}

function g() {      // hoisted, so calling it above its definition is fine
    foo({ f: 8 });
    new Foo();
    new Foo();
    new Foo();
}

==9404==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00535ffda at pc 0x7fe516031066 bp 0x7fe4ca8f6630 sp 0x7fe4ca8f6628
READ of size 1 at 0x62d00535ffda thread T7 (AutomaticThread)
    #0 0x7fe516031065 in std::__atomic_base<bool>::load(std::memory_order) const /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/atomic_base.h:396:9
    #1 0x7fe516031065 in std::atomic<bool>::load(std::memory_order) const /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/atomic:102
    #2 0x7fe516031065 in WTF::Atomic<bool>::load(std::memory_order) const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/DerivedSources/ForwardingHeaders/wtf/Atomics.h:61
    #3 0x7fe516031065 in JSC::LargeAllocation::isMarked() /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/LargeAllocation.h:78
    #4 0x7fe516031065 in JSC::SlotVisitor::appendHiddenUnbarriered(JSC::JSCell*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitorInlines.h:88
    #5 0x7fe516031065 in JSC::SlotVisitor::appendHiddenUnbarriered(JSC::JSValue) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitorInlines.h:75
    #6 0x7fe516031065 in void JSC::SlotVisitor::appendHidden<JSC::Unknown, WTF::DumbValueTraits<JSC::Unknown> >(JSC::WriteBarrierBase<JSC::Unknown, WTF::DumbValueTraits<JSC::Unknown> > const&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitorInlines.h:115
    #7 0x7fe516031065 in JSC::SlotVisitor::appendValuesHidden(JSC::WriteBarrierBase<JSC::Unknown, WTF::DumbValueTraits<JSC::Unknown> > const*, unsigned long) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitorInlines.h:134
    #8 0x7fe516031065 in JSC::JSFinalObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/runtime/JSObject.cpp:502
    #9 0x7fe51529549c in JSC::SlotVisitor::visitChildren(JSC::JSCell const*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitor.cpp:374:9
    #10 0x7fe51529549c in JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3::operator()(JSC::MarkStackArray&) const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitor.cpp:483
    #11 0x7fe51528aaad in JSC::IterationStatus JSC::SlotVisitor::forEachMarkStack<JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3>(JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3 const&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitorInlines.h:190:9
    #12 0x7fe51528aaad in JSC::SlotVisitor::drain(WTF::MonotonicTime) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitor.cpp:473
    #13 0x7fe51528c2dd in JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitor.cpp:671:13
    #14 0x7fe515225076 in JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18::operator()() const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/Heap.cpp:1269:17
    #15 0x7fe515225076 in WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18>::run() /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/DerivedSources/ForwardingHeaders/wtf/SharedTask.h:92
    #16 0x7fe5169589bf in WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()>, WTF::DumbPtrTraits<WTF::SharedTask<void ()> > >) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/ParallelHelperPool.cpp:112:5
    #17 0x7fe51695b583 in WTF::ParallelHelperPool::Thread::work() /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/ParallelHelperPool.cpp:194:9
    #18 0x7fe5169233cc in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/AutomaticThread.cpp:223:37
    #19 0x7fe5169233cc in WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/Function.h:101
    #20 0x7fe51696b4bb in WTF::Function<void ()>::operator()() const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/Function.h:56:16
    #21 0x7fe51696b4bb in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/Threading.cpp:136
    #22 0x7fe516a09765 in WTF::wtfThreadEntryPoint(void*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/ThreadingPthreads.cpp:227:5
    #23 0x7fe5108226b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #24 0x7fe51013a41c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x62d00535ffda is located 38 bytes to the left of 16384-byte region [0x62d005360000,0x62d005364000)
allocated by thread T0 here:
    #0 0x4c5cc0 in posix_memalign (/home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/bin/jsc+0x4c5cc0)
    #1 0x7fe516a29ec9 in bmalloc::DebugHeap::memalign(unsigned long, unsigned long, bool) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/bmalloc/bmalloc/DebugHeap.cpp:93:9
    #2 0x7fe516a22bf4 in bmalloc::Allocator::allocateImpl(unsigned long, unsigned long, bool) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/bmalloc/bmalloc/Allocator.cpp:82:16
    #3 0x7fe516936f5e in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long, unsigned long) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/bmalloc/bmalloc/Cache.h:87:12
    #4 0x7fe516936f5e in bmalloc::api::tryMemalign(unsigned long, unsigned long, bmalloc::HeapKind) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/bmalloc/bmalloc/bmalloc.h:57
    #5 0x7fe516936f5e in Gigacage::tryAlignedMalloc(Gigacage::Kind, unsigned long, unsigned long) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/Gigacage.cpp:74
    #6 0x7fe51495cb9d in JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/LocalAllocatorInlines.h:37:43
    #7 0x7fe51495cb9d in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/FreeListInlines.h:46
    #8 0x7fe51495cb9d in JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/LocalAllocatorInlines.h:34
    #9 0x7fe51495cb9d in JSC::Allocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode) const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/AllocatorInlines.h:35
    #10 0x7fe51495cb9d in JSC::CompleteSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/CompleteSubspaceInlines.h:33
    #11 0x7fe51495cb9d in JSC::Butterfly::createUninitialized(JSC::VM&, JSC::JSObject*, unsigned long, unsigned long, bool, unsigned long) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/runtime/ButterflyInlines.h:92
    #12 0x7fe4cd102253 (<unknown module>)
    #13 0x7fe5157d0fca (/home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/lib/libJavaScriptCore.so.1+0x2460fca)
    #14 0x7fe5154ac342 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/jit/JITCodeInlines.h:38:38
    #15 0x7fe5154ac342 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/interpreter/Interpreter.cpp:964
    #16 0x7fe515d88e7d in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/runtime/Completion.cpp:103:22
    #17 0x505bb4 in runWithOptions(GlobalObject*, CommandLine&, bool&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/jsc.cpp:2376:35
    #18 0x505bb4 in jscmain(int, char**)::$_3::operator()(JSC::VM&, GlobalObject*, bool&) const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/jsc.cpp:2780
    #19 0x505bb4 in int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool, jscmain(int, char**)::$_3 const&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/jsc.cpp:2681
    #20 0x505bb4 in jscmain(int, char**) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/jsc.cpp:2777
    #21 0x5045b6 in main /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/jsc.cpp:2207:15

Thread T7 (AutomaticThread) created by T0 here:
    #0 0x4377f9 in __interceptor_pthread_create (/home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/bin/jsc+0x4377f9)
    #1 0x7fe516a09668 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/ThreadingPthreads.cpp:239:17
    #2 0x7fe51696b9bf in WTF::Thread::create(char const*, WTF::Function<void ()>&&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/Threading.cpp:152:24
    #3 0x7fe51692129e in WTF::AutomaticThread::start(WTF::AbstractLocker const&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/AutomaticThread.cpp:165:5
    #4 0x7fe516921814 in WTF::AutomaticThreadCondition::notifyAll(WTF::AbstractLocker const&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/AutomaticThread.cpp:76:13
    #5 0x7fe516957b5d in WTF::ParallelHelperClient::setTask(WTF::RefPtr<WTF::SharedTask<void ()>, WTF::DumbPtrTraits<WTF::SharedTask<void ()> > >) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/ParallelHelperPool.cpp:62:5
    #6 0x7fe51521245b in void WTF::ParallelHelperClient::setFunction<JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18>(JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18 const&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/DerivedSources/ForwardingHeaders/wtf/ParallelHelperPool.h:142:9
    #7 0x7fe51521245b in JSC::Heap::runBeginPhase(JSC::GCConductor) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/Heap.cpp:1256
    #8 0x7fe515210bf7 in JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/Heap.cpp:1168:18

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/atomic_base.h:396:9 in std::__atomic_base<bool>::load(std::memory_order) const
Shadow bytes around the buggy address:
  0x0c5a80a63fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a80a63fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a80a63fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a80a63fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a80a63fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c5a80a63ff0: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x0c5a80a64000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a80a64010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a80a64020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a80a64030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a80a64040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9404==ABORTING
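The ASan report is the only evidence this bug carries, and a fuzzing pipeline that produces reports like it by the hundred has to triage them without a human: pull out the bug class and access kind, recompute the distance from the faulting address to the allocation from the raw hex instead of trusting ASan's prose (copy/paste and log extraction mangle exactly that line), and reduce the faulting and allocating stacks to a dedup key. The Python below is an added example, not code from the reporter, from WebKit, or from any project; its input is a constructed, abbreviated copy of the report above (most frames dropped, paths shortened), and the JSC:: namespace filter and the field names are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed input: lines from the ASan report in this bug, with most frames
# dropped and source paths shortened so the sample stays readable.
ASAN_REPORT = """\
==9404==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00535ffda at pc 0x7fe516031066 bp 0x7fe4ca8f6630 sp 0x7fe4ca8f6628
READ of size 1 at 0x62d00535ffda thread T7 (AutomaticThread)
    #0 0x7fe516031065 in std::__atomic_base<bool>::load(std::memory_order) const c++/5.4.0/bits/atomic_base.h:396:9
    #2 0x7fe516031065 in WTF::Atomic<bool>::load(std::memory_order) const wtf/Atomics.h:61
    #3 0x7fe516031065 in JSC::LargeAllocation::isMarked() JavaScriptCore/heap/LargeAllocation.h:78
    #4 0x7fe516031065 in JSC::SlotVisitor::appendHiddenUnbarriered(JSC::JSCell*) JavaScriptCore/heap/SlotVisitorInlines.h:88
    #8 0x7fe516031065 in JSC::JSFinalObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) JavaScriptCore/runtime/JSObject.cpp:502
0x62d00535ffda is located 38 bytes to the left of 16384-byte region [0x62d005360000,0x62d005364000)
allocated by thread T0 here:
    #0 0x4c5cc0 in posix_memalign (bin/jsc+0x4c5cc0)
    #1 0x7fe516a29ec9 in bmalloc::DebugHeap::memalign(unsigned long, unsigned long, bool) bmalloc/DebugHeap.cpp:93:9
    #11 0x7fe51495cb9d in JSC::Butterfly::createUninitialized(JSC::VM&, JSC::JSObject*, unsigned long, unsigned long, bool, unsigned long) JavaScriptCore/runtime/ButterflyInlines.h:92
    #12 0x7fe4cd102253 (<unknown module>)
Thread T7 (AutomaticThread) created by T0 here:
    #0 0x4377f9 in __interceptor_pthread_create (bin/jsc+0x4377f9)
SUMMARY: AddressSanitizer: heap-buffer-overflow c++/5.4.0/bits/atomic_base.h:396:9 in std::__atomic_base<bool>::load(std::memory_order) const
"""

# A frame is "#N 0xADDR in FUNC LOCATION"; unsymbolized frames have no "in FUNC"
# and a parenthesised "(module+offset)" location that may contain spaces.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+(?:in\s+(.+?)\s+)?(\(.*\)|\S+)$")
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes (?:to the (left|right) of|(inside) of) "
                       r"(\d+)-byte region \[0x([0-9a-f]+),0x([0-9a-f]+)\)")


@dataclass
class Frame:
    index: int
    function: str   # "??" when ASan printed the frame unsymbolized
    location: str


@dataclass
class AsanTriage:
    kind: str
    access: str
    size: int
    address: int
    thread: str
    side: str                   # "left", "right" or "inside", as ASan printed it
    reported_offset: int
    reported_region_size: int
    region_start: int
    region_end: int
    crash_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

    def region_size(self) -> int:
        return self.region_end - self.region_start

    def computed(self) -> Tuple[str, int]:
        """(side, distance) recomputed from the raw addresses, not from ASan's prose."""
        if self.address < self.region_start:
            return "left", self.region_start - self.address
        if self.address >= self.region_end:
            return "right", self.address - self.region_end
        return "inside", self.address - self.region_start


def parse_asan_report(text: str) -> AsanTriage:
    """Small state machine: frames are attributed to whichever stack header was seen last;
    thread-creation stacks are skipped because they never identify the bug."""
    kind = access = thread = side = None
    size = address = offset = region_size = region_start = region_end = None
    crash: List[Frame] = []
    alloc: List[Frame] = []
    current: Optional[List[Frame]] = None
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            kind, address = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            access, size, thread = m.group(1), int(m.group(2)), m.group(3)
            current = crash
        elif m := REGION_RE.search(line):
            offset, side, region_size = int(m.group(1)), m.group(2) or m.group(3), int(m.group(4))
            region_start, region_end = int(m.group(5), 16), int(m.group(6), 16)
            current = None
        elif line.startswith("allocated by"):
            current = alloc
        elif line.startswith(("freed by", "previously allocated by", "Thread T", "SUMMARY")):
            current = None
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(int(m.group(1)), m.group(2) or "??", m.group(3)))
    if None in (kind, access, region_start):
        raise ValueError("not a heap access report this parser understands")
    return AsanTriage(kind, access, size, address, thread, side, offset, region_size,
                      region_start, region_end, crash, alloc)


def sanity_check(t: AsanTriage) -> List[str]:
    """Non-empty result: the report was truncated or mangled and must not be bucketed as-is."""
    problems = []
    if t.computed() != (t.side, t.reported_offset):
        problems.append(f"offset mismatch: reported {t.side}/{t.reported_offset}, computed {t.computed()}")
    if t.region_size() != t.reported_region_size:
        problems.append(f"region size mismatch: reported {t.reported_region_size}, computed {t.region_size()}")
    if not (t.crash_stack and t.alloc_stack):
        problems.append("missing crash or allocation stack")
    return problems


def first_project_frame(stack: List[Frame], prefix: str = "JSC::") -> Optional[Frame]:
    """Skip std::/WTF:: helper frames; the prefix is this example's choice for a JSC build."""
    return next((f for f in stack if f.function.startswith(prefix)), None)


def signature(t: AsanTriage) -> Tuple[str, str, str, int, str, str]:
    """Dedup key: bug class, access, position relative to the region, and the first
    project frame of each stack (argument lists dropped so template frames bucket together)."""
    def name(f: Optional[Frame]) -> str:
        return f.function.split("(", 1)[0] if f else "??"
    return (t.kind, t.access, t.side, t.reported_offset,
            name(first_project_frame(t.crash_stack)), name(first_project_frame(t.alloc_stack)))


if __name__ == "__main__":
    report = parse_asan_report(ASAN_REPORT)
    print(signature(report))
    print("consistency problems:", sanity_check(report) or "none")
```

For this report the key comes out as a 1-byte READ 38 bytes left of a 16384-byte region, first faulting in JSC::LargeAllocation::isMarked on a region that JSC::Butterfly::createUninitialized allocated, which is the same information a human pulls from the trace but in a form that survives a few thousand repeats. The sanity check is the part worth keeping even if nothing else is: when the extracted text above was run together on one line the region line was still intact, but a report whose addresses no longer agree with its prose is a report to re-run, not to file.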
Mark Lam
Comment 1 2018-08-20 17:12:12 PDT
I'll take a look.
Radar WebKit Bug Importer
Comment 2 2018-08-20 17:12:36 PDT
Mark Lam
Comment 3 2018-10-03 16:28:21 PDT
We ended up fixing this bug in https://bugs.webkit.org/show_bug.cgi?id=189757.

*** This bug has been marked as a duplicate of bug 189757 ***