Bug 188694

Summary: heap buffer overflow caused by noinline
Product: WebKit
Reporter: zhunkibatu
Component: JavaScriptCore
Assignee: Mark Lam <mark.lam>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: ap, ddkilzer, keith_miller, mark.lam, saam, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: PC
OS: Linux

Description zhunkibatu 2018-08-17 02:42:16 PDT
I understand that noinline is not supported by Safari, but how it can cause a buffer overflow is unclear to me. In case you may be interested.

PoC:

function foo(oo) {
    oo.x = 4;
    oo.y = 4;
    oo.e = oo;
    i=9;
    oo.e = 7;
    oo.f = 8;
}

function Foo() {
    foo(this);
}

noInline(foo);

for (var i = 0;i<100000;i++) {
    g();
}

function g(){
    foo({f:8});
    new Foo();
    new Foo();
    new Foo();
}
==9404==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00535ffda at pc 0x7fe516031066 bp 0x7fe4ca8f6630 sp 0x7fe4ca8f6628
READ of size 1 at 0x62d00535ffda thread T7 (AutomaticThread)
    #0 0x7fe516031065 in std::__atomic_base<bool>::load(std::memory_order) const /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/atomic_base.h:396:9
    #1 0x7fe516031065 in std::atomic<bool>::load(std::memory_order) const /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/atomic:102
    #2 0x7fe516031065 in WTF::Atomic<bool>::load(std::memory_order) const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/DerivedSources/ForwardingHeaders/wtf/Atomics.h:61
    #3 0x7fe516031065 in JSC::LargeAllocation::isMarked() /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/LargeAllocation.h:78
    #4 0x7fe516031065 in JSC::SlotVisitor::appendHiddenUnbarriered(JSC::JSCell*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitorInlines.h:88
    #5 0x7fe516031065 in JSC::SlotVisitor::appendHiddenUnbarriered(JSC::JSValue) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitorInlines.h:75
    #6 0x7fe516031065 in void JSC::SlotVisitor::appendHidden<JSC::Unknown, WTF::DumbValueTraits<JSC::Unknown> >(JSC::WriteBarrierBase<JSC::Unknown, WTF::DumbValueTraits<JSC::Unknown> > const&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitorInlines.h:115
    #7 0x7fe516031065 in JSC::SlotVisitor::appendValuesHidden(JSC::WriteBarrierBase<JSC::Unknown, WTF::DumbValueTraits<JSC::Unknown> > const*, unsigned long) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitorInlines.h:134
    #8 0x7fe516031065 in JSC::JSFinalObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/runtime/JSObject.cpp:502
    #9 0x7fe51529549c in JSC::SlotVisitor::visitChildren(JSC::JSCell const*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitor.cpp:374:9
    #10 0x7fe51529549c in JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3::operator()(JSC::MarkStackArray&) const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitor.cpp:483
    #11 0x7fe51528aaad in JSC::IterationStatus JSC::SlotVisitor::forEachMarkStack<JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3>(JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3 const&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitorInlines.h:190:9
    #12 0x7fe51528aaad in JSC::SlotVisitor::drain(WTF::MonotonicTime) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitor.cpp:473
    #13 0x7fe51528c2dd in JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode, WTF::MonotonicTime) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/SlotVisitor.cpp:671:13
    #14 0x7fe515225076 in JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18::operator()() const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/Heap.cpp:1269:17
    #15 0x7fe515225076 in WTF::SharedTaskFunctor<void (), JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18>::run() /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/DerivedSources/ForwardingHeaders/wtf/SharedTask.h:92
    #16 0x7fe5169589bf in WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()>, WTF::DumbPtrTraits<WTF::SharedTask<void ()> > >) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/ParallelHelperPool.cpp:112:5
    #17 0x7fe51695b583 in WTF::ParallelHelperPool::Thread::work() /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/ParallelHelperPool.cpp:194:9
    #18 0x7fe5169233cc in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/AutomaticThread.cpp:223:37
    #19 0x7fe5169233cc in WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/Function.h:101
    #20 0x7fe51696b4bb in WTF::Function<void ()>::operator()() const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/Function.h:56:16
    #21 0x7fe51696b4bb in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/Threading.cpp:136
    #22 0x7fe516a09765 in WTF::wtfThreadEntryPoint(void*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/ThreadingPthreads.cpp:227:5
    #23 0x7fe5108226b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #24 0x7fe51013a41c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x62d00535ffda is located 38 bytes to the left of 16384-byte region [0x62d005360000,0x62d005364000)
allocated by thread T0 here:
    #0 0x4c5cc0 in posix_memalign (/home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/bin/jsc+0x4c5cc0)
    #1 0x7fe516a29ec9 in bmalloc::DebugHeap::memalign(unsigned long, unsigned long, bool) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/bmalloc/bmalloc/DebugHeap.cpp:93:9
    #2 0x7fe516a22bf4 in bmalloc::Allocator::allocateImpl(unsigned long, unsigned long, bool) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/bmalloc/bmalloc/Allocator.cpp:82:16
    #3 0x7fe516936f5e in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long, unsigned long) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/bmalloc/bmalloc/Cache.h:87:12
    #4 0x7fe516936f5e in bmalloc::api::tryMemalign(unsigned long, unsigned long, bmalloc::HeapKind) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/bmalloc/bmalloc/bmalloc.h:57
    #5 0x7fe516936f5e in Gigacage::tryAlignedMalloc(Gigacage::Kind, unsigned long, unsigned long) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/Gigacage.cpp:74
    #6 0x7fe51495cb9d in JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/LocalAllocatorInlines.h:37:43
    #7 0x7fe51495cb9d in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/FreeListInlines.h:46
    #8 0x7fe51495cb9d in JSC::LocalAllocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/LocalAllocatorInlines.h:34
    #9 0x7fe51495cb9d in JSC::Allocator::allocate(JSC::GCDeferralContext*, JSC::AllocationFailureMode) const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/AllocatorInlines.h:35
    #10 0x7fe51495cb9d in JSC::CompleteSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/CompleteSubspaceInlines.h:33
    #11 0x7fe51495cb9d in JSC::Butterfly::createUninitialized(JSC::VM&, JSC::JSObject*, unsigned long, unsigned long, bool, unsigned long) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/runtime/ButterflyInlines.h:92
    #12 0x7fe4cd102253  (<unknown module>)
    #13 0x7fe5157d0fca  (/home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/lib/libJavaScriptCore.so.1+0x2460fca)
    #14 0x7fe5154ac342 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/jit/JITCodeInlines.h:38:38
    #15 0x7fe5154ac342 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/interpreter/Interpreter.cpp:964
    #16 0x7fe515d88e7d in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/runtime/Completion.cpp:103:22
    #17 0x505bb4 in runWithOptions(GlobalObject*, CommandLine&, bool&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/jsc.cpp:2376:35
    #18 0x505bb4 in jscmain(int, char**)::$_3::operator()(JSC::VM&, GlobalObject*, bool&) const /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/jsc.cpp:2780
    #19 0x505bb4 in int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool, jscmain(int, char**)::$_3 const&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/jsc.cpp:2681
    #20 0x505bb4 in jscmain(int, char**) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/jsc.cpp:2777
    #21 0x5045b6 in main /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/jsc.cpp:2207:15

Thread T7 (AutomaticThread) created by T0 here:
    #0 0x4377f9 in __interceptor_pthread_create (/home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/bin/jsc+0x4377f9)
    #1 0x7fe516a09668 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/ThreadingPthreads.cpp:239:17
    #2 0x7fe51696b9bf in WTF::Thread::create(char const*, WTF::Function<void ()>&&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/Threading.cpp:152:24
    #3 0x7fe51692129e in WTF::AutomaticThread::start(WTF::AbstractLocker const&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/AutomaticThread.cpp:165:5
    #4 0x7fe516921814 in WTF::AutomaticThreadCondition::notifyAll(WTF::AbstractLocker const&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/AutomaticThread.cpp:76:13
    #5 0x7fe516957b5d in WTF::ParallelHelperClient::setTask(WTF::RefPtr<WTF::SharedTask<void ()>, WTF::DumbPtrTraits<WTF::SharedTask<void ()> > >) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/WTF/wtf/ParallelHelperPool.cpp:62:5
    #6 0x7fe51521245b in void WTF::ParallelHelperClient::setFunction<JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18>(JSC::Heap::runBeginPhase(JSC::GCConductor)::$_18 const&) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/DerivedSources/ForwardingHeaders/wtf/ParallelHelperPool.h:142:9
    #7 0x7fe51521245b in JSC::Heap::runBeginPhase(JSC::GCConductor) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/Heap.cpp:1256
    #8 0x7fe515210bf7 in JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*) /home/codesafe/webkit_fuzz/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/heap/Heap.cpp:1168:18

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/atomic_base.h:396:9 in std::__atomic_base<bool>::load(std::memory_order) const
Shadow bytes around the buggy address:
  0x0c5a80a63fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a80a63fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a80a63fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a80a63fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a80a63fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c5a80a63ff0: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x0c5a80a64000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a80a64010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a80a64020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a80a64030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a80a64040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9404==ABORTING
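As an added triage aid, not part of the bug report or of WebKit: a small Python parser for the AddressSanitizer report format shown above. It pulls out the fields a crash-triage pipeline keys on (error kind, read/write, access size, faulting thread, region bounds) and re-derives the two numbers ASan prints rather than trusting them: the 38-byte distance from the faulting address to the region, and the address of the bracketed byte in the `=>` shadow row, which it recomputes from the faulting address with the default x86-64 Linux shadow mapping (`shadow = (addr >> 3) + 0x7fff8000`; an assumption about the reporter's build, stated in the code). The four sample lines are copied from the report above; everything else is example code.

```python
import re

# Constructed sample input: these four lines are copied from the ASan report in the
# bug description; every other line in this block is added example code.
SAMPLE_REPORT = """\
==9404==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00535ffda at pc 0x7fe516031066 bp 0x7fe4ca8f6630 sp 0x7fe4ca8f6628
READ of size 1 at 0x62d00535ffda thread T7 (AutomaticThread)
0x62d00535ffda is located 38 bytes to the left of 16384-byte region [0x62d005360000,0x62d005364000)
=>0x0c5a80a63ff0: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
"""

HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\S+) on address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x(?P<addr>[0-9a-f]+) thread (?P<thread>T\d+)",
    re.M)
REGION_RE = re.compile(
    r"0x(?P<addr>[0-9a-f]+) is located (?P<dist>\d+) bytes "
    r"(?P<side>to the left of|to the right of|inside of) "
    r"(?P<size>\d+)-byte region \[0x(?P<lo>[0-9a-f]+),0x(?P<hi>[0-9a-f]+)\)")
SHADOW_ROW_RE = re.compile(r"^=>0x(?P<base>[0-9a-f]+): (?P<bytes>.*)$", re.M)

# Assumption: default ASan shadow layout on x86-64 Linux, shadow = (addr >> 3) + 0x7fff8000.
SHADOW_OFFSET_X86_64 = 0x7FFF8000

# Subset of the ASan shadow byte legend, enough to classify the faulting byte.
SHADOW_LEGEND = {
    "00": "addressable",
    "fa": "heap left redzone",
    "fb": "heap right redzone",
    "fd": "freed heap region",
    "f1": "stack left redzone",
    "f3": "stack right redzone",
}


def shadow_address(addr):
    """Map an application address to the address of its shadow byte."""
    return (addr >> 3) + SHADOW_OFFSET_X86_64


def parse_asan_report(text):
    """Extract triage fields from an ASan report and cross-check ASan's own arithmetic."""
    header = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    region = REGION_RE.search(text)
    row = SHADOW_ROW_RE.search(text)
    if not (header and access and region and row):
        raise ValueError("not a complete AddressSanitizer report")

    addr = int(header["addr"], 16)
    lo, hi = int(region["lo"], 16), int(region["hi"], 16)
    dist, side = int(region["dist"]), region["side"]

    # Recompute the printed distance from the raw addresses.
    if side == "to the left of":
        expected = lo - addr
    elif side == "to the right of":
        expected = addr - hi
    else:
        expected = addr - lo

    # Find the bracketed byte in the "=>" row; its index is the byte offset from the row base.
    tokens = list(re.finditer(r"\[?([0-9a-f]{2})\]?", row["bytes"]))
    marked = next(i for i, m in enumerate(tokens) if m.group(0).startswith("["))
    marked_byte = tokens[marked].group(1)
    marked_shadow_addr = int(row["base"], 16) + marked

    return {
        "pid": int(header["pid"]),
        "kind": header["kind"],
        "op": access["op"],
        "size": int(access["size"]),
        "thread": access["thread"],
        "addr": addr,
        "region": (lo, hi),
        "region_size": hi - lo,
        "region_size_matches": hi - lo == int(region["size"]),
        "distance": dist,
        "side": side,
        "distance_matches": dist == expected,
        "shadow_byte": marked_byte,
        "shadow_class": SHADOW_LEGEND.get(marked_byte, "other"),
        # True when the marked shadow byte really is the shadow of the faulting address.
        "shadow_row_matches": marked_shadow_addr == shadow_address(addr),
    }


if __name__ == "__main__":
    for key, value in parse_asan_report(SAMPLE_REPORT).items():
        print(f"{key}: {value:#x}" if key == "addr" else f"{key}: {value}")
```

For this report the parser confirms that the faulting address is 0x26 bytes below the 16 KiB butterfly region (a 1-byte read of a mark bit in the left redzone), that the region size matches its bounds, and that the bracketed `fa` in the shadow dump is the shadow byte of the faulting address. A mismatch in any of the three checks is a sign the report text was truncated or edited in transit, which is worth knowing before a crash is deduplicated or prioritised on those numbers.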
Comment 1 Mark Lam 2018-08-20 17:12:12 PDT
I'll take a look.
Comment 2 Radar WebKit Bug Importer 2018-08-20 17:12:36 PDT
<rdar://problem/43535257>
Comment 3 Mark Lam 2018-10-03 16:28:21 PDT
We ended up fixing this bug in https://bugs.webkit.org/show_bug.cgi?id=189757.

*** This bug has been marked as a duplicate of bug 189757 ***