Bug 212460

Summary: fillBufferWithContentsOfFile<WTF::Vector<char> > (buffer=..., file=0x5555556341f0) in jsc.cpp
Product: WebKit
Reporter: v.owl337
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Normal
CC: ap
Priority: P2
Version: WebKit Nightly Build
Hardware: PC
OS: Linux

v.owl337
Reported 2020-05-28 05:01:15 PDT
Created attachment 400443 [details]
poc.js

Description of problem:
The vulnerability was triggered in function fillBufferWithContentsOfFile() at ../../Source/JavaScriptCore/jsc.cpp:948

How reproducible:
./jsc poc.js

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff2465801 in __GI_abort () at abort.c:79
#2  0x00005555555d5f61 in WTF::VectorBufferBase<char, WTF::FastMalloc>::allocateBuffer (newCapacity=<optimized out>, this=0x7fffffb1dc70) at DerivedSources/ForwardingHeaders/wtf/Vector.h:289
#3  WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::reserveCapacity (newCapacity=<optimized out>, this=0x7fffffb1dc70) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1190
#4  WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::expandCapacity (this=0x7fffffb1dc70, newMinCapacity=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1048
#5  0x000055555557f8eb in WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::resize (size=9223372036854775807, this=0x7fffffb1dc70) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1099
#6  fillBufferWithContentsOfFile<WTF::Vector<char> > (buffer=..., file=0x5555556341f0) at ../../Source/JavaScriptCore/jsc.cpp:948
#7  fillBufferWithContentsOfFile (fileName=..., buffer=...) at ../../Source/JavaScriptCore/jsc.cpp:961
#8  0x00005555555fc785 in fetchScriptFromLocalFileSystem (buffer=..., fileName=...) at ../../Source/JavaScriptCore/jsc.cpp:969
#9  functionRun (globalObject=0x7fffaedfab68, callFrame=0x7fffffb1dd00) at ../../Source/JavaScriptCore/jsc.cpp:1473

937 static bool fillBufferWithContentsOfFile(FILE* file, Vector& buffer)
938 {
939     // We might have injected "use strict"; at the top.
940     size_t initialSize = buffer.size();
941     if (fseek(file, 0, SEEK_END) == -1)
942         return false;
943     long bufferCapacity = ftell(file);
944     if (bufferCapacity == -1)
945         return false;
946     if (fseek(file, 0, SEEK_SET) == -1)
947         return false;
948     buffer.resize(bufferCapacity + initialSize);
949     size_t readSize = fread(buffer.data() + initialSize, 1, buffer.size(), file);
950     return readSize == buffer.size() - initialSize;
951 }

Additional info:
This vulnerability was detected by chong from OWL337.
Attachments
poc.js (179 bytes, text/javascript)
2020-05-28 05:01 PDT, v.owl337
no flags
Alexey Proskuryakov
Comment 1 2020-06-01 18:06:51 PDT
> #5 0x000055555557f8eb in WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul,
> WTF::FastMalloc>::resize (size=9223372036854775807,
> this=0x7fffffb1dc70) at
> DerivedSources/ForwardingHeaders/wtf/Vector.h:1099

This is 0x7FFFFFFFFFFFFFFF. A quick web search suggests that ftell returns this value on Linux for directories. Perhaps there are other cases when this happens.

The problem is not with this function, but somewhere else. Resolving for now since this is unreproducible and not actionable. Please feel free to re-open if you find out what went wrong and made ftell fail.
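For a reader who wants to see what the size computation at jsc.cpp:948 looks like once it stops trusting ftell(), here is an added example in C. It is not WebKit's code and not a patch for this bug; the cap MAX_SCRIPT_BYTES, the function names checked_buffer_size/read_script and the read_status codes are all assumptions made for illustration, and the directory behaviour of ftell() it guards against is the one the comment above reports from a web search, not something verified here. The two things it does that the quoted function does not: it refuses anything that is not a regular file (fstat after fopen, so a directory never reaches fseek/ftell), and it treats "reported length + injected prefix length" as untrusted arithmetic that is range- and overflow-checked before any buffer is sized, rather than letting the Vector's CrashOnOverflow policy abort the process.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for fileno(), fstat(), mkstemp() */
#endif
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed cap on script size; the figure is illustrative, not WebKit's. */
#define MAX_SCRIPT_BYTES ((size_t)256 * 1024 * 1024)

/* Validate "ftell() result + injected prefix length" before it becomes a
 * buffer size. The report's buffer.resize(bufferCapacity + initialSize)
 * only learns about bad values by crashing; here -1, absurd lengths such
 * as the LONG_MAX seen in the backtrace, and size_t overflow are refused. */
bool checked_buffer_size(long reported, size_t prefix_len, size_t *out)
{
    if (reported < 0)                        /* ftell() failed */
        return false;
    if ((size_t)reported > MAX_SCRIPT_BYTES)  /* e.g. LONG_MAX for a directory */
        return false;
    size_t total;
    if (__builtin_add_overflow((size_t)reported, prefix_len, &total)
        || total > MAX_SCRIPT_BYTES)
        return false;
    *out = total;
    return true;
}

enum read_status {
    READ_OK = 0,
    READ_OPEN_FAILED,
    READ_NOT_REGULAR_FILE, /* directory, device, FIFO, socket */
    READ_BAD_SIZE,         /* ftell() failed or size rejected above */
    READ_SHORT_READ,
    READ_OOM
};

/* Read `path` into a malloc'd, NUL-terminated buffer that begins with
 * `prefix` (NULL for none), like the "use strict"; injection the original
 * comment describes. On READ_OK the caller owns *out. */
enum read_status read_script(const char *path, const char *prefix,
                             char **out, size_t *out_len)
{
    FILE *file = fopen(path, "rb");
    if (!file)
        return READ_OPEN_FAILED;

    /* On Linux fopen() opens a directory without complaint; fstat() is the
     * check that tells one apart from a regular file, before any fseek/ftell. */
    struct stat st;
    if (fstat(fileno(file), &st) != 0 || !S_ISREG(st.st_mode)) {
        fclose(file);
        return READ_NOT_REGULAR_FILE;
    }

    size_t prefix_len = prefix ? strlen(prefix) : 0;
    long reported = fseek(file, 0, SEEK_END) == 0 ? ftell(file) : -1L;
    size_t total;
    if (!checked_buffer_size(reported, prefix_len, &total)
        || fseek(file, 0, SEEK_SET) != 0) {
        fclose(file);
        return READ_BAD_SIZE;
    }

    char *buf = malloc(total + 1); /* total <= MAX_SCRIPT_BYTES, so +1 cannot wrap */
    if (!buf) {
        fclose(file);
        return READ_OOM;
    }
    if (prefix_len)
        memcpy(buf, prefix, prefix_len);

    /* Request exactly the bytes that fit after the prefix. The original
     * passes buffer.size() to fread() for a region of buffer.size() -
     * initialSize bytes and relies on EOF to stop the read early. */
    size_t got = fread(buf + prefix_len, 1, total - prefix_len, file);
    fclose(file);
    if (got != total - prefix_len) {
        free(buf);
        return READ_SHORT_READ;
    }
    buf[total] = '\0';
    *out = buf;
    *out_len = total;
    return READ_OK;
}
```

Calling read_script(".", NULL, &data, &len) returns READ_NOT_REGULAR_FILE on Linux, which is the case the backtrace's size=9223372036854775807 points at; feeding that same value to checked_buffer_size() directly returns false instead of reaching a resize. The fstat-after-fopen ordering matters: checking the path with stat() before opening leaves a window in which the path can be swapped, whereas fstat() describes the descriptor actually being read.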