Bug 222542

Summary: Crash calling the "load" function on a too large file in the jsc command line tool
Product: WebKit Reporter: Xiaoyu He <1422930734>
Component: JavaScriptCore
Assignee: Yusuke Suzuki <ysuzuki>
Status: NEW    
Severity: Critical CC: bfulgham, darin, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Linux   
Attachments:
Description Flags
poc none

Xiaoyu He
Reported 2021-03-01 04:10:01 PST
Created attachment 421808 [details]
poc

   0x7ffff4681fab <raise+187>    mov    edi, 0x2
   0x7ffff4681fb0 <raise+192>    mov    eax, 0xe
   0x7ffff4681fb5 <raise+197>    syscall
 → 0x7ffff4681fb7 <raise+199>    mov    rcx, QWORD PTR [rsp+0x108]
   0x7ffff4681fbf <raise+207>    xor    rcx, QWORD PTR fs:0x28
   0x7ffff4681fc8 <raise+216>    mov    eax, r8d
   0x7ffff4681fcb <raise+219>    jne    0x7ffff4681fec <__GI_raise+252>
   0x7ffff4681fcd <raise+221>    add    rsp, 0x118
   0x7ffff4681fd4 <raise+228>    ret
──────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "jsc_afl_asan18", stopped, reason: SIGABRT
──────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff4681fb7 → __GI_raise(sig=0x6)
[#1] 0x7ffff4683921 → __GI_abort()
[#2] 0x59c516 → allocateBuffer<WTF::FailureAction::Crash>()
[#3] 0x5ef736 → reserveCapacity<WTF::FailureAction::Crash>()
[#4] 0x5ef3e3 → expandCapacity<WTF::FailureAction::Crash>()
[#5] 0x5eec66 → resize()
[#6] 0x5851ab → fillBufferWithContentsOfFile<WTF::Vector<char, 0, WTF::CrashOnOverflow, 16, WTF::FastMalloc> >()
[#7] 0x5851ab → fillBufferWithContentsOfFile()
[#8] 0x5851ab → fetchScriptFromLocalFileSystem()
[#9] 0x54378d → functionLoad()
Attachments
poc (332 bytes, text/plain)
2021-03-01 04:10 PST, Xiaoyu He
no flags
Radar WebKit Bug Importer
Comment 1 2021-03-01 04:10:14 PST
Darin Adler
Comment 2 2021-03-01 09:54:52 PST
This intentional crash is a policy of the "jsc" command line tool, not of JavaScriptCore itself. Could easily be changed, but is not a JavaScriptCore security bug.
Darin Adler
Comment 3 2021-03-01 09:55:32 PST
Trivial to fix by adding a tryReserveCapacity call to the fillBufferWithContentsOfFile function.
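The contrast Darin describes, as an added example that is not WebKit code: a buffer reserve that crashes the process on failure (the WTF::FailureAction::Crash policy behind the SIGABRT in the backtrace) versus a tryReserveCapacity-style reserve that reports failure so the caller of "load" can return an error instead of aborting. The code below uses std::vector rather than WTF::Vector; tryReserveCapacity, fillBufferWithContentsOfFile, reserveCapacityOrCrash, the sizeLimit cap and the sample file path are stand-ins chosen for this example, not the jsc shell's own signatures.

```cpp
// Added example (not WebKit code): fallible vs. crash-on-failure buffer reserve
// for a file-loading routine, modelled on the fix suggested in the bug.
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <new>
#include <stdexcept>
#include <string>
#include <vector>

// Stand-in for a tryReserveCapacity call: grows the buffer or returns false.
// sizeLimit is an assumed policy knob for the example, not a WebKit API; it
// lets a test trigger the "too large" path without a multi-gigabyte file.
static bool tryReserveCapacity(std::vector<char>& buffer, size_t capacity, size_t sizeLimit) {
    if (capacity > sizeLimit)
        return false;
    try {
        buffer.reserve(capacity);
    } catch (const std::bad_alloc&) {
        return false;
    } catch (const std::length_error&) {
        return false;
    }
    return true;
}

// Models WTF::FailureAction::Crash: a failed reserve is fatal for the whole
// process. This is the behaviour the reporter's SIGABRT backtrace shows.
static void reserveCapacityOrCrash(std::vector<char>& buffer, size_t capacity, size_t sizeLimit) {
    if (!tryReserveCapacity(buffer, capacity, sizeLimit))
        std::abort();
}

// Fallible counterpart of the shell's fillBufferWithContentsOfFile: returns
// false and leaves the buffer empty instead of crashing when the file cannot
// be read or exceeds the cap.
static bool fillBufferWithContentsOfFile(const std::string& path, std::vector<char>& buffer, size_t sizeLimit) {
    buffer.clear();
    FILE* f = std::fopen(path.c_str(), "rb");
    if (!f)
        return false;
    if (std::fseek(f, 0, SEEK_END) != 0) { std::fclose(f); return false; }
    long size = std::ftell(f);
    if (size < 0 || std::fseek(f, 0, SEEK_SET) != 0) { std::fclose(f); return false; }
    if (!tryReserveCapacity(buffer, static_cast<size_t>(size), sizeLimit)) {
        std::fclose(f);
        return false;          // caller reports an error; no abort
    }
    buffer.resize(static_cast<size_t>(size));
    size_t got = buffer.empty() ? 0 : std::fread(buffer.data(), 1, buffer.size(), f);
    std::fclose(f);
    if (got != buffer.size()) { buffer.clear(); return false; }
    return true;
}

struct DemoResult {
    bool smallLimitRejected;   // cap below file size: load fails cleanly
    bool largeLimitLoaded;     // cap above file size: load succeeds
    bool contentMatches;       // loaded bytes equal the file contents
};

// Writes a constructed sample script (not the attached poc) to a temporary
// file and exercises both cap settings. The path is an assumption.
static DemoResult runDemo() {
    const char* path = "jsc_load_demo_sample.js";
    const char script[] = "print('hello from load');\n";
    DemoResult r{false, false, false};
    FILE* f = std::fopen(path, "wb");
    if (!f)
        return r;
    std::fwrite(script, 1, sizeof(script) - 1, f);
    std::fclose(f);

    std::vector<char> buffer;
    r.smallLimitRejected = !fillBufferWithContentsOfFile(path, buffer, 8) && buffer.empty();
    r.largeLimitLoaded = fillBufferWithContentsOfFile(path, buffer, 1 << 20);
    r.contentMatches = buffer.size() == sizeof(script) - 1
        && std::memcmp(buffer.data(), script, buffer.size()) == 0;
    std::remove(path);
    return r;
}

int main() {
    DemoResult r = runDemo();
    std::printf("rejected over cap: %d, loaded under cap: %d, content ok: %d\n",
                r.smallLimitRejected, r.largeLimitLoaded, r.contentMatches);
    return 0;
}
```

With the fallible path, an oversized input to "load" becomes an ordinary error the shell can surface to the script, which is what matters for fuzzing throughput; reserveCapacityOrCrash is kept only to show the policy the bug reports against.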
Xiaoyu He
Comment 4 2021-03-01 16:47:11 PST
Can you give me a CVE number?
Darin Adler
Comment 5 2021-03-01 18:26:14 PST
I don’t think this is a security bug since it’s specific to the "jsc" command line tool. It interferes with fuzzing, but has no effect on security of web browsers using JavaScriptCore, for example.
Yusuke Suzuki
Comment 6 2021-03-16 23:06:48 PDT
Yes. This is not a security issue since it always crashes and it only exists in JSC shell (this is not included in WebContent process).