199796 – Found a bug while fuzzing

Bug 199796 - Found a bug while fuzzing

Summary: Found a bug while fuzzing

Status:	RESOLVED DUPLICATE of bug 197634

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	Other
Hardware:	Unspecified All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2019-07-15 04:29 PDT by zhoujielun
Modified:	2019-07-30 10:54 PDT (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description zhoujielun 2019-07-15 04:29:35 PDT

# env 

ubuntu 18.04
webkit cb9ca26

# bug
it crashed in the function WTF::SymbolImpl
    0x1ef6345 <WTF::SymbolImpl::create(WTF::StringImpl&)+5> push   r12
    0x1ef6347 <WTF::SymbolImpl::create(WTF::StringImpl&)+7> push   rbx
    0x1ef6348 <WTF::SymbolImpl::create(WTF::StringImpl&)+8> mov    r15, rsi
 →  0x1ef634b <WTF::SymbolImpl::create(WTF::StringImpl&)+11> mov    r14, rdi
    0x1ef634e <WTF::SymbolImpl::create(WTF::StringImpl&)+14> lea    rdi, [rip+0x9104a7]        # 0x28067fc
    0x1ef6355 <WTF::SymbolImpl::create(WTF::StringImpl&)+21> call   0x7b2890 <__sanitizer_cov_trace_pc_guard>
    0x1ef635a <WTF::SymbolImpl::create(WTF::StringImpl&)+26> mov    ebp, DWORD PTR [r15+0x10]
    0x1ef635e <WTF::SymbolImpl::create(WTF::StringImpl&)+30> mov    eax, ebp
    0x1ef6360 <WTF::SymbolImpl::create(WTF::StringImpl&)+32> and    eax, 0x3


the r15 here is NULL, this is passed from the PrivateName function. The rsi it passed into the chunk is a value from stack, and its NULL.
$r14   : 0x00007fffffffc400  →  0x0000000000000000
When we check the source code, we found that the javascript code triggered the javascript's internal method Symbol::create(), this function will new a symbol object, and will call Symbol function inside it.
Symbol* Symbol::create(ExecState* exec, JSString* description)
 {
     VM& vm = exec->vm();
     String desc = description->value(exec);
     Symbol* symbol = new (NotNull, allocateCell<Symbol>(vm.heap)) Symbol(vm, desc);
     symbol->finishCreation(vm);
     return symbol;
 }
In this Symbol function, it will call another create function
  45     enum DescriptionTag { Description };
  46     explicit PrivateName(DescriptionTag, const String& description)
  47         : m_uid(SymbolImpl::create(*description.impl()))
  48     {
  49     }
how ever the rsi is NULL...

# poc 

function main() {
function v3(v4,v5,v6,v7,v8) {
    'use strict'
    const v10 = Symbol(v6);
    function v12(v13,v14,v15,v16,v17) {
        'use strict'
        const v20 = [-268435456,-3654755103];
        const v21 = [-3654755103,v20];
        let v24 = v21;
        const v25 = v24.toLocaleString();
        const v26 = v25.padEnd(2147483647,Promise);
        const v27 = v3(Promise,"gBxRp/rynU",v26);
    }
    const v28 = new Promise(v12);
}
const v29 = new Promise(v3);
}
noDFG(main);
noFTL(main);
main();

Comment 1 Radar WebKit Bug Importer 2019-07-15 16:14:24 PDT

<rdar://problem/53127278>

Comment 2 Yusuke Suzuki 2019-07-30 10:54:02 PDT


*** This bug has been marked as a duplicate of bug 197634 ***