WebKit Bugzilla
NEW
222542
Crash calling the "load" function on a too large file in the jsc command line tool
https://bugs.webkit.org/show_bug.cgi?id=222542
Reported by Xiaoyu He, 2021-03-01 04:10:01 PST

Created attachment 421808 [details]
poc

0x7ffff4681fab <raise+187> mov edi, 0x2
0x7ffff4681fb0 <raise+192> mov eax, 0xe
0x7ffff4681fb5 <raise+197> syscall
→ 0x7ffff4681fb7 <raise+199> mov rcx, QWORD PTR [rsp+0x108]
0x7ffff4681fbf <raise+207> xor rcx, QWORD PTR fs:0x28
0x7ffff4681fc8 <raise+216> mov eax, r8d
0x7ffff4681fcb <raise+219> jne 0x7ffff4681fec <__GI_raise+252>
0x7ffff4681fcd <raise+221> add rsp, 0x118
0x7ffff4681fd4 <raise+228> ret
──────── threads ────
[#0] Id 1, Name: "jsc_afl_asan18", stopped, reason: SIGABRT
──────── trace ────
[#0] 0x7ffff4681fb7 → __GI_raise(sig=0x6)
[#1] 0x7ffff4683921 → __GI_abort()
[#2] 0x59c516 → allocateBuffer<WTF::FailureAction::Crash>()
[#3] 0x5ef736 → reserveCapacity<WTF::FailureAction::Crash>()
[#4] 0x5ef3e3 → expandCapacity<WTF::FailureAction::Crash>()
[#5] 0x5eec66 → resize()
[#6] 0x5851ab → fillBufferWithContentsOfFile<WTF::Vector<char, 0, WTF::CrashOnOverflow, 16, WTF::FastMalloc> >()
[#7] 0x5851ab → fillBufferWithContentsOfFile()
[#8] 0x5851ab → fetchScriptFromLocalFileSystem()
[#9] 0x54378d → functionLoad()
Attachments
poc (332 bytes, text/plain), 2021-03-01 04:10 PST, Xiaoyu He, no flags
Radar WebKit Bug Importer
Comment 1
2021-03-01 04:10:14 PST
<rdar://problem/74863969>
Darin Adler
Comment 2
2021-03-01 09:54:52 PST
This intentional crash is a policy of the "jsc" command line tool, not of JavaScriptCore itself. Could easily be changed, but is not a JavaScriptCore security bug.
Darin Adler
Comment 3
2021-03-01 09:55:32 PST
Trivial to fix by adding a tryReserveCapacity call to the fillBufferWithContentsOfFile function.
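As an added example (not WebKit's or the jsc shell's code), this shows the fallible-reservation pattern the comment above describes: a file loader that reserves its buffer with a "try" call and reports failure to the caller, instead of growing a crash-on-overflow vector and aborting on a too-large input. The function names, the status enum and the size cap are assumptions made for the example.

```cpp
#include <cstdint>
#include <exception>
#include <fstream>
#include <string>
#include <vector>

// Outcome reported to the caller instead of aborting the process.
enum class LoadStatus { Ok, CannotOpen, TooLarge, OutOfMemory };

// Largest script we are willing to buffer (hypothetical value for the example).
constexpr uint64_t kMaxScriptBytes = 64ull * 1024 * 1024;

// Fallible reservation: returns false where a crash-on-overflow vector
// would abort (length overflow or allocation failure).
static bool tryReserveBytes(std::vector<char>& buffer, uint64_t bytes) {
    if (bytes > buffer.max_size())
        return false;
    try {
        buffer.reserve(static_cast<size_t>(bytes));
    } catch (const std::exception&) {  // std::bad_alloc or std::length_error
        return false;
    }
    return true;
}

// Read a whole file into `out`; refuses oversized files and failed
// reservations with a status code rather than a crash.
static LoadStatus loadScriptFile(const std::string& path, std::vector<char>& out,
                                 uint64_t maxBytes = kMaxScriptBytes) {
    std::ifstream in(path, std::ios::binary | std::ios::ate);
    if (!in)
        return LoadStatus::CannotOpen;
    const std::streamoff end = in.tellg();
    if (end < 0)
        return LoadStatus::CannotOpen;
    const uint64_t size = static_cast<uint64_t>(end);
    if (size > maxBytes)
        return LoadStatus::TooLarge;      // reject before touching the allocator
    if (!tryReserveBytes(out, size))
        return LoadStatus::OutOfMemory;   // allocator said no; caller decides
    out.resize(static_cast<size_t>(size));
    in.seekg(0);
    if (size && !in.read(out.data(), static_cast<std::streamsize>(size)))
        return LoadStatus::CannotOpen;
    return LoadStatus::Ok;
}
```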
Xiaoyu He
Comment 4
2021-03-01 16:47:11 PST
Can you give me a CVE number?
Darin Adler
Comment 5
2021-03-01 18:26:14 PST
I don’t think this is a security bug since it’s specific to the "jsc" command line tool. It interferes with fuzzing, but has no effect on security of web browsers using JavaScriptCore, for example.
Yusuke Suzuki
Comment 6
2021-03-16 23:06:48 PDT
Yes. This is not a security issue since it always crashes and it only exists in JSC shell (this is not included in WebContent process).