RESOLVED FIXED
285393
[JSC] heap-buffer-overflow on WebKit/Source/JavaScriptCore/runtime/WriteBarrier.h:166:17
https://bugs.webkit.org/show_bug.cgi?id=285393
rhezashan
Reported
2025-01-04 19:46:40 PST
Created attachment 473776 [details]
poc.js

1. Tested on Webkit branch main
2. Target release - crashes
3. Target debug - crashes
4. Run with `./bin/jsc ./poc.js`

# commit @main
```
commit b3809e07dc65e5678706c3ee334ca12930ebf129 (HEAD -> main, origin/main, origin/HEAD)
Author: Rob Buis <rbuis@igalia.com>
Date:   Sat Jan 4 12:19:18 2025 -0800
```

# Error stack release target
```
=================================================================
==437170==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x52d000023ff8 at pc 0x601974d9c81b bp 0x7fff5fcecb30 sp 0x7fff5fcecb28
WRITE of size 16 at 0x52d000023ff8 thread T0
    #0 0x601974d9c81a in JSC::WriteBarrierBase<JSC::Unknown, WTF::RawValueTraits<JSC::Unknown>>::setWithoutWriteBarrier(JSC::JSValue) /home/rheza/WebKit/Source/JavaScriptCore/runtime/WriteBarrier.h:166:17
    #1 0x601974d9c81a in JSC::ContiguousData<JSC::WriteBarrier<JSC::Unknown, WTF::RawValueTraits<JSC::Unknown>>>::Data::setWithoutWriteBarrier(JSC::JSValue const&) /home/rheza/WebKit/Source/JavaScriptCore/runtime/Butterfly.h:87:20
    #2 0x601974d9c81a in JSC::JSArray::fastFill(JSC::VM&, unsigned int, unsigned int, JSC::JSValue) /home/rheza/WebKit/Source/JavaScriptCore/runtime/JSArray.cpp:520:43
    #3 0x601974a2c8a7 in JSC::arrayProtoFuncFill(JSC::JSGlobalObject*, JSC::CallFrame*) /home/rheza/WebKit/Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1946:20
    #4 0x7e9f7ca10037 (<unknown module>)

0x52d000024000 is located 0 bytes after 16384-byte region [0x52d000020000,0x52d000024000)
allocated by thread T0 here:
    #0 0x601972083606 in aligned_alloc (/home/rheza/WebKit/webkit-clang-main-release/bin/jsc+0xcf9606) (BuildId: 38bf8325b8192e73)
    #1 0x60197639e884 in pas_debug_heap_allocate(unsigned long, unsigned long, pas_allocation_mode) /home/rheza/WebKit/webkit-clang-main-release/bmalloc/Headers/bmalloc/pas_debug_heap.h:102:22
    #2 0x60197639bdd5 in bmalloc_try_allocate_with_alignment_impl(unsigned long, unsigned long, pas_allocation_mode) /home/rheza/WebKit/webkit-clang-main-release/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:59:1
    #3 0x60197639bdd5 in bmalloc_try_allocate_with_alignment_inline(unsigned long, unsigned long, pas_allocation_mode) /home/rheza/WebKit/webkit-clang-main-release/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:104:19
    #4 0x60197639bdd5 in bmalloc::api::tryMemalign(unsigned long, unsigned long, bmalloc::CompactAllocationMode, bmalloc::HeapKind) /home/rheza/WebKit/webkit-clang-main-release/bmalloc/Headers/bmalloc/bmalloc.h:124:16
    #5 0x60197639bdd5 in WTF::tryFastCompactAlignedMalloc(unsigned long, unsigned long) /home/rheza/WebKit/Source/WTF/wtf/FastMalloc.cpp:780:20
    #6 0x601973f4442e in JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()::operator()() const /home/rheza/WebKit/Source/JavaScriptCore/heap/LocalAllocatorInlines.h:41:43
    #7 0x601973f4442e in JSC::HeapCell* JSC::FreeList::allocateWithCellSize<JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()>(JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'() const&, unsigned long) /home/rheza/WebKit/Source/JavaScriptCore/heap/FreeListInlines.h:46:16
    #8 0x601973f4442e in JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /home/rheza/WebKit/Source/JavaScriptCore/heap/LocalAllocatorInlines.h:38:23
    #9 0x601973f4442e in JSC::Allocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const /home/rheza/WebKit/Source/JavaScriptCore/heap/AllocatorInlines.h:35:30
    #10 0x601973f4442e in JSC::CompleteSubspace::tryAllocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*) /home/rheza/WebKit/Source/JavaScriptCore/heap/CompleteSubspace.cpp:122:26
    #11 0x601973f43d78 in JSC::CompleteSubspace::allocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /home/rheza/WebKit/Source/JavaScriptCore/heap/CompleteSubspace.cpp:108:20

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/rheza/WebKit/Source/JavaScriptCore/runtime/WriteBarrier.h:166:17 in JSC::WriteBarrierBase<JSC::Unknown, WTF::RawValueTraits<JSC::Unknown>>::setWithoutWriteBarrier(JSC::JSValue)
Shadow bytes around the buggy address:
  0x52d000023d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x52d000023d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x52d000023e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x52d000023e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x52d000023f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x52d000023f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[00]
  0x52d000024000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52d000024080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52d000024100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52d000024180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52d000024200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==437170==ABORTING
```

# Error stack on debug target
```
ASSERTION FAILED: index < m_length
/home/rheza/WebKit/Source/JavaScriptCore/runtime/ButterflyInlines.h(48) : typename ContiguousData<T>::Data JSC::ContiguousData<JSC::WriteBarrier<Unknown, RawValueTraits<Unknown>>>::at(const JSCell *, size_t) [T = JSC::WriteBarrier<Unknown, RawValueTraits<Unknown>>]
1   0x56ea78a0ff04 WTFReportBacktrace
2   0x56ea73fdb9b3 JSC::ContiguousData<JSC::WriteBarrier<JSC::Unknown, WTF::RawValueTraits<JSC::Unknown> > >::at(JSC::JSCell const*, unsigned long)
3   0x56ea7739a257 JSC::JSArray::fastFill(JSC::VM&, unsigned int, unsigned int, JSC::JSValue)
4   0x56ea76f813a1 JSC::arrayProtoFuncFill(JSC::JSGlobalObject*, JSC::CallFrame*)
5   0x7428dba10038 ???
Aborted (core dumped)
```
Attachments
poc.js (217 bytes, text/javascript), 2025-01-04 19:46 PST, rhezashan, no flags
Radar WebKit Bug Importer
Comment 1
2025-01-04 19:46:50 PST
<rdar://problem/142369820>
Yusuke Suzuki
Comment 2
2025-01-07 19:10:52 PST
ToT crash.
Yusuke Suzuki
Comment 3
2025-01-07 19:12:41 PST
Pull request:
https://github.com/WebKit/WebKit/pull/38698
EWS
Comment 4
2025-01-07 20:06:44 PST
Committed 288578@main (c702978087bc): <https://commits.webkit.org/288578@main>

Reviewed commits have been landed. Closing PR #38698 and removing active labels.