SEGV in njs_value_to_primitive #534

Asuk4 · 2022-06-03T11:01:38Z

Environment

OS      : Linux ubuntu 5.13.0-44-generic #49~20.04.1-Ubuntu SMP Wed May 18 18:44:28 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit  : d09868bc71f9a990445959329ad8c1b10d3898f5
Version : 0.7.4
Build   :
          NJS_CFLAGS="$NJS_CFLAGS -fsanitize=address"
          NJS_CFLAGS="$NJS_CFLAGS -fno-omit-frame-pointer"

Proof of concept

var v = 1;
async function f() {
    await 1;

    var a = [];
    function g() {
        return v;
    }

    a.toString = g;

    Function(a);

    function s() {
        g + 1;
    }
}

f();

Stack dump

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3153076==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e2b44 bp 0x7ffd8a5ee0c0 sp 0x7ffd8a5ed820 T0)
==3153076==The signal is caused by a READ memory access.
==3153076==Hint: address points to the zero page.
    #0 0x4e2b44 in njs_scope_valid_value /path/to/njs/src/njs_scope.h:86:10
    #1 0x4e2b44 in njs_vmcode_interpreter /path/to/njs/src/njs_vmcode.c:733:17
    #2 0x53a49c in njs_function_lambda_call /path/to/njs/src/njs_function.c:693:11
    #3 0x5396bc in njs_function_frame_invoke /path/to/njs/src/njs_function.c:769:16
    #4 0x5396bc in njs_function_call2 /path/to/njs/src/njs_function.c:592:11
    #5 0x4d4c06 in njs_function_apply /path/to/njs/src/njs_function.h:186:12
    #6 0x4d4c06 in njs_value_to_primitive /path/to/njs/src/njs_value.c:166:23
    #7 0x53c960 in njs_value_to_chain /path/to/njs/src/njs_value_conversion.h:217:19
    #8 0x53c960 in njs_function_constructor /path/to/njs/src/njs_function.c:1151:11
    #9 0x53afac in njs_function_native_call /path/to/njs/src/njs_function.c:728:11
    #10 0x4e44a4 in njs_vmcode_interpreter /path/to/njs/src/njs_vmcode.c:799:23
    #11 0x603263 in njs_await_fulfilled /path/to/njs/src/njs_async.c:91:11
    #12 0x53afac in njs_function_native_call /path/to/njs/src/njs_function.c:728:11
    #13 0x539699 in njs_function_frame_invoke /path/to/njs/src/njs_function.c:766:16
    #14 0x539699 in njs_function_call2 /path/to/njs/src/njs_function.c:592:11
    #15 0x5f2727 in njs_function_call /path/to/njs/src/njs_function.h:178:12
    #16 0x5f2727 in njs_promise_reaction_job /path/to/njs/src/njs_promise.c:1171:15
    #17 0x53afac in njs_function_native_call /path/to/njs/src/njs_function.c:728:11
    #18 0x4dde50 in njs_vm_invoke /path/to/njs/src/njs_vm.c:428:12
    #19 0x4dde50 in njs_vm_call /path/to/njs/src/njs_vm.c:412:12
    #20 0x4dde50 in njs_vm_handle_events /path/to/njs/src/njs_vm.c:572:19
    #21 0x4dde50 in njs_vm_run /path/to/njs/src/njs_vm.c:532:12
    #22 0x4c7fd7 in njs_process_script /path/to/njs/src/njs_shell.c:924:15
    #23 0x4c71eb in njs_process_file /path/to/njs/src/njs_shell.c:619:11
    #24 0x4c71eb in main /path/to/njs/src/njs_shell.c:303:15
    #25 0x7fb975f84082 in __libc_start_main /build/glibc-KZwQYS/glibc-2.31/csu/../csu/libc-start.c:308:16
    #26 0x41da7d in _start (/path/to/njs/build/njs+0x41da7d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /path/to/njs/src/njs_scope.h:86:10 in njs_scope_valid_value
==3153076==ABORTING

The text was updated successfully, but these errors were encountered:

xeioex · 2023-04-08T06:03:17Z

Duplicate of #530.

xeioex added bug fuzzer labels Jun 5, 2022

xeioex added the duplicate label Apr 8, 2023

xeioex closed this as completed Apr 8, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SEGV in njs_value_to_primitive #534

SEGV in njs_value_to_primitive #534

Asuk4 commented Jun 3, 2022 •

edited by xeioex

Loading

xeioex commented Apr 8, 2023

SEGV in njs_value_to_primitive #534

SEGV in njs_value_to_primitive #534

Comments

Asuk4 commented Jun 3, 2022 • edited by xeioex Loading

Environment

Proof of concept

Stack dump

xeioex commented Apr 8, 2023

Asuk4 commented Jun 3, 2022 •

edited by xeioex

Loading