
SEGV at njs/src/njs_scope.h:94:10 in njs_scope_valid_value #773

Open
gandalf4a opened this issue Aug 15, 2024 · 0 comments
version:

$ git show
commit 3ac496802862347c5cf8f0b6e3825163dc7bb1c9 (HEAD -> master, origin/master, origin/HEAD)
Author: Dmitry Volyntsev <[email protected]>
Date:   Thu Jul 25 17:28:37 2024 -0700

    Tests: adapting unsafe redirect test for QuickJS.
    
    At the moment QuickJS has no API for getting strings
    with NUL characters in the middle of the string.
    
    Instead of a NUL byte make another unsafe redirect URI.

system:

$ uname -a
Linux gandalf-ThinkPad-T14-Gen-3 6.5.0-44-generic #44~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Jun 18 14:36:16 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Reproduce

njs/build/njs_fuzzilli poc_file.js

poc_file.js

const v0 = [Infinity,0.7856315572115781,-Infinity,-1000000000000.0,-1000000000.0];
async function f1(a2, a3) {
    let v4 = await a2;
    function f5(a6, a7) {
        return v4 >>>= v0;
    }
    f5();
    function f9() {
        f5 /= f5;
        return v0;
    }
    return v0;
}
f1(f1, f1);
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// 
// STDOUT:
// 
// FUZZER ARGS: .build/x86_64-unknown-linux-gnu/release/FuzzilliCli --profile=njs --storagePath=Targets/njs/out /home/gandalf/fuzzilli/Targets/njs/njs/build/njs_fuzzilli --resume
// TARGET ARGS: /home/gandalf/fuzzilli/Targets/njs/njs/build/njs_fuzzilli fuzz
// CONTRIBUTORS: NumberComputationGenerator, ArrayGenerator, ElementAssignmentGenerator, FunctionCallGenerator, TrivialFunctionGenerator, SpliceMutator, TypedArrayGenerator, OperationMutator, WellKnownPropertyStoreGenerator, CodeGenMutator, UpdateGenerator
// EXECUTION TIME: 11ms

asan report

/home/gandalf/fuzzilli/Targets/njs/out/crashes/program_20240814004355_CAD133B9-FC51-48A1-B2BC-60C73BAE045D_deterministic.js
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3726447==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5a3b22eb02cb bp 0x0007fffffff8 sp 0x7ffe6c94cf10 T3726447)
==3726447==The signal is caused by a READ memory access.
==3726447==Hint: address points to the zero page.
    #0 0x5a3b22eb02cb in njs_scope_valid_value /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_scope.h:94:10
    #1 0x5a3b22eb02cb in njs_vmcode_interpreter /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vmcode.c:868:9
    #2 0x5a3b22f15138 in njs_function_lambda_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:610:11
    #3 0x5a3b22f14bb3 in njs_function_frame_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:686:16
    #4 0x5a3b22eb5daa in njs_vmcode_interpreter /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vmcode.c:1451:15
    #5 0x5a3b22f30b54 in njs_await_fulfilled /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_async.c:91:11
    #6 0x5a3b22f14b40 in njs_function_native_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:647:11
    #7 0x5a3b22f14b40 in njs_function_frame_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:683:16
    #8 0x5a3b22f14ac7 in njs_function_call2 /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:515:12
    #9 0x5a3b22f2be90 in njs_function_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.h:164:12
    #10 0x5a3b22f2be90 in njs_promise_reaction_job /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_promise.c:1098:15
    #11 0x5a3b22f14b40 in njs_function_native_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:647:11
    #12 0x5a3b22f14b40 in njs_function_frame_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:683:16
    #13 0x5a3b22ea674d in njs_vm_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vm.c:599:12
    #14 0x5a3b22ea674d in njs_vm_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vm.c:583:12
    #15 0x5a3b22ea674d in njs_vm_execute_pending_job /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vm.c:690:11
    #16 0x5a3b22e9c8a7 in njs_engine_njs_execute_pending_job /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli_shell.c:1399:12
    #17 0x5a3b22e9bb4d in njs_process_script /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli_shell.c:3541:19
    #18 0x5a3b22e9b8a4 in njs_process_file /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli_shell.c:3501:11
    #19 0x5a3b22e9aecf in main /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli.c:149:18
    #20 0x7032a8629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #21 0x7032a8629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #22 0x5a3b22e71324 in _start (/home/gandalf/fuzzilli/Targets/njs/njs/build/njs_fuzzilli+0x18324) (BuildId: 3d2f757dce7d42751a15759500ec6c91c5f77630)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_scope.h:94:10 in njs_scope_valid_value
==3726447==ABORTING

Credit

Gandalf4a of PKU-Changsha Institute for Computing and Digital Economy
@gandalf4a gandalf4a added the bug label Aug 15, 2024
@nginx nginx deleted a comment from Sayedbila Sep 2, 2024