Bug 254582
| Summary: | [JSC] CrashOnOverflow in CharacterClassConstructor::unicodeOpSorted() | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Samuel Groß <saelo> |
| Component: | JavaScriptCore | Assignee: | Michael Saboff <msaboff> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bfulgham, msaboff, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Samuel Groß
The following code triggers a crash on JSC builds from current HEAD:
```js
const v0 = `
const v2 = /(?:(?=a)b){5}abcde/;
[v0,"var \u1234 = 42;",[v0,"var \u1234 = 42;"]];
const t3 = v2.constructor;
const v6 = new t3(v0, ..."var \u1234 = 42;");
`;
eval(v0);
// CRASH INFO
// ==========
// TERMSIG: 6
// EXECUTION TIME: 16ms
```
Here is the backtrace from gdb:
```
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
#1 0x00007ffff16add2f in __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2 0x00007ffff165eef2 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007ffff1649472 in __GI_abort () at ./stdlib/abort.c:79
#4 0x00007ffff52083f9 in WTF::CrashOnOverflow::crash () at WTF/Headers/wtf/CheckedArithmetic.h:109
#5 0x00007ffff52083e9 in WTF::CrashOnOverflow::overflowed () at WTF/Headers/wtf/CheckedArithmetic.h:102
#6 0x00007ffff53077e8 in WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at (this=0x7fffe705d408, i=1) at WTF/Headers/wtf/Vector.h:781
#7 0x00007ffff73a973d in WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator[] (this=0x7fffe705d408, i=1) at WTF/Headers/wtf/Vector.h:786
#8 0x00007ffff749c45a in JSC::Yarr::CharacterClassConstructor::unicodeOpSorted (this=0x7fffffffb308, rhsMatchesUnicode=..., rhsRangesUnicode=...) at Source/JavaScriptCore/yarr/YarrPattern.cpp:786
#9 0x00007ffff749bb25 in JSC::Yarr::CharacterClassConstructor::performSetOpWithMatches (this=0x7fffffffb308, rhsMatches=..., rhsRanges=..., rhsMatchesUnicode=..., rhsRangesUnicode=...) at Source/JavaScriptCore/yarr/YarrPattern.cpp:404
#10 0x00007ffff74a018e in JSC::Yarr::CharacterClassConstructor::performSetOpWith (this=0x7fffffffb308, rhs=0x7fffe705d3d0) at Source/JavaScriptCore/yarr/YarrPattern.cpp:368
#11 0x00007ffff749b00c in JSC::Yarr::YarrPatternConstructor::atomCharacterClassPopNested (this=0x7fffffffb2f8) at Source/JavaScriptCore/yarr/YarrPattern.cpp:1219
#12 0x00007ffff74adf74 in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, char16_t>::ClassSetParserDelegate::nestedClassEnd (this=0x7fffffffaff8) at Source/JavaScriptCore/yarr/YarrParser.h:364
#13 0x00007ffff74ac11f in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, char16_t>::parseClassSet (this=0x7fffffffb0f8) at Source/JavaScriptCore/yarr/YarrParser.h:1229
#14 0x00007ffff74ab3b2 in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, char16_t>::parseTokens (this=0x7fffffffb0f8) at Source/JavaScriptCore/yarr/YarrParser.h:1539
#15 0x00007ffff748ffa3 in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, char16_t>::parse (this=0x7fffffffb0f8) at Source/JavaScriptCore/yarr/YarrParser.h:1632
#16 0x00007ffff748716e in JSC::Yarr::parse<JSC::Yarr::YarrPatternConstructor> (delegate=..., pattern=..., compileMode=JSC::Yarr::CompileMode::UnicodeSets, backReferenceLimit=4294967295, isNamedForwardReferenceAllowed=true) at Source/JavaScriptCore/yarr/YarrParser.h:2083
#17 0x00007ffff73e9ded in JSC::Yarr::YarrPattern::compile (this=0x7fffffffb498, patternString=...) at Source/JavaScriptCore/yarr/YarrPattern.cpp:2053
#18 0x00007ffff73ea1bd in JSC::Yarr::YarrPattern::YarrPattern (this=0x7fffffffb498, pattern=..., flags=..., error=@0x7fffe702103c: JSC::Yarr::ErrorCode::NoError) at Source/JavaScriptCore/yarr/YarrPattern.cpp:2093
#19 0x00007ffff6da3e5e in JSC::RegExp::finishCreation (this=0x7fffe7021028, vm=...) at Source/JavaScriptCore/runtime/RegExp.cpp:159
#20 0x00007ffff6da4009 in JSC::RegExp::createWithoutCaching (vm=..., patternString=..., flags=...) at Source/JavaScriptCore/runtime/RegExp.cpp:197
#21 0x00007ffff6da40ec in JSC::RegExpCache::lookupOrCreate (this=0x7fffe704c0c0, patternString=..., flags=...) at Source/JavaScriptCore/runtime/RegExpCache.cpp:42
#22 0x00007ffff6da4058 in JSC::RegExp::create (vm=..., patternString=..., flags=...) at Source/JavaScriptCore/runtime/RegExp.cpp:203
#23 0x00007ffff6db9383 in JSC::regExpCreate (globalObject=0x7fffa541a068, newTarget=..., patternArg=..., flagsArg=...) at Source/JavaScriptCore/runtime/RegExpConstructor.cpp:234
#24 0x00007ffff6db8fb3 in JSC::constructRegExp (globalObject=0x7fffa541a068, args=..., callee=0x7fffa54c8130, newTarget=...) at Source/JavaScriptCore/runtime/RegExpConstructor.cpp:294
#25 0x00007ffff6db6a34 in JSC::constructWithRegExpConstructor (globalObject=0x7fffa541a068, callFrame=0x7fffffffba60) at Source/JavaScriptCore/runtime/RegExpConstructor.cpp:313
#26 0x00007fffa6c000c7 in ?? ()
#27 0x00007fffffffbb60 in ?? ()
#28 0x00007ffff51e1d59 in js_trampoline_op_construct_varargs () from WebKitBuild/Debug/lib/libJavaScriptCore.so.1
#29 0x0000000000000000 in ?? ()
```
It looks like a hard crash to me that is not exploitable in any way, but I'm still filing this as a security issue as a precaution. Please downgrade to a non-security bug if appropriate. Thanks!
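Frames #4 to #7 of the backtrace show the mechanism behind the reporter's assessment: the index passed to `WTF::Vector::at()` is checked against `size()` first, and an out-of-range index is routed to the vector's `CrashOnOverflow` handler, which aborts before any memory is read. The following is an added illustration of that bounds-check-with-policy pattern; it is not WebKit or WTF code, and `CheckedVector`, `ThrowOnOverflow` and `tryRead` are hypothetical names chosen here. The sample data is constructed.

```cpp
// Added illustration (not WTF code): a minimal bounds-checked vector whose
// out-of-range index is handed to an overflow-handler policy, modelled on the
// WTF::Vector<int, 0, CrashOnOverflow, ...>::at frames in the backtrace above.
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <stdexcept>
#include <vector>

// Production policy: abort immediately. The signal 6 (SIGABRT) seen in the
// report is the visible result of this path; no out-of-bounds read happens.
struct CrashOnOverflow {
    [[noreturn]] static void overflowed() { std::abort(); }
};

// Test policy (hypothetical): surface the same fault as an exception so a
// harness can observe that the check fired without killing the process.
struct ThrowOnOverflow {
    [[noreturn]] static void overflowed() {
        throw std::out_of_range("CheckedVector index out of range");
    }
};

template <typename T, typename OverflowHandler = CrashOnOverflow>
class CheckedVector {
public:
    void append(const T& value) { m_storage.push_back(value); }
    size_t size() const { return m_storage.size(); }

    // Every indexed access is checked; a bad index never reaches the read.
    T& at(size_t i) {
        if (i >= m_storage.size())
            OverflowHandler::overflowed();
        return m_storage[i];
    }
    T& operator[](size_t i) { return at(i); }

private:
    std::vector<T> m_storage;
};

// Constructed sample: a two-element sorted int list, like the Vector<int>
// being walked in frame #8. Returns true and stores the element if index i
// is in range; returns false if the bounds check fired.
bool tryRead(size_t i, int& value) {
    CheckedVector<int, ThrowOnOverflow> sorted;
    sorted.append(10);
    sorted.append(20);
    try {
        value = sorted[i];
        return true;
    } catch (const std::out_of_range&) {
        return false;
    }
}

int main() {
    int value = 0;
    for (size_t i = 0; i < 3; ++i) {
        if (tryRead(i, value))
            std::printf("index %zu -> %d\n", i, value);
        else
            std::printf("index %zu -> bounds check fired (would abort under CrashOnOverflow)\n", i);
    }
    return 0;
}
```

The point for triage is that the check runs strictly before the element is dereferenced, so a wrong index in code like `unicodeOpSorted()` produces a deterministic abort rather than a silent out-of-bounds read; the fix for such a report lives in the caller's indexing logic, while the vector's policy is what keeps the bug a denial of service.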
Radar WebKit Bug Importer
<rdar://problem/107314153>
Michael Saboff
Pull request: https://github.com/WebKit/WebKit/pull/12079
EWS
Committed 262290@main (d85eafff7c3d): <https://commits.webkit.org/262290@main>
Reviewed commits have been landed. Closing PR #12079 and removing active labels.