Bug 251435 - [JSC] UAF Yarr::YarrPatternConstructor::atomParenthesesEnd; Yarr::Parser::parseTokens; JSC::Yarr::parse
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-01-31 07:06 PST by Michael Saboff
Modified: 2023-01-31 18:53 PST

See Also:


Description Michael Saboff 2023-01-31 07:06:09 PST
The following RegExp crashes on an ASAN build:

/(?<=a*\1aaaaaaaaaaaaaa>)/

Here are the top 10 frames of the crash:

==986==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000001940 at pc 0x0001174a9d0b bp 0x7ff7b559e5b0 sp 0x7ff7b559e5a8
READ of size 4 at 0x617000001940 thread T0
    #0 0x1174a9d0a in JSC::Yarr::YarrPatternConstructor::atomParenthesesEnd()+0xd5a (JavaScriptCore:x86_64+0x51fdd0a) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #1 0x11749c306 in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parseTokens()+0x736 (JavaScriptCore:x86_64+0x51f0306) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #2 0x11749b4f4 in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parse()+0x44 (JavaScriptCore:x86_64+0x51ef4f4) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #3 0x1172ccc19 in JSC::Yarr::ErrorCode JSC::Yarr::parse<JSC::Yarr::YarrPatternConstructor>(JSC::Yarr::YarrPatternConstructor&, WTF::StringView, bool, unsigned int, bool)+0x2f9 (JavaScriptCore:x86_64+0x5020c19) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #4 0x1172cc3e6 in JSC::Yarr::YarrPattern::compile(WTF::StringView)+0x136 (JavaScriptCore:x86_64+0x50203e6) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #5 0x1172cec5e in JSC::Yarr::YarrPattern::YarrPattern(WTF::StringView, WTF::OptionSet<JSC::Yarr::Flags>, JSC::Yarr::ErrorCode&)+0x10e (JavaScriptCore:x86_64+0x5022c5e) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #6 0x1167b6362 in JSC::RegExp::finishCreation(JSC::VM&)+0x162 (JavaScriptCore:x86_64+0x450a362) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #7 0x1167b6e1f in JSC::RegExp::createWithoutCaching(JSC::VM&, WTF::String const&, WTF::OptionSet<JSC::Yarr::Flags>)+0x30f (JavaScriptCore:x86_64+0x450ae1f) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #8 0x1167b727a in JSC::RegExpCache::lookupOrCreate(WTF::String const&, WTF::OptionSet<JSC::Yarr::Flags>)+0x1fa (JavaScriptCore:x86_64+0x450b27a) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #9 0x1140a84de in JSC::RegExpNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)+0x21e (JavaScriptCore:x86_64+0x1dfc4de) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
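The report gives only the crashing pattern and the ASan trace. The harness below is an added example, not code from the bug, the pull request or JavaScriptCore itself: it compiles the reported source under both regexp modes and classifies the parser's answer, which is the check a practitioner would run against a patched build. The expected outcomes follow the ECMAScript grammar (Annex B legacy semantics without the `u` flag, strict decimal-escape rules with it) and are what V8 returns; a JavaScriptCore build with the fix should agree. The sample subjects are constructed for this example. The one thing the harness cannot observe is the defect itself: a use-after-free in the parser aborts the process under ASan or corrupts memory silently, so it never reaches either branch of the `try`.

```javascript
// Added example (not part of WebKit bug 251435 or its fix).
// Compiles the reported pattern and classifies the parse result.

// The pattern from the report, kept as a string so the escape survives verbatim.
const REPORTED_SOURCE = "(?<=a*\\1aaaaaaaaaaaaaa>)";

// Compile a pattern and classify the outcome. A memory-safety bug in the
// parser crashes the process instead of producing either result, so a
// reproducer for this class of bug is "does the process survive", not
// "which branch did we hit".
function compileOutcome(source, flags = "") {
  try {
    const re = new RegExp(source, flags);
    return { status: "compiled", re };
  } catch (e) {
    if (e instanceof SyntaxError) {
      return { status: "syntax-error", message: e.message };
    }
    throw e; // anything other than a SyntaxError is unexpected here
  }
}

// Without the `u` flag, Annex B legacy semantics apply: there is no capturing
// group, so `\1` is the legacy octal escape for U+0001 rather than a
// back-reference, and the pattern compiles. The lookbehind then asserts that
// the text before the current position ends with a*, U+0001, fourteen 'a's
// and '>'. Returns the match index, -1 for no match, or null if the source
// did not compile.
function matchIndexLegacy(subject) {
  const { status, re } = compileOutcome(REPORTED_SOURCE);
  if (status !== "compiled") return null;
  const m = re.exec(subject);
  return m ? m.index : -1;
}

// With the `u` flag, a decimal escape must name an existing capturing group,
// so the same source is rejected at parse time with a SyntaxError.
function unicodeModeStatus() {
  return compileOutcome(REPORTED_SOURCE, "u").status;
}

// Constructed sample subjects (not from the report).
const SAMPLES = [
  "\u0001" + "a".repeat(14) + ">",          // lookbehind satisfied at index 16
  "aaaa" + "\u0001" + "a".repeat(14) + ">", // a* absorbs the prefix, index 20
  "a".repeat(15) + ">",                     // no U+0001 before the run, no match
];

function runSamples() {
  return SAMPLES.map((s) => matchIndexLegacy(s));
}

// Stand-alone run under Node: print the classification for each mode and the
// sample results. Guarded so the file also loads where `require` is absent.
if (typeof require !== "undefined" && require.main === module) {
  console.log("legacy mode: ", compileOutcome(REPORTED_SOURCE).status);
  console.log("unicode mode:", unicodeModeStatus());
  console.log("match indexes:", runSamples());
}
```

Run it as `node harness.js` (the file name is arbitrary). On an engine that parses the pattern correctly the legacy-mode line reads `compiled`, the unicode-mode line reads `syntax-error`, and the sample indexes are `[ 16, 20, -1 ]`; on the unpatched ASan build from the report the process dies in `atomParenthesesEnd` before the first line is printed.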
Comment 1 Michael Saboff 2023-01-31 07:06:22 PST
<rdar://104652578>
Comment 2 Michael Saboff 2023-01-31 09:28:29 PST
Pull request: https://github.com/WebKit/WebKit/pull/9385
Comment 3 EWS 2023-01-31 18:53:10 PST
Committed 259657@main (561d0e5534c8): <https://commits.webkit.org/259657@main>

Reviewed commits have been landed. Closing PR #9385 and removing active labels.