Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Null dereference in deps/v8/src/objects/js-segments.cc:33:46 #45283

Closed
kobrineli opened this issue Nov 2, 2022 · 3 comments
Closed

Null dereference in deps/v8/src/objects/js-segments.cc:33:46 #45283

kobrineli opened this issue Nov 2, 2022 · 3 comments

Comments

@kobrineli
Copy link

kobrineli commented Nov 2, 2022

Hi! We've been fuzzing nodejs using sydr-fuzz and targets for https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/nodejs made by @stasos24.

Work environment

OS: Ubuntu 20.04
nodejs version: v16.x 7051ba4

Bug description

Null dereference in deps/v8/src/objects/js-segments.cc:33:46.

Steps to reproduce

  1. Build docker container from https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/nodejs:

     sudo docker build -t oss-sydr-fuzz-nodejs .
    
  2. Run docker container:

     sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-nodejs /bin/bash
    
  3. Execute sanitizers built target with input that leads to crash (crash-60e742070198c42e30e6b26ec3d967fbfd088ead.txt
    ):

     /v8_compile_afl < crash-60e742070198c42e30e6b26ec3d967fbfd088ead.txt
    
  4. You will see the following ouput:

     AddressSanitizer:DEADLYSIGNAL
     =================================================================
     ==30==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000002df857f bp 0x7ffd3b43b3d0 sp 0x7ffd3b43b280 T0)
     ==30==The signal is caused by a READ memory access.
     ==30==Hint: address points to the zero page.
         #0 0x2df857f in v8::internal::JSSegments::Create(v8::internal::Isolate*, v8::internal::Handle<v8::internal::JSSegmenter>, v8::internal::Handle<v8::internal::String>) /node_afl/out/../deps/v8/src/objects/js-segments.cc:33:46
         #1 0x2d64a2a in v8::internal::Builtin_Impl_SegmenterPrototypeSegment(v8::internal::BuiltinArguments, v8::internal::Isolate*) /node_afl/out/../deps/v8/src/builtins/builtins-intl.cc:1058:3
        #2 0x2d64a2a in v8::internal::Builtin_SegmenterPrototypeSegment(int, unsigned long*, v8::internal::Isolate*) /node_afl/out/../deps/v8/src/builtins/builtins-intl.cc:1048:1
        #3 0x1c04898 in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit out/Release/obj.target/v8_snapshot/geni/embedded.o
    
     AddressSanitizer can not provide additional info.
     SUMMARY: AddressSanitizer: SEGV /node_afl/out/../deps/v8/src/objects/js-segments.cc:33:46 in v8::internal::JSSegments::Create(v8::internal::Isolate*, v8::internal::Handle<v8::internal::JSSegmenter>, v8::internal::Handle<v8::internal::String>)
     ==30==ABORTING
    
@targos
Copy link
Member

targos commented Nov 2, 2022

Is this reproducible in Node.js 19/main branch ?

@kobrineli
Copy link
Author

@targos
Just checked on the main branch. It is reproducible.

@kobrineli
Copy link
Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants