SEGV at njs/src/njs_vmcode.c:1977:10 in njs_vmcode_function_copy #774

Open
gandalf4a opened this issue Aug 15, 2024 · 0 comments
@gandalf4a

version:

$ git show
commit 3ac496802862347c5cf8f0b6e3825163dc7bb1c9 (HEAD -> master, origin/master, origin/HEAD)
Author: Dmitry Volyntsev <[email protected]>
Date:   Thu Jul 25 17:28:37 2024 -0700

    Tests: adapting unsafe redirect test for QuickJS.
    
    At the moment QuickJS has no API for getting strings
    with NUL characters in the middle of the string.
    
    Instead of a NUL byte make another unsafe redirect URI.

system:

$ uname -a
Linux gandalf-ThinkPad-T14-Gen-3 6.5.0-44-generic #44~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Jun 18 14:36:16 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Reproduce

njs/build/njs_fuzzilli poc_file

pocfile.js

async function f0(a1, a2) {
    const v3 = await a1;
    function f4() {
        f4();
        return v3;
    }
    f4();
    function f7() {
        return f4();
    }
    return f0;
}
f0();
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// 
// STDOUT:
// 
// FUZZER ARGS: .build/x86_64-unknown-linux-gnu/release/FuzzilliCli --profile=njs --storagePath=Targets/njs/out /home/gandalf/fuzzilli/Targets/njs/njs/build/njs_fuzzilli --resume
// TARGET ARGS: /home/gandalf/fuzzilli/Targets/njs/njs/build/njs_fuzzilli fuzz
// CONTRIBUTORS: CodeGenMutator, ApiFunctionCallGenerator, FunctionCallGenerator, SpliceMutator, IntegerGenerator, TypedArrayGenerator
// EXECUTION TIME: 1ms

asan report

/home/gandalf/fuzzilli/Targets/njs/out/crashes/program_20240814032124_A5D38E35-F8D2-4E40-9995-1CD069FBF6BC_deterministic.js
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3726454==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x598505a6d4b8 bp 0x5985070a4098 sp 0x7ffeda6f7710 T3726454)
==3726454==The signal is caused by a READ memory access.
==3726454==Hint: address points to the zero page.
    #0 0x598505a6d4b8 in njs_vmcode_function_copy /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vmcode.c:1977:10
    #1 0x598505a6d4b8 in njs_vmcode_interpreter /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vmcode.c:1366:15
    #2 0x598505acd138 in njs_function_lambda_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:610:11
    #3 0x598505accbb3 in njs_function_frame_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:686:16
    #4 0x598505a6ddaa in njs_vmcode_interpreter /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vmcode.c:1451:15
    #5 0x598505ae8b54 in njs_await_fulfilled /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_async.c:91:11
    #6 0x598505accb40 in njs_function_native_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:647:11
    #7 0x598505accb40 in njs_function_frame_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:683:16
    #8 0x598505accac7 in njs_function_call2 /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:515:12
    #9 0x598505ae3e90 in njs_function_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.h:164:12
    #10 0x598505ae3e90 in njs_promise_reaction_job /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_promise.c:1098:15
    #11 0x598505accb40 in njs_function_native_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:647:11
    #12 0x598505accb40 in njs_function_frame_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_function.c:683:16
    #13 0x598505a5e74d in njs_vm_invoke /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vm.c:599:12
    #14 0x598505a5e74d in njs_vm_call /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vm.c:583:12
    #15 0x598505a5e74d in njs_vm_execute_pending_job /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vm.c:690:11
    #16 0x598505a548a7 in njs_engine_njs_execute_pending_job /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli_shell.c:1399:12
    #17 0x598505a53b4d in njs_process_script /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli_shell.c:3541:19
    #18 0x598505a538a4 in njs_process_file /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli_shell.c:3501:11
    #19 0x598505a52ecf in main /home/gandalf/fuzzilli/Targets/njs/njs/external/njs_fuzzilli.c:149:18
    #20 0x7837b2629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #21 0x7837b2629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #22 0x598505a29324 in _start (/home/gandalf/fuzzilli/Targets/njs/njs/build/njs_fuzzilli+0x18324) (BuildId: 3d2f757dce7d42751a15759500ec6c91c5f77630)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/gandalf/fuzzilli/Targets/njs/njs/src/njs_vmcode.c:1977:10 in njs_vmcode_function_copy
==3726454==ABORTING

Credit

Gandalf4a of PKU-Changsha Institute for Computing and Digital Economy
gandalf4a added the bug label Aug 15, 2024