Bug 212460

Summary: fillBufferWithContentsOfFile<WTF::Vector<char> > (buffer=..., file=0x5555556341f0) in jsc.cpp
Product: WebKit
Reporter: v.owl337
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Normal
CC: ap
Priority: P2
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Attachments:
  poc.js (flags: none)

Description v.owl337 2020-05-28 05:01:15 PDT
Created attachment 400443 [details]
poc.js

Description of problem:

The vulnerability was triggered in function fillBufferWithContentsOfFile() at ../../Source/JavaScriptCore/jsc.cpp:948


How reproducible:

./jsc poc.js

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff2465801 in __GI_abort () at abort.c:79
#2  0x00005555555d5f61 in WTF::VectorBufferBase<char, WTF::FastMalloc>::allocateBuffer (newCapacity=<optimized out>, this=0x7fffffb1dc70)
    at DerivedSources/ForwardingHeaders/wtf/Vector.h:289
#3  WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::reserveCapacity (newCapacity=<optimized out>, this=0x7fffffb1dc70)
    at DerivedSources/ForwardingHeaders/wtf/Vector.h:1190
#4  WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::expandCapacity (this=0x7fffffb1dc70, 
    newMinCapacity=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1048
#5  0x000055555557f8eb in WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::resize (size=9223372036854775807, 
    this=0x7fffffb1dc70) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1099
#6  fillBufferWithContentsOfFile<WTF::Vector<char> > (buffer=..., file=0x5555556341f0) at ../../Source/JavaScriptCore/jsc.cpp:948
#7  fillBufferWithContentsOfFile (fileName=..., buffer=...) at ../../Source/JavaScriptCore/jsc.cpp:961
#8  0x00005555555fc785 in fetchScriptFromLocalFileSystem (buffer=..., fileName=...) at ../../Source/JavaScriptCore/jsc.cpp:969
#9  functionRun (globalObject=0x7fffaedfab68, callFrame=0x7fffffb1dd00) at ../../Source/JavaScriptCore/jsc.cpp:1473



The vulnerability was triggered in function fillBufferWithContentsOfFile() at ../../Source/JavaScriptCore/jsc.cpp:948

 937 static bool fillBufferWithContentsOfFile(FILE* file, Vector& buffer)
 938 {
 939     // We might have injected "use strict"; at the top.
 940     size_t initialSize = buffer.size();
 941     if (fseek(file, 0, SEEK_END) == -1)
 942         return false;
 943     long bufferCapacity = ftell(file);
 944     if (bufferCapacity == -1)
 945         return false;
 946     if (fseek(file, 0, SEEK_SET) == -1)
 947         return false;
 948     buffer.resize(bufferCapacity + initialSize);
 949     size_t readSize = fread(buffer.data() + initialSize, 1, buffer.size(), file);
 950     return readSize == buffer.size() - initialSize;
 951 }



Additional info:

This vulnerability was detected by chong from OWL337.
Comment 1 Alexey Proskuryakov 2020-06-01 18:06:51 PDT
> #5  0x000055555557f8eb in WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul,
> WTF::FastMalloc>::resize (size=9223372036854775807, 
>     this=0x7fffffb1dc70) at
> DerivedSources/ForwardingHeaders/wtf/Vector.h:1099

This is 0x7FFFFFFFFFFFFFFF. A quick web search suggests that ftell returns this value on Linux for directories. Perhaps there are other cases when this happens.

The problem is not with this function, but somewhere else. Resolving for now since this is unreproducible and not actionable. Please feel free to re-open if you find out what went wrong and made ftell fail.
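A hardened variant of the reader quoted in the description, added here as an example and not WebKit's code: it rejects anything that is not a regular file before calling ftell(), cross-checks the reported offset against fstat(), and caps it at an assumed 256 MiB, so a directory stream (the case Comment 1 points at) is refused instead of reaching resize() with LONG_MAX. The function names, the /tmp sample path, the cap and the constructed script are all assumptions.

```cpp
#include <cstdio>
#include <string>
#include <vector>
#include <sys/stat.h>

static bool fillBufferWithContentsOfFileSafe(FILE* file, std::vector<char>& buffer)
{
    // Refuse anything that is not a regular file: on Linux ftell() on a directory
    // stream can report LONG_MAX (the 0x7FFFFFFFFFFFFFFF in the backtrace) rather than -1.
    struct stat st;
    if (fstat(fileno(file), &st) != 0 || !S_ISREG(st.st_mode)) return false;
    size_t initialSize = buffer.size();  // keep any injected "use strict"; prefix
    if (fseek(file, 0, SEEK_END) == -1) return false;
    long fileSize = ftell(file);
    if (fileSize < 0 || fseek(file, 0, SEEK_SET) == -1) return false;
    // Cross-check the offset against the inode size and cap it (assumed 256 MiB here)
    // so a bogus value can never become an enormous allocation.
    const size_t kMaxScriptSize = 256u * 1024u * 1024u;
    size_t size = static_cast<size_t>(fileSize);
    if (fileSize != st.st_size || size > kMaxScriptSize || initialSize > kMaxScriptSize - size) return false;
    buffer.resize(initialSize + size);
    return fread(buffer.data() + initialSize, 1, size, file) == size;
}

static bool readScript(const char* path, std::vector<char>& buffer)
{
    FILE* f = fopen(path, "rb");
    if (!f) return false;
    bool ok = fillBufferWithContentsOfFileSafe(f, buffer);
    fclose(f);
    return ok;
}

// Constructed demo: read a 14-byte script behind a 14-byte "use strict" prefix, then
// confirm a directory (Comment 1's case) is rejected. Returns buffer size (28), or -1.
static long demo()
{
    const char* path = "/tmp/jsc_hardened_example.js";  // hypothetical sample path
    FILE* f = fopen(path, "wb");
    if (!f) return -1;
    fputs("print(1 + 1);\n", f);
    fclose(f);
    std::string prefix = "\"use strict\";\n";
    std::vector<char> buffer(prefix.begin(), prefix.end());
    if (!readScript(path, buffer)) return -1;
    if (std::string(buffer.begin(), buffer.end()) != prefix + "print(1 + 1);\n") return -1;
    std::vector<char> untouched;
    if (readScript(".", untouched) || !untouched.empty()) return -1;
    return static_cast<long>(buffer.size());
}
```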