Bug 212460 - fillBufferWithContentsOfFile<WTF::Vector<char> > (buffer=..., file=0x5555556341f0) in jsc.cpp
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-28 05:01 PDT by v.owl337
Modified: 2020-06-01 18:06 PDT

See Also:


Attachments
poc.js (179 bytes, text/javascript)
2020-05-28 05:01 PDT, v.owl337

Description v.owl337 2020-05-28 05:01:15 PDT
Created attachment 400443
poc.js

Description of problem:

The vulnerability was triggered in function fillBufferWithContentsOfFile() at ../../Source/JavaScriptCore/jsc.cpp:948


How reproducible:

./jsc poc.js

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff2465801 in __GI_abort () at abort.c:79
#2  0x00005555555d5f61 in WTF::VectorBufferBase<char, WTF::FastMalloc>::allocateBuffer (newCapacity=<optimized out>, this=0x7fffffb1dc70)
    at DerivedSources/ForwardingHeaders/wtf/Vector.h:289
#3  WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::reserveCapacity (newCapacity=<optimized out>, this=0x7fffffb1dc70)
    at DerivedSources/ForwardingHeaders/wtf/Vector.h:1190
#4  WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::expandCapacity (this=0x7fffffb1dc70, 
    newMinCapacity=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1048
#5  0x000055555557f8eb in WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::resize (size=9223372036854775807, 
    this=0x7fffffb1dc70) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1099
#6  fillBufferWithContentsOfFile<WTF::Vector<char> > (buffer=..., file=0x5555556341f0) at ../../Source/JavaScriptCore/jsc.cpp:948
#7  fillBufferWithContentsOfFile (fileName=..., buffer=...) at ../../Source/JavaScriptCore/jsc.cpp:961
#8  0x00005555555fc785 in fetchScriptFromLocalFileSystem (buffer=..., fileName=...) at ../../Source/JavaScriptCore/jsc.cpp:969
#9  functionRun (globalObject=0x7fffaedfab68, callFrame=0x7fffffb1dd00) at ../../Source/JavaScriptCore/jsc.cpp:1473


 937 static bool fillBufferWithContentsOfFile(FILE* file, Vector& buffer)
 938 {
 939     // We might have injected "use strict"; at the top.
 940     size_t initialSize = buffer.size();
 941     if (fseek(file, 0, SEEK_END) == -1)
 942         return false;
 943     long bufferCapacity = ftell(file);
 944     if (bufferCapacity == -1)
 945         return false;
 946     if (fseek(file, 0, SEEK_SET) == -1)
 947         return false;
 948     buffer.resize(bufferCapacity + initialSize);
 949     size_t readSize = fread(buffer.data() + initialSize, 1, buffer.size(), file);
 950     return readSize == buffer.size() - initialSize;
 951 }



Additional info:

This vulnerability was detected by chong from OWL337.
Comment 1 Alexey Proskuryakov 2020-06-01 18:06:51 PDT
> #5  0x000055555557f8eb in WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul,
> WTF::FastMalloc>::resize (size=9223372036854775807, 
>     this=0x7fffffb1dc70) at
> DerivedSources/ForwardingHeaders/wtf/Vector.h:1099

This is 0x7FFFFFFFFFFFFFFF. A quick web search suggests that ftell returns this value on Linux for directories. Perhaps there are other cases when this happens.

The problem is not with this function, but somewhere else. Resolving for now since this is unreproducible and not actionable. Please feel free to re-open if you find out what went wrong and made ftell fail.
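The root cause Comment 1 points at (ftell() returning 0x7FFFFFFFFFFFFFFF for something that is not a regular file, which the jsc.cpp excerpt then hands straight to resize()) is best closed by not using the stream position as a size at all. The following is an added example, not WebKit code and not a proposed patch: a POSIX reader that fstat()s the descriptor, refuses anything that is not a regular file, and bounds the allocation with a caller-supplied cap before any memory is requested. All function names, the status enum and the self-test payload are this example's own; the temp file path under /tmp is an assumption about the host.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example (not WebKit code). Replaces the fseek/ftell size probe of
 * fillBufferWithContentsOfFile() with fstat(): a directory opened with fopen()
 * on Linux ext4 reports a SEEK_END position of 0x7FFFFFFFFFFFFFFF, the value
 * the backtrace shows reaching Vector::resize(). S_ISREG() rejects that case
 * before any size is trusted. */
enum read_status {
    READ_OK = 0,
    READ_ERR_OPEN,        /* open() or fstat() failed */
    READ_ERR_NOT_REGULAR, /* directory, device, socket, ... */
    READ_ERR_TOO_LARGE,   /* st_size above the caller's cap */
    READ_ERR_OOM,
    READ_ERR_IO           /* read() failed, or the file shrank after fstat() */
};

static enum read_status read_regular_file(const char *path, size_t max_bytes,
                                          char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return READ_ERR_OPEN;
    struct stat st;
    if (fstat(fd, &st) != 0) { close(fd); return READ_ERR_OPEN; }
    /* The check the ftell() version lacks: only regular files have a size worth trusting. */
    if (!S_ISREG(st.st_mode)) { close(fd); return READ_ERR_NOT_REGULAR; }
    /* Bound the allocation before it happens; off_t is signed, so reject negatives too. */
    if (st.st_size < 0 || (uintmax_t)st.st_size > max_bytes) { close(fd); return READ_ERR_TOO_LARGE; }

    size_t want = (size_t)st.st_size;
    char *buf = malloc(want + 1); /* want <= max_bytes, so +1 cannot wrap */
    if (!buf) { close(fd); return READ_ERR_OOM; }
    /* Read exactly st_size bytes. A short read is an error, mirroring the original's
     * "readSize == expected" contract; bytes appended after fstat() are not read,
     * so the buffer never grows past the cap. */
    size_t got = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break;
        got += (size_t)n;
    }
    close(fd);
    if (got != want) { free(buf); return READ_ERR_IO; }
    buf[got] = '\0';
    *out = buf;
    *out_len = got;
    return READ_OK;
}

/* Probe a path the way jsc's run() would, discarding the contents. */
static enum read_status classify_path(const char *path)
{
    char *data = NULL;
    size_t len = 0;
    enum read_status rc = read_regular_file(path, SIZE_MAX, &data, &len);
    free(data);
    return rc;
}

/* Self-check on a constructed temp file (payload is made up for the example).
 * Returns 0 on success, otherwise the number of the step that failed. */
static int self_test_roundtrip(void)
{
    static const char payload[] = "print(\"hello\");\n";
    const size_t payload_len = sizeof payload - 1;
    char path[] = "/tmp/jsc-read-XXXXXX"; /* assumes a writable /tmp */
    int fd = mkstemp(path);
    if (fd < 0)
        return 1;
    if (write(fd, payload, payload_len) != (ssize_t)payload_len) { close(fd); unlink(path); return 2; }
    close(fd);
    char *data = NULL;
    size_t len = 0;
    int step = 0;
    if (read_regular_file(path, payload_len - 1, &data, &len) != READ_ERR_TOO_LARGE)
        step = 3; /* cap one byte short: must be refused before allocating */
    else if (read_regular_file(path, payload_len, &data, &len) != READ_OK)
        step = 4; /* exact cap: must succeed */
    else if (len != payload_len || memcmp(data, payload, payload_len) != 0)
        step = 5; /* and round-trip the bytes */
    free(data);
    unlink(path);
    return step;
}
```

Calling classify_path(".") returns READ_ERR_NOT_REGULAR on any POSIX system regardless of what the filesystem reports for SEEK_END, which is the property the original's fseek/ftell/resize sequence could not guarantee; the cap argument is what keeps a legitimately huge regular file from turning into an allocation failure inside the Vector.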