LibJS: Proxy Object Overflow #23993

Open
sSt3lla opened this issue Apr 17, 2024 · 0 comments
Labels
bug Something isn't working has-repro We have a way to reproduce this bug.

sSt3lla commented Apr 17, 2024

Found with Fuzzilli
Initial crash
program_20240409121357_B4CA4B4F-CC19-4625-89C0-E913E00C270F_flaky.js.txt
Minified:

function F() {
	// `this` was created for C, so this.constructor is C
	const constructor = this.constructor;
	// F on the first call; on every later call, the Proxy installed by the previous level
	const originalPrototype = Object.getPrototypeOf(constructor);
	// wrap the current prototype in one more (trap-less) Proxy ...
	const newPrototype = new Proxy(originalPrototype, {});
	// ... and make it C's [[Prototype]], so super() now resolves through it
	Object.setPrototypeOf(constructor, newPrototype);
	// re-enter C: super() constructs through every Proxy layer and lands in F again
	try { new constructor(); } catch (e) {}
}

class C extends F {}

const proxyC = new Proxy(C, {});
new proxyC();

ASan output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==67765==ERROR: AddressSanitizer: stack-overflow on address 0x7fff1635af98 (pc 0x0000004cc3db bp 0x7fff1635b7d0 sp 0x7fff1635afa0 T0)
    #0 0x4cc3db in __asan_memset (/home/serenity/Build/lagom/bin/js+0x4cc3db) (BuildId: 498c30ee301d0e17992f957d4298c6ec2fca6aa3)
    #1 0x7f075c370ea2 in AK::Optional<JS::PropertyMetadata>::Optional() /home/serenity/Meta/Lagom/../../AK/Optional.h:323:10
    #2 0x7f075c370ea2 in JS::Shape::lookup(JS::StringOrSymbol const&) const /home/serenity/Userland/Libraries/LibJS/Runtime/Shape.cpp
    #3 0x7f075c1da4f2 in JS::Object::storage_get(JS::PropertyKey const&) const /home/serenity/Userland/Libraries/LibJS/Runtime/Object.cpp:1139:33
    #4 0x7f075c1d9b12 in JS::Object::internal_get_own_property(JS::PropertyKey const&) const /home/serenity/Userland/Libraries/LibJS/Runtime/Object.cpp:793:32
    #5 0x7f075c1de111 in JS::Object::internal_get(JS::PropertyKey const&, JS::Value, JS::CacheablePropertyMetadata*) const /home/serenity/Userland/Libraries/LibJS/Runtime/Object.cpp:884:23
    #6 0x7f075c1ded46 in JS::Object::internal_get(JS::PropertyKey const&, JS::Value, JS::CacheablePropertyMetadata*) const /home/serenity/Userland/Libraries/LibJS/Runtime/Object.cpp:896:24
    #7 0x7f075c8bf6de in JS::Value::get(JS::VM&, JS::PropertyKey const&) const /home/serenity/Userland/Libraries/LibJS/Runtime/Value.cpp:1215:12
    #8 0x7f075c8af2d6 in JS::Value::get_method(JS::VM&, JS::PropertyKey const&) const /home/serenity/Userland/Libraries/LibJS/Runtime/Value.cpp:1225:21
    #9 0x7f075c2b2ecf in JS::ProxyObject::internal_construct(AK::Span<JS::Value const>, JS::FunctionObject&) /home/serenity/Userland/Libraries/LibJS/Runtime/ProxyObject.cpp:840:17
    #10 0x7f075bc622f5 in JS::construct_impl(JS::VM&, JS::FunctionObject&, AK::Span<JS::Value const>, JS::FunctionObject*) /home/serenity/Userland/Libraries/LibJS/Runtime/AbstractOperations.cpp:85:21
    #11 0x7f075c2b339d in JS::construct(JS::VM&, JS::FunctionObject&, AK::Span<JS::Value const>, JS::FunctionObject*) /home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Runtime/AbstractOperations.h:137:12
    #12 0x7f075c2b339d in JS::ProxyObject::internal_construct(AK::Span<JS::Value const>, JS::FunctionObject&) /home/serenity/Userland/Libraries/LibJS/Runtime/ProxyObject.cpp:845:16
    #13 0x7f075bc622f5 in JS::construct_impl(JS::VM&, JS::FunctionObject&, AK::Span<JS::Value const>, JS::FunctionObject*) /home/serenity/Userland/Libraries/LibJS/Runtime/AbstractOperations.cpp:85:21
    #14 0x7f075c2b339d in JS::construct(JS::VM&, JS::FunctionObject&, AK::Span<JS::Value const>, JS::FunctionObject*) /home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Runtime/AbstractOperations.h:137:12
    #15 0x7f075c2b339d in JS::ProxyObject::internal_construct(AK::Span<JS::Value const>, JS::FunctionObject&) /home/serenity/Userland/Libraries/LibJS/Runtime/ProxyObject.cpp:845:16
    #16 0x7f075bc622f5 in JS::construct_impl(JS::VM&, JS::FunctionObject&, AK::Span<JS::Value const>, JS::FunctionObject*) /home/serenity/Userland/Libraries/LibJS/Runtime/AbstractOperations.cpp:85:21
    #17 0x7f075c2b339d in JS::construct(JS::VM&, JS::FunctionObject&, AK::Span<JS::Value const>, JS::FunctionObject*) /home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Runtime/AbstractOperations.h:137:12
    #18 0x7f075c2b339d in JS::ProxyObject::internal_construct(AK::Span<JS::Value const>, JS::FunctionObject&) /home/serenity/Userland/Libraries/LibJS/Runtime/ProxyObject.cpp:845:16
    #19 0x7f075bc622f5 in JS::construct_impl(JS::VM&, JS::FunctionObject&, AK::Span<JS::Value const>, JS::FunctionObject*) /home/serenity/Userland/Libraries/LibJS/Runtime/AbstractOperations.cpp:85:21
    #20 0x7f075c2b339d in JS::construct(JS::VM&, JS::FunctionObject&, AK::Span<JS::Value const>, JS::FunctionObject*) /home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Runtime/AbstractOperations.h
    --- repeats

asan.txt

@Lubrsi Lubrsi added bug Something isn't working has-repro We have a way to reproduce this bug. labels Apr 17, 2024
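The repro above, instrumented with depth counters and run under Node/V8 as an added example (this is not code from the issue or from SerenityOS; `runRepro`, its `limit` parameter and the counter names are assumptions). It shows why the trace is a tower of `ProxyObject::internal_construct` / `construct_impl` frames: every level adds one Proxy layer to C's [[Prototype]], so `super()` at level N passes through N nested Proxy [[Construct]] steps before reaching F again. A conformant engine reports the exhausted stack as a catchable RangeError, which is the behaviour the bounded and unbounded runs contrast.

```javascript
// Added example, not the issue's code: the reporter's pattern with counters.
// limit: stop re-entering after this many levels; Infinity (the default) lets
// the engine decide, which is exactly what the original repro does.
"use strict";

function runRepro(limit = Infinity) {
  let depth = 0;        // live nested `new C()` calls
  let maxDepth = 0;
  let proxyLayers = 0;  // Proxy wrappers currently sitting between C and F

  function F() {
    if (depth >= limit) return;          // cap used only by the bounded run
    depth++;
    if (depth > maxDepth) maxDepth = depth;
    try {
      const ctor = this.constructor;                 // C
      const proto = Object.getPrototypeOf(ctor);     // F, or the newest Proxy around it
      Object.setPrototypeOf(ctor, new Proxy(proto, {}));
      proxyLayers++;
      new ctor();  // super() now walks proxyLayers Proxies, then re-enters F
    } finally {
      depth--;
    }
  }
  class C extends F {}

  let error = null;
  try {
    new (new Proxy(C, {}))();   // same entry point as the repro
  } catch (e) {
    error = e;  // no catch inside F here, so the engine's RangeError reaches us
  }
  return { maxDepth, proxyLayers, error };
}
```

With no limit the run ends in a RangeError on V8 instead of a native stack overflow; the proxy-layer count equals the deepest level reached (or one less, if the stack check fires before that level installs its Proxy).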