Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Segmentation Fault in njs_scope_valid_value #833

Open
2 tasks done
famasoon opened this issue Dec 25, 2024 · 0 comments
Open
2 tasks done

[Bug] Segmentation Fault in njs_scope_valid_value #833

famasoon opened this issue Dec 25, 2024 · 0 comments
Labels
bug

Comments

@famasoon
Copy link

Describe the bug

  • The bug is reproducible with the latest version of njs.
  • I minimized the code and NGINX configuration to the smallest
    possible to reproduce the issue.

To reproduce

./njs ./poc3.js
  • JS script
async function f0(a1) {
  let v2;
  try { v2 = a1.m(f0); } catch (e) {}
  await v2;
  const v4 = [f0,f0,f0];
  function f5() {
      return v4;
  }
  function f10() {
      return f5 < v4;
  }
  f5(v2, v2, f5, v4);
  return v4;
}
f0();

GDB log

$ gdb -nx -q -batch -ex "run ./poc3.js" -ex "bt" ./njs 2>&1       
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
njs_scope_valid_value (index=16, vm=0x5555556404c0) at src/njs_scope.h:94
warning: Source file is more recent than executable.
94          if (!njs_is_valid(value)) {
#0  njs_scope_valid_value (index=16, vm=0x5555556404c0) at src/njs_scope.h:94
#1  njs_vmcode_interpreter (vm=vm@entry=0x5555556404c0, pc=0x55555565f280 "\tZZZZZZZ\020", rval=rval@entry=0x555555660db8, promise_cap=promise_cap@entry=0x0, async_ctx=async_ctx@entry=0x0) at src/njs_vmcode.c:1354
#2  0x00005555555b1151 in njs_function_lambda_call (vm=vm@entry=0x5555556404c0, retval=0x555555660db8, promise_cap=promise_cap@entry=0x0) at src/njs_function.c:610
#3  0x00005555555b11a8 in njs_function_frame_invoke (vm=vm@entry=0x5555556404c0, retval=<optimized out>) at src/njs_function.c:686
#4  0x0000555555579e2e in njs_vmcode_interpreter (vm=vm@entry=0x5555556404c0, pc=0x555555661cb8 "\r", rval=rval@entry=0x7fffffffd610, promise_cap=0x55555565c5c0, async_ctx=async_ctx@entry=0x555555645c60) at src/njs_vmcode.c:1451
#5  0x00005555555c3092 in njs_await_fulfilled (vm=0x5555556404c0, args=<optimized out>, nargs=<optimized out>, exception=<optimized out>, retval=0x7fffffffd6c0) at src/njs_async.c:91
#6  0x00005555555b11cd in njs_function_native_call (retval=0x55555564fbf0, vm=0x5555556404c0) at src/njs_function.c:647
#7  njs_function_frame_invoke (vm=vm@entry=0x5555556404c0, retval=retval@entry=0x7fffffffd6c0) at src/njs_function.c:683
#8  0x00005555555b1225 in njs_function_call2 (vm=vm@entry=0x5555556404c0, function=<optimized out>, this=<optimized out>, args=<optimized out>, nargs=nargs@entry=1, retval=retval@entry=0x7fffffffd6c0, ctor=0) at src/njs_function.c:515
#9  0x00005555555bf52a in njs_function_call (retval=0x7fffffffd6c0, nargs=1, args=<optimized out>, this=<optimized out>, function=<optimized out>, vm=0x5555556404c0) at src/njs_function.h:164
#10 njs_promise_reaction_job (vm=0x5555556404c0, args=<optimized out>, nargs=<optimized out>, unused=<optimized out>, retval=0x7fffffffd740) at src/njs_promise.c:1089
#11 0x00005555555b11cd in njs_function_native_call (retval=0x55555564fb70, vm=0x5555556404c0) at src/njs_function.c:647
#12 njs_function_frame_invoke (vm=vm@entry=0x5555556404c0, retval=retval@entry=0x7fffffffd740) at src/njs_function.c:683
#13 0x0000555555570fab in njs_vm_invoke (vm=0x5555556404c0, function=<optimized out>, args=<optimized out>, nargs=<optimized out>, retval=retval@entry=0x7fffffffd740) at src/njs_vm.c:630
#14 0x0000555555570fec in njs_vm_call (vm=<optimized out>, function=<optimized out>, args=<optimized out>, nargs=<optimized out>) at src/njs_vm.c:614
#15 0x00005555555711a3 in njs_vm_execute_pending_job (vm=<optimized out>) at src/njs_vm.c:721
#16 0x000055555556a72a in njs_engine_njs_execute_pending_job (engine=<optimized out>) at external/njs_shell.c:1398
#17 0x000055555556932f in njs_process_script (engine=engine@entry=0x55555563e380, console=console@entry=0x55555562ba00 <njs_console>, script=script@entry=0x7fffffffd7d0) at external/njs_shell.c:3358
#18 0x000055555556bd5b in njs_process_file (opts=0x7fffffffd7e0) at external/njs_shell.c:3318
#19 njs_main (opts=0x7fffffffd7e0) at external/njs_shell.c:458
#20 main (argc=<optimized out>, argv=<optimized out>) at external/njs_shell.c:488

Expected behavior

Not segmentation fault

Your environment

  • Version of njs or specific commit: commit 1f8f9992d03e2865f354da3415f8a49931cf2fe8 (HEAD -> master, origin/master, origin/HEAD)
  • OS: Linux user-desktop 6.8.0-49-generic #49~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 6 17:42:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Additional context

This is memory bug, so it is not vuln
@famasoon famasoon added the bug label Dec 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@famasoon