=================================================================
==70==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff71f2edbf at pc 0x00000205b30b bp 0x7fff71f2e3f0 sp 0x7fff71f2e3e8
READ of size 1 at 0x7fff71f2edbf thread T0
#0 0x205b30a in getParentLocaleID(char*, char const*, UResOpenType) /node_afl/out/../deps/icu-small/source/common/uresbund.cpp:205:9
#1 0x205b30a in findFirstExisting(char const*, char*, char const*, UResOpenType, signed char*, signed char*, signed char*, UErrorCode*) /node_afl/out/../deps/icu-small/source/common/uresbund.cpp:696:28
#2 0x204e380 in entryOpen(char const*, char const*, UResOpenType, UErrorCode*) /node_afl/out/../deps/icu-small/source/common/uresbund.cpp:851:9
#3 0x204e380 in ures_openWithType(UResourceBundle*, char const*, char const*, UResOpenType, UErrorCode*) /node_afl/out/../deps/icu-small/source/common/uresbund.cpp:2665:17
#4 0x41e1889 in icu_72::Calendar::setWeekData(icu_72::Locale const&, char const*, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/calendar.cpp:3932:41
#5 0x4098b08 in icu_72::GregorianCalendar::GregorianCalendar(icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/gregocal.cpp:188:5
#6 0x41e01b4 in icu_72::createStandardCalendar(ECalType, icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/calendar.cpp:342:51
#7 0x41e01b4 in icu_72::Calendar::makeInstance(icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/calendar.cpp:911:13
#8 0x41df5ae in icu_72::LocaleCacheKey<icu_72::SharedCalendar>::createObject(void const*, UErrorCode&) const /node_afl/out/../deps/icu-small/source/i18n/calendar.cpp:216:26
#9 0x52421ab in icu_72::UnifiedCache::_get(icu_72::CacheKeyBase const&, icu_72::SharedObject const*&, void const*, UErrorCode&) const /node_afl/out/../deps/icu-small/source/common/unifiedcache.cpp:394:17
#10 0x41e37ce in void icu_72::UnifiedCache::get<icu_72::SharedCalendar>(icu_72::CacheKey<icu_72::SharedCalendar> const&, void const*, icu_72::SharedCalendar const*&, UErrorCode&) const /node_afl/out/../deps/icu-small/source/common/unifiedcache.h:234:8
#11 0x41e37ce in void icu_72::UnifiedCache::get<icu_72::SharedCalendar>(icu_72::CacheKey<icu_72::SharedCalendar> const&, icu_72::SharedCalendar const*&, UErrorCode&) const /node_afl/out/../deps/icu-small/source/common/unifiedcache.h:206:8
#12 0x41e37ce in void icu_72::UnifiedCache::getByLocale<icu_72::SharedCalendar>(icu_72::Locale const&, icu_72::SharedCalendar const*&, UErrorCode&) /node_afl/out/../deps/icu-small/source/common/unifiedcache.h:274:15
#13 0x41e37ce in icu_72::Calendar::createInstance(icu_72::TimeZone*, icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/calendar.cpp:999:5
#14 0x412ba62 in icu_72::SimpleDateFormat::initializeCalendar(icu_72::TimeZone*, icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/smpdtfmt.cpp:950:21
#15 0x412ba62 in icu_72::SimpleDateFormat::construct(icu_72::DateFormat::EStyle, icu_72::DateFormat::EStyle, icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/smpdtfmt.cpp:696:5
#16 0x4134b89 in icu_72::SimpleDateFormat::SimpleDateFormat(icu_72::DateFormat::EStyle, icu_72::DateFormat::EStyle, icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/smpdtfmt.cpp:508:5
#17 0x437c8bf in icu_72::DateFormat::create(icu_72::DateFormat::EStyle, icu_72::DateFormat::EStyle, icu_72::Locale const&) /node_afl/out/../deps/icu-small/source/i18n/datefmt.cpp:529:31
#18 0x40dbe9b in icu_72::DateTimePatternGenerator::addICUPatterns(icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/dtptngen.cpp:819:14
#19 0x40d4fe0 in icu_72::DateTimePatternGenerator::initData(icu_72::Locale const&, UErrorCode&, signed char) /node_afl/out/../deps/icu-small/source/i18n/dtptngen.cpp:516:9
#20 0x40d055a in icu_72::DateTimePatternGenerator::createInstance(icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/dtptngen.cpp:309:17
#21 0x35726c7 in v8::internal::(anonymous namespace)::DateTimePatternGeneratorCache::CreateGenerator(v8::internal::Isolate*, icu_72::Locale const&) /node_afl/out/../deps/v8/src/objects/js-date-time-format.cc:2177:16
#22 0x356c330 in v8::internal::JSDateTimeFormat::New(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, char const*) /node_afl/out/../deps/v8/src/objects/js-date-time-format.cc:2339:34
#23 0x323b0b5 in v8::internal::Object v8::internal::(anonymous namespace)::LegacyFormatConstructor<v8::internal::JSDateTimeFormat>(v8::internal::BuiltinArguments, v8::internal::Isolate*, v8::Isolate::UseCounterFeature, v8::internal::Handle<v8::internal::Object>, char const*) /node_afl/out/../deps/v8/src/builtins/builtins-intl.cc:243:3
#24 0x323b0b5 in v8::internal::Builtin_Impl_DateTimeFormatConstructor(v8::internal::BuiltinArguments, v8::internal::Isolate*) /node_afl/out/../deps/v8/src/builtins/builtins-intl.cc:514:10
#25 0x323b0b5 in v8::internal::Builtin_DateTimeFormatConstructor(int, unsigned long*, v8::internal::Isolate*) /node_afl/out/../deps/v8/src/builtins/builtins-intl.cc:511:1
#26 0x1e8f438 in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit out/Release/obj.target/v8_snapshot/geni/embedded.o
Address 0x7fff71f2edbf is located in stack of thread T0 at offset 383 in frame
#0 0x204de4f in ures_openWithType(UResourceBundle*, char const*, char const*, UResOpenType, UErrorCode*) /node_afl/out/../deps/icu-small/source/common/uresbund.cpp:2651
This frame has 9 object(s):
[32, 40) 't1.i141' (line 994)
[64, 221) 'name.i142' (line 998)
[288, 292) 'intStatus.i' (line 812)
[304, 312) 't1.i' (line 814)
[336, 337) 'isDefault.i' (line 815)
[352, 353) 'isRoot.i' (line 816)
[368, 369) 'hasChopped.i' (line 818)
[384, 541) 'name.i' (line 821) <== Memory access at offset 383 underflows this variable
[608, 765) 'canonLocaleID' (line 2659)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /node_afl/out/../deps/icu-small/source/common/uresbund.cpp:205:9 in getParentLocaleID(char*, char const*, UResOpenType)
Shadow bytes around the buggy address:
0x10006e3ddd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006e3ddd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006e3ddd80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2
0x10006e3ddd90: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x10006e3ddda0: f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2 04 f2 00 f2
=>0x10006e3dddb0: f2 f2 01 f2 01 f2 01[f2]00 00 00 00 00 00 00 00
0x10006e3dddc0: 00 00 00 00 00 00 00 00 00 00 00 05 f2 f2 f2 f2
0x10006e3dddd0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
0x10006e3ddde0: 00 00 00 00 00 00 00 05 f3 f3 f3 f3 f3 f3 f3 f3
0x10006e3dddf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006e3dde00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==70==ABORTING
Hi! We've been fuzzing nodejs using sydr-fuzz and targets for https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/nodejs made by @stasos24. We have updated nodejs to the main branch and the bug from #45284 wasn't reproduced, but we discovered a new one with the same input, so we open a new issue.
Work environment
OS: Ubuntu 20.04
nodejs version: main 86088ab
Bug description
Stack buffer overflow in deps/icu-small/source/common/uresbund.cpp:205:9.
Steps to reproduce
Build docker container from https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/nodejs:
Run docker container:
Execute the sanitizer-built target with the input that leads to the crash ():
You will see the following output: