Description
We discovered a segmentation fault in JerryScript. The crash occurs in parser_parse_function_statement while parsing a specific construct inside a class static block.
The ASan report shows a READ access to address 0x000000000008, which strongly suggests a NULL pointer dereference: a member at offset 0x8 is read through a NULL structure pointer. The register dump is consistent with this (rax = 0x8 holds the faulting address, and rdi and r13 are zero).
Environment
- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.
Vulnerability Details
- Target: JerryScript
- Vulnerability Type: Segmentation Fault (NULL Pointer Dereference)
- Function: parser_parse_function_statement
- Location: jerry-core/parser/js/js-parser-statm.c:646
- Root Cause Analysis: The crash happens while parsing a class static block; the call chain is parser_parse_class -> parser_parse_class_body -> parser_parse_class_static_block -> parser_parse_statements -> parser_parse_function_statement.
The SEGV on address 0x000000000008 (inside the zero page) means parser_parse_function_statement reads a field at offset 0x8 through a structure pointer that is NULL. Given the context (a function statement inside a static block), the parser most likely expects a valid function context or identifier pointer that has not been initialised or looked up in this nested scope.
Reproduce
- Build JerryScript in Release mode with ASan enabled (the trace below comes from the standard jerry command-line binary, jerry-main/main-desktop.c, built in build_afl).
- Run the crashing input file repro through the harness:
./harness repro
ASAN report
==62627==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x556824fdc634 bp 0x7ffeeb828830 sp 0x7ffeeb828780 T0)
==62627==The signal is caused by a READ memory access.
==62627==Hint: address points to the zero page.
#0 0x556824fdc634 in parser_parse_function_statement /src/jerryscript/jerry-core/parser/js/js-parser-statm.c:646:39
#1 0x556824fcc16e in parser_parse_statements /src/jerryscript/jerry-core/parser/js/js-parser-statm.c:2809:9
#2 0x556824ffde4e in parser_parse_class_static_block /src/jerryscript/jerry-core/parser/js/js-parser.c:2758:3
#3 0x556824f98226 in parser_parse_class_body /src/jerryscript/jerry-core/parser/js/js-parser-expr.c:846:13
#4 0x556824f98226 in parser_parse_class /src/jerryscript/jerry-core/parser/js/js-parser-expr.c:1137:27
#5 0x556824fcc13b in parser_parse_statements /src/jerryscript/jerry-core/parser/js/js-parser-statm.c:2787:9
#6 0x556825008422 in parser_parse_source /src/jerryscript/jerry-core/parser/js/js-parser.c:2280:5
#7 0x556824d7713b in parser_parse_script /src/jerryscript/jerry-core/parser/js/js-parser.c:3332:38
#8 0x556824d7713b in jerry_parse_common /src/jerryscript/jerry-core/api/jerryscript.c:413:21
#9 0x556824d76f97 in jerry_parse /src/jerryscript/jerry-core/api/jerryscript.c:481:10
#10 0x55682509e1f4 in jerryx_source_parse_script /src/jerryscript/jerry-ext/util/sources.c:52:26
#11 0x55682509e3c7 in jerryx_source_exec_script /src/jerryscript/jerry-ext/util/sources.c:63:26
#12 0x556824d67cbd in main /src/jerryscript/jerry-main/main-desktop.c:156:20
#13 0x7fa32d49b1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#14 0x7fa32d49b28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#15 0x556824c85e64 in _start (/src/jerryscript/build_afl/bin/jerry+0x5ce64) (BuildId: 3074c3b9518ca6ea5b659c5ce8afad1222e1cf7b)
==62627==Register values:
rax = 0x0000000000000008 rbx = 0x00007ffeeb828780 rcx = 0x00007ffeeb829b18 rdx = 0x00000fffdd705363
rdi = 0x0000000000000000 rsi = 0x0000000000000002 rbp = 0x00007ffeeb828830 rsp = 0x00007ffeeb828780
r8 = 0x00007ffeeb8299a0 r9 = 0x00007ffeeb829b60 r10 = 0x00007ffeeb829b98 r11 = 0x000000000000005c
r12 = 0x00000fffdd705366 r13 = 0x0000000000000000 r14 = 0x00007ffeeb829b30 r15 = 0x00007fa32b902700
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/jerryscript/jerry-core/parser/js/js-parser-statm.c:646:39 in parser_parse_function_statement
==62627==ABORTING
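As an added example (not part of this report or of JerryScript), the following Python script mechanises the reasoning used above on the ASan report: it extracts the faulting address and access kind, the symbolized source frames and the register dump, classifies a fault inside the zero page as NULL plus a member offset, and lists which registers hold the faulting address or zero. The report text is copied from this issue (frames 6-12 and the BuildId annotations trimmed); the second, wild-pointer report is constructed for contrast and is not a JerryScript crash.

```python
"""Triage an AddressSanitizer SEGV report.

Decides whether a fault looks like a NULL-pointer dereference (base pointer 0
plus a small member offset) or a wild pointer, recovers the call path from the
symbolized frames, and checks the register dump for the faulting address.
"""
import re

ZERO_PAGE_LIMIT = 0x1000  # a fault below one page is read as NULL + member offset

_ADDR_RE = re.compile(r"SEGV on unknown address 0x([0-9a-fA-F]+)")
_ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
# Only symbolized frames with file:line:col; libc/_start frames are skipped.
_FRAME_RE = re.compile(r"#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+):(\d+):(\d+)")
_REG_RE = re.compile(r"\b(r[a-z0-9]{1,2}) = 0x([0-9a-fA-F]+)")


def triage_asan_segv(report: str) -> dict:
    """Return the structured triage result for one ASan SEGV report."""
    addr_m = _ADDR_RE.search(report)
    if addr_m is None:
        raise ValueError("not an AddressSanitizer SEGV report")
    addr = int(addr_m.group(1), 16)
    access_m = _ACCESS_RE.search(report)
    access = access_m.group(1) if access_m else "UNKNOWN"

    frames = [
        {"function": m.group(2), "file": m.group(3), "line": int(m.group(4))}
        for m in _FRAME_RE.finditer(report)
    ]
    regs = {name: int(val, 16) for name, val in _REG_RE.findall(report)}

    # A fault inside the zero page means the base pointer was NULL and the
    # address itself is the offset of the member being accessed.
    kind = "null-deref" if addr < ZERO_PAGE_LIMIT else "wild-pointer"

    return {
        "address": addr,
        "access": access,
        "kind": kind,
        "member_offset": addr if kind == "null-deref" else None,
        "top_frame": frames[0] if frames else None,
        "call_path": [f["function"] for f in frames],
        # Registers equal to the fault address usually hold the computed
        # base+offset; registers equal to zero are NULL-pointer candidates.
        "regs_holding_fault_addr": sorted(n for n, v in regs.items() if v == addr),
        "null_regs": sorted(n for n, v in regs.items() if v == 0),
    }


# Report text copied from this issue (frames 6-12 and BuildId annotations trimmed).
JERRY_REPORT = """\
==62627==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x556824fdc634 bp 0x7ffeeb828830 sp 0x7ffeeb828780 T0)
==62627==The signal is caused by a READ memory access.
==62627==Hint: address points to the zero page.
    #0 0x556824fdc634 in parser_parse_function_statement /src/jerryscript/jerry-core/parser/js/js-parser-statm.c:646:39
    #1 0x556824fcc16e in parser_parse_statements /src/jerryscript/jerry-core/parser/js/js-parser-statm.c:2809:9
    #2 0x556824ffde4e in parser_parse_class_static_block /src/jerryscript/jerry-core/parser/js/js-parser.c:2758:3
    #3 0x556824f98226 in parser_parse_class_body /src/jerryscript/jerry-core/parser/js/js-parser-expr.c:846:13
    #4 0x556824f98226 in parser_parse_class /src/jerryscript/jerry-core/parser/js/js-parser-expr.c:1137:27
    #5 0x556824fcc13b in parser_parse_statements /src/jerryscript/jerry-core/parser/js/js-parser-statm.c:2787:9
    #13 0x7fa32d49b1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
    #14 0x7fa32d49b28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a)
==62627==Register values:
rax = 0x0000000000000008 rbx = 0x00007ffeeb828780 rcx = 0x00007ffeeb829b18 rdx = 0x00000fffdd705363
rdi = 0x0000000000000000 rsi = 0x0000000000000002 rbp = 0x00007ffeeb828830 rsp = 0x00007ffeeb828780
r8 = 0x00007ffeeb8299a0 r9 = 0x00007ffeeb829b60 r10 = 0x00007ffeeb829b98 r11 = 0x000000000000005c
r12 = 0x00000fffdd705366 r13 = 0x0000000000000000 r14 = 0x00007ffeeb829b30 r15 = 0x00007fa32b902700
"""

# Constructed contrast case (not a JerryScript crash): a write through a pointer
# overwritten with attacker-looking bytes, far outside the zero page.
WILD_REPORT = """\
==1==ERROR: AddressSanitizer: SEGV on unknown address 0x4141414141414149 (pc 0x000000401136 bp 0x7ffd0 sp 0x7ffd0 T0)
==1==The signal is caused by a WRITE memory access.
    #0 0x401136 in store_field /tmp/example.c:12:5
    #1 0x401180 in main /tmp/example.c:20:3
"""

if __name__ == "__main__":
    for name, text in (("jerry", JERRY_REPORT), ("wild", WILD_REPORT)):
        r = triage_asan_segv(text)
        print(f"{name}: {r['kind']} {r['access']} at 0x{r['address']:x}; "
              f"top frame {r['top_frame']['function']}:{r['top_frame']['line']}; "
              f"fault addr in {r['regs_holding_fault_addr']}, null regs {r['null_regs']}")
```

For the report above the script classifies the fault as null-deref with member offset 8, names parser_parse_function_statement at js-parser-statm.c:646 as the top frame, and shows rax carrying the faulting address while rdi and r13 are zero; a fault outside the first page is reported as a wild pointer instead, which is the case that needs a different (and more urgent) exploitability assessment.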