WTF::BitSet<2048ul, unsigned long>::set(unsigned long) Out-of-Bounds

[usr1224]

Credit : Sunghoon Jang, Jeonil Ji

Escargot

• OS: Ubuntu 18.04

Describe the bug
Out-of-Bounds write

Test case
Test code to reproduce the behavior:
set.txt
rename .txt -> .js before use

Backtrace

Analysis

third_party/yarr/BitSet.h

• A SIGABRT occurred in this code.

• After building Escargot in debug mode, I confirmed that an out-of-bounds (OOB) write occurred while accessing index 67108737.

third_party/yarr/BitSet.h

• The result of n / wordSize is 67108737, leading to OOB access at bits[67108737].
  • 67108737 = 0x3ffff81
• To check the value of n, I examined backtrace#1, where the set() function is called.

third_party/yarr/YarrPattern.cpp

• I confirmed that the set() function uses ch - chunkLo as an argument.

• The value of n = ch - chunkLo
• A negative value (0xffffe055) was passed to n.

third_party/yarr/BitSet.h:150 asm

• I confirmed that the argument values are being pushed onto the stack inside the set function.
• The value of n (0xffffe055) is stored at rbp-0x10.

third_party/yarr/BitSet.h

• I verified that n / wordSize is being used as the index of bits.

• Since wordSize = 2^6, it performs a shr 6 operation internally.

• The value of rax contains n (0xffffe055).
• After the n / wordSize operation, the result 0x3ffff81 is stored in rdx.
• Then, an attempt is made to access bits[0x3ffff81], resulting in the OOB.

---

Credit : Sunghoon Jang, Jeonil Ji