Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use of Uninitialized Memory Detected in bytecode_builtins_list_generator by MemorySanitizer #50171

Closed
khagankhan opened this issue Oct 13, 2023 · 1 comment
Labels
v8 engine Issues and PRs related to the V8 dependency. wrong repo Issues that should be opened in another repository.

Comments

@khagankhan
Copy link

khagankhan commented Oct 13, 2023

Version

v20.6.1 (I was trying to build the last version)

Platform

x86_64 GNU/Linux

Subsystem

No response

What steps will reproduce the bug?

Memory Sanitizer found the issue with AFL++.

Download and configure AFL++. You can use this script:

    git clone https://github.com/AFLplusplus/AFLplusplus 
    cd AFLplusplus
    make all
    sudo make install
    sudo apt-get install gcc-11-plugin-dev
    sudo make
    sudo cp afl-gcc-fast /usr/bin
    sudo cp afl-gcc-fast /usr/local/bin
    sudo cp afl-g++-fast /usr/local/bin
    sudo cp afl-g++-fast /usr/bin
    sudo cp afl-gcc-pass.so /usr/local/lib/afl

Then download node. After running ./configure and python3 configure run the following script. You will observe it.

#!/bin/bash
export AFL_USE_MSAN=1
export AFL_USE_UBSAN=1

# Set compiler options for make
export CC="/usr/local/bin/afl-clang-fast -fsanitize=memory,undefined -g"
export CXX="/usr/local/bin/afl-clang-fast++ -fsanitize=memory,undefined -g"
make -j$(nproc)

How often does it reproduce? Is there a required condition?

It was not my primary intention to find that issue. I wanted to fuzz node for deeper bugs. But it does not allow us to even build it.

What is the expected behavior? Why is that the expected behavior?

All memory passed to the writev function (or any other function) should be properly initialized before use. When the bytecode_builtins_list_generator binary is executed, it should perform its operations without accessing uninitialized memory, ensuring consistent and predictable behavior.

What do you see instead?

Uninitialized bytes in read_iovec at offset 0 inside [0x724000000000, 8157)
==96653==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55ff1e4e39a4 in writev (/root/wasmoi/fuzz/node/out/Release/bytecode_builtins_list_generator+0x7b9a4) (BuildId: 03769851967f1035cfcd85bf0341cdac04178ac6)
    #1 0x7f84bb7c0d91 in std::__basic_file<char>::xsputn_2(char const*, long, char const*, long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd0d91) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #2 0x7f84bb803d26 in std::basic_filebuf<char, std::char_traits<char> >::xsputn(char const*, long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x113d26) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #3 0x7f84bb82cb64 in std::basic_ostream<char, std::char_traits<char> >& std::__ostream_insert<char, std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*, long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x13cb64) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #4 0x55ff1e531c15 in std::basic_ostream<char, std::char_traits<char> >& std::operator<<<std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/ostream:616:2
    #5 0x55ff1e531c15 in v8::internal::interpreter::WriteBytecode(std::basic_ofstream<char, std::char_traits<char> >&, v8::internal::interpreter::Bytecode, v8::internal::interpreter::OperandScale, int*, int*, int) /root/wasmoi/fuzz/node/out/../deps/v8/src/builtins/generate-bytecodes-builtins-list.cc:31:32
    #6 0x55ff1e533712 in v8::internal::interpreter::WriteHeader(char const*) /root/wasmoi/fuzz/node/out/../deps/v8/src/builtins/generate-bytecodes-builtins-list.cc:64:3
    #7 0x55ff1e53c8f1 in main /root/wasmoi/fuzz/node/out/../deps/v8/src/builtins/generate-bytecodes-builtins-list.cc:115:3
    #8 0x7f84bb3ead8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f84bb3eae3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x55ff1e4a9794 in _start (/root/wasmoi/fuzz/node/out/Release/bytecode_builtins_list_generator+0x41794) (BuildId: 03769851967f1035cfcd85bf0341cdac04178ac6)

SUMMARY: MemorySanitizer: use-of-uninitialized-value (/root/wasmoi/fuzz/node/out/Release/bytecode_builtins_list_generator+0x7b9a4) (BuildId: 03769851967f1035cfcd85bf0341cdac04178ac6) in writev

Additional information

No response

@bnoordhuis
Copy link
Member

As you can probably tell by the stack trace, that's inside V8, a third-party dependency. Please report it over there.

@bnoordhuis bnoordhuis closed this as not planned Won't fix, can't repro, duplicate, stale Oct 13, 2023
@bnoordhuis bnoordhuis added v8 engine Issues and PRs related to the V8 dependency. wrong repo Issues that should be opened in another repository. labels Oct 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
v8 engine Issues and PRs related to the V8 dependency. wrong repo Issues that should be opened in another repository.
Projects
None yet
Development

No branches or pull requests

2 participants