WTF::BitSet<2048ul, unsigned long>::set(unsigned long) Out-of-Bounds

### Credit : Sunghoon Jang, Jeonil Ji

**Escargot**
 - OS: Ubuntu 18.04

**Describe the bug**
Out-of-Bounds write

**Test case**
Test code to reproduce the behavior:
[set.txt](https://github.com/user-attachments/files/16988159/set.txt)
rename .txt -> .js before use

**Backtrace**
<img width="746" alt="set1" src="https://github.com/user-attachments/assets/1c7c04b0-156f-48ed-8391-86bde7d4cba8">

**Analysis**

<img width="517" alt="set2" src="https://github.com/user-attachments/assets/4047e478-7b32-41bd-8786-d07945500d1e">
third_party/yarr/BitSet.h

- A SIGABRT occurred in this code.

<img width="713" alt="set3" src="https://github.com/user-attachments/assets/e181d0d2-243e-469e-8323-940f8fed1abb">

- After building Escargot in debug mode, I confirmed that an out-of-bounds (OOB) write occurred while accessing index 67108737.

<img width="517" alt="set4" src="https://github.com/user-attachments/assets/989d88c2-9010-4970-af60-311c190abe2a">
third_party/yarr/BitSet.h

- The result of `n / wordSize` is 67108737, leading to OOB access at bits[67108737].
    - 67108737 = 0x3ffff81
- To check the value of `n`, I examined backtrace#1, where the `set()` function is called.

<img width="625" alt="set5" src="https://github.com/user-attachments/assets/69580ab0-b6d9-430c-aa7e-0acd63d377b4">
third_party/yarr/YarrPattern.cpp

- I confirmed that the `set()` function uses `ch - chunkLo` as an argument.

<img width="185" alt="set6" src="https://github.com/user-attachments/assets/60e03707-ed81-4579-b953-ceadad161ef9">

<img width="749" alt="set7" src="https://github.com/user-attachments/assets/9a319f65-5e1e-4d13-af3b-0b75faaead92">

- The value of `n = ch - chunkLo`
- A negative value (0xffffe055) was passed to n.

<img width="715" alt="set8" src="https://github.com/user-attachments/assets/71a5f6db-1bb0-4be1-9506-0d397d01304a">

third_party/yarr/BitSet.h:150 asm

- I confirmed that the argument values are being pushed onto the stack inside the set function.
- The value of n (`0xffffe055`) is stored at rbp-0x10.

<img width="517" alt="set9" src="https://github.com/user-attachments/assets/a1a1c6ee-0b78-4c43-a107-969c55819084">

third_party/yarr/BitSet.h

- I verified that `n / wordSize` is being used as the index of `bits`.
    
<img width="169" alt="set10" src="https://github.com/user-attachments/assets/8ea8b5d0-2c5b-41da-a6be-e3a9c24d3463">

- Since `wordSize` = 2^6, it performs a shr 6 operation internally.

<img width="701" alt="set11" src="https://github.com/user-attachments/assets/bc5065b1-81f6-438d-acc9-41ee391c49c5">

- The value of rax contains n (`0xffffe055`).
- After the `n / wordSize` operation, the result `0x3ffff81` is stored in rdx.
- Then, an attempt is made to access `bits[0x3ffff81]`, resulting in the OOB.

---

### Credit : Sunghoon Jang, Jeonil Ji


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

WTF::BitSet<2048ul, unsigned long>::set(unsigned long) Out-of-Bounds #1389

Credit : Sunghoon Jang, Jeonil Ji

Credit : Sunghoon Jang, Jeonil Ji

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

WTF::BitSet<2048ul, unsigned long>::set(unsigned long) Out-of-Bounds #1389

Description

Credit : Sunghoon Jang, Jeonil Ji

Credit : Sunghoon Jang, Jeonil Ji

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions