
String double free in ecma_module_find_module #5143

Open
9chu opened this issue May 19, 2024 · 0 comments

Comments


9chu commented May 19, 2024

Since the module implementation has already changed in the master branch, this bug may only occur in the old 2.4.0 version.

I suggest releasing a new version to prevent people from encountering this issue.

JerryScript revision

https://github.com/jerryscript-project/jerryscript/releases/tag/v2.4.0

Build platform

esp-idf

Build steps

Using customized CMakeLists to build.

Build log

System malloc ON.

Test case

Using import to import native modules.

Output

Memory corruption in GC, usually crashes at ecma_module_release_module_names.

Backtrace

#0  ecma_module_release_module_names (module_name_p=0x1a)
    at components/jerryscript/jerry-core/ecma/base/ecma-module.c:1062
#1  0x401342f5 in ecma_module_release_module_nodes (module_node_p=0x3fff4e80)
    at components/jerryscript/jerry-core/ecma/base/ecma-module.c:1084
#2  0x40134332 in ecma_module_release_module (module_p=0x3fff4048)
    at components/jerryscript/jerry-core/ecma/base/ecma-module.c:1121
#3  0x40134386 in ecma_module_cleanup (head_p=<optimized out>)
    at components/jerryscript/jerry-core/ecma/base/ecma-module.c:1161
#4  0x4012f000 in ecma_gc_free_object (object_p=0x3fff3ba8)
    at components/jerryscript/jerry-core/ecma/base/ecma-gc.c:1650
#5  0x4012f1cb in ecma_gc_run () at components/jerryscript/jerry-core/ecma/base/ecma-gc.c:1928
#6  0x4012d709 in jerry_gc (mode=JERRY_GC_PRESSURE_LOW)

Expected behavior

Not to crash.

Bug analysis

  1. ecma_module_find_native_module passes its argument path_p to ecma_module_create_module
  2. parser_module_handle_module_specifier releases name_p after ecma_module_find_native_module returns
  3. name_p (stored in module_p->path_p) is released again in ecma_module_release_module during GC

Fix

diff --git a/jerry-core/ecma/base/ecma-module.c b/jerry-core/ecma/base/ecma-module.c
index 641649c3..0d1f1bd9 100644
--- a/jerry-core/ecma/base/ecma-module.c
+++ b/jerry-core/ecma/base/ecma-module.c
@@ -184,6 +184,7 @@ ecma_module_find_native_module (ecma_string_t *const path_p)
   {
     JERRY_ASSERT (ecma_is_value_object (native));
 
+    ecma_ref_ecma_string(path_p);
     module_p = ecma_module_create_module (path_p);
     module_p->state = ECMA_MODULE_STATE_NATIVE;
     module_p->namespace_object_p = ecma_get_object_from_value (native);
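Review bot: the added `ecma_ref_ecma_string(path_p);` changes who owns the string stored in module_p->path_p, so it needs a one-line comment saying the module keeps its own reference because the caller (parser_module_handle_module_specifier) releases its name after this function returns; without it the extra ref reads like a leak rather than the fix for the double release described in the analysis. It should also follow the file's call spacing, `ecma_ref_ecma_string (path_p);`, matching the neighbouring `ecma_module_create_module (path_p)` and `JERRY_ASSERT (...)`. A regression test that imports a native module and then forces a GC would confirm the release in ecma_module_release_module no longer hits an already-freed string.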
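A toy model of the ownership bug from the analysis, added here as an example and not JerryScript's or the reporter's code: the module stores the caller's string, the caller releases it after the lookup, and module cleanup releases it once more; the take_ref flag switches between the 2.4.0 behaviour and the extra reference the fix adds. All identifiers and the module name are hypothetical.

```c
/* Added example: a reference-counted string that records, instead of crashing,
 * when it is released more often than it was referenced. All names are toy names. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned refs; bool freed; char text[32]; } toy_string_t;
typedef struct { toy_string_t *path_p; } toy_module_t;

static toy_string_t *toy_string_new (const char *text) {
  toy_string_t *s = calloc (1, sizeof *s);
  s->refs = 1;                           /* the creator holds the first reference */
  strncpy (s->text, text, sizeof s->text - 1);
  return s;
}

static void toy_string_ref (toy_string_t *s) { s->refs++; }

/* Returns true when a reference is dropped that the string no longer has:
 * the toy counterpart of the crash in ecma_module_release_module_names. */
static bool toy_string_deref (toy_string_t *s) {
  if (s->freed) return true;             /* release of an already released string */
  if (--s->refs == 0) s->freed = true;   /* real code would free the memory here */
  return false;
}

/* Models ecma_module_find_native_module storing the name in the module.
 * take_ref == false keeps a borrowed pointer (the 2.4.0 bug);
 * take_ref == true takes the module's own reference (the proposed fix). */
static toy_module_t *toy_find_native_module (toy_string_t *path_p, bool take_ref) {
  toy_module_t *m = calloc (1, sizeof *m);
  if (take_ref) toy_string_ref (path_p);
  m->path_p = path_p;
  return m;
}

/* Runs the sequence from the bug analysis and returns true if a string was
 * released twice: the parser drops its name, then GC cleanup drops path_p. */
bool toy_import_double_release (bool take_ref) {
  toy_string_t *name_p = toy_string_new ("native:gpio"); /* constructed module name */
  toy_module_t *module_p = toy_find_native_module (name_p, take_ref);
  bool bad = toy_string_deref (name_p);                   /* parser releases its name */
  bad |= toy_string_deref (module_p->path_p);             /* module cleanup during GC */
  free (module_p);
  free (name_p);
  return bad;
}
```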