Found with Fuzzilli.
Code:
// Fuzzilli-generated reproducer for the LibJS crash traced below. Kept
// verbatim: the crash depends on allocation order and on the forced gc()
// calls, so restyling it would likely lose the repro.
// Relies on the `gc` global that the LibJS fuzzer harness exposes (each call
// prints "Forced garbage collection requested!" in the trace).
function main() {
let v2 = 0;
do {
const v4 = v2++;
// Block-level function declarations inside a `do` body (sloppy mode).
// v5 is overwritten by the executor below with the promise's resolve
// function, so the later `v5(v25)` call resolves the promise.
function v5(v6) {
}
// Promise executor: stashes the resolve function (v8) in v5; the reject
// function (v9) is never used.
function v7(v8,v9) {
v5 = v8;
}
const v11 = new Promise(v7);
const v13 = gc == v7;
let v14 = 0;
const v15 = 10;
const v16 = v14++;
// Unused allocations; presumably heap filler between iterations.
const v20 = [13.37,13.37,13.37,13.37,13.37];
const v22 = [1337];
const v23 = [13.37,Function,v20,v22,1337,"fkq3Rr9R0U",Function,13.37,1337,13.37];
const v25 = new Uint32Array();
// Registers gc itself as the finally handler, so a forced collection runs
// from inside a promise reaction job. The derived promise is dropped (v26 is
// never read); NOTE(review): the trace's resolve-function call from
// PromiseReactionJob (PromiseJobs.cpp:69) looks like it targets that
// derived promise after it was collected — confirm against the heap roots.
const v26 = v11.finally(gc);
// Resolves v11 (v5 is the captured resolve function here). Memory-safety
// issue under test: Promise.cpp:76 ends up doing a member call on an
// address UBSan reports as a FreelistEntry / Shape, i.e. a freed cell.
const v27 = v5(v25);
} while (v2 < 8);
// Property key -2^32: this is what triggers the Value.h:72 UBSan report
// ("-4.29497e+09 is outside the range of representable values of type 'int'").
Object[-4294967296] = "NEGATIVE_INFINITY";
const v31 = gc;
const v32 = [13.37,13.37,13.37,13.37];
const v34 = [1337,1337,1337,1337,Proxy];
let v35 = 0;
const v36 = 3;
const v37 = Object();
const v38 = v35++;
const v39 = ["NEGATIVE_INFINITY","NEGATIVE_INFINITY",Proxy,v34,13.37,13.37,13.37,v32,1337];
const v40 = {a:v39,constructor:13.37,d:v34,e:v32,length:"NEGATIVE_INFINITY",toString:Proxy};
const v41 = {a:-4294967296,b:1337,c:Proxy,constructor:v32,e:"NEGATIVE_INFINITY",length:v32,valueOf:v40};
// Explicit collection after main's locals are no longer needed.
const v43 = gc();
}
// Run the reproducer. The promise reaction jobs (and the gc() they invoke via
// finally) only run after this returns, when the interpreter drains the job
// queue (VM::run_queued_promise_jobs in the trace below).
main();
// STDERR:
// Forced garbage collection requested!
// Forced garbage collection requested!
// Forced garbage collection requested!
// Forced garbage collection requested!
// Forced garbage collection requested!
// Forced garbage collection requested!
// Forced garbage collection requested!
// Forced garbage collection requested!
// Forced garbage collection requested!
// Forced garbage collection requested!
// ../Userland/Libraries/LibJS/Runtime/Promise.cpp:76:51: runtime error: member call on address 0x62d000265e38 which does not point to an object of type 'JS::Object'
// 0x62d000265e38: note: object is of type 'JS::HeapBlock::FreelistEntry'
// 00 00 00 00 18 39 e5 00 00 00 00 00 00 00 00 00 00 00 00 00 38 5c 26 00 d0 62 00 00 00 00 00 00
// ^~~~~~~~~~~~~~~~~~~~~~~
// vptr for 'JS::HeapBlock::FreelistEntry'
// SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../Userland/Libraries/LibJS/Runtime/Promise.cpp:76:51 in
As file: program_20210511185100_8FD2AE09-C95B-47D5-94A8-5DB1199EC4D9_flaky_0.txt
Trace:
../Userland/Libraries/LibJS/Runtime/Value.h:72:65: runtime error: -4.29497e+09 is outside the range of representable values of type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../Userland/Libraries/LibJS/Runtime/Value.h:72:65 in
Forced garbage collection requested!
Forced garbage collection requested!
Forced garbage collection requested!
Forced garbage collection requested!
Forced garbage collection requested!
Forced garbage collection requested!
Forced garbage collection requested!
Forced garbage collection requested!
Forced garbage collection requested!
../Userland/Libraries/LibJS/Runtime/Promise.cpp:76:51: runtime error: member call on address 0x62d000070eb8 which does not point to an object of type 'JS::Object'
0x62d000070eb8: note: object is of type 'JS::Shape'
be be be be 10 ff ef 00 00 00 00 00 00 01 00 03 00 00 00 00 38 80 01 00 d0 62 00 00 70 38 01 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'JS::Shape'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../Userland/Libraries/LibJS/Runtime/Promise.cpp:76:51 in
=================================================================
==111615==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000efff38 at pc 0x000000c85c5f bp 0x7fffca59ff90 sp 0x7fffca59ff88
READ of size 8 at 0x000000efff38 thread T0
#0 0xc85c5e in auto JS::Promise::create_resolving_functions()::$_0::operator()<JS::VM, JS::GlobalObject, JS::Promise, JS::AlreadyResolved>(JS::VM&, JS::GlobalObject&, JS::Promise&, JS::AlreadyResolved&) const /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibJS/Runtime/Promise.cpp:76:51
#1 0xc85c5e in AK::Function<JS::Value (JS::VM&, JS::GlobalObject&, JS::Promise&, JS::AlreadyResolved&)>::CallableWrapper<JS::Promise::create_resolving_functions()::$_0>::call(JS::VM&, JS::GlobalObject&, JS::Promise&, JS::AlreadyResolved&) const /home/lukew/Desktop/serenity-project/serenity/build/.././AK/Function.h:103:24
#2 0xa0a736 in JS::VM::call_internal(JS::Function&, JS::Value, AK::Optional<JS::MarkedValueList>) /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibJS/Runtime/VM.cpp:339:28
#3 0xc88689 in JS::Value JS::VM::call<JS::MarkedValueList>(JS::Function&, JS::Value, JS::MarkedValueList) /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibJS/Runtime/VM.h:274:118
#4 0xc88689 in JS::Value JS::VM::call<JS::Value>(JS::Function&, JS::Value, JS::Value) /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibJS/Runtime/VM.h:219:20
#5 0xc88689 in JS::PromiseReactionJob::call() /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibJS/Runtime/PromiseJobs.cpp:69:19
#6 0xa0a736 in JS::VM::call_internal(JS::Function&, JS::Value, AK::Optional<JS::MarkedValueList>) /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibJS/Runtime/VM.cpp:339:28
#7 0xa0b40b in JS::Value JS::VM::call<AK::Optional<JS::MarkedValueList> >(JS::Function&, JS::Value, AK::Optional<JS::MarkedValueList>) /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibJS/Runtime/VM.h:277:128
#8 0xa0b40b in JS::Value JS::VM::call<>(JS::Function&, JS::Value) /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibJS/Runtime/VM.h:280:91
#9 0xa0b40b in JS::VM::run_queued_promise_jobs() /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibJS/Runtime/VM.cpp:360:40
#10 0x6967ad in JS::Interpreter::run(JS::GlobalObject&, JS::Program const&) /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibJS/Interpreter.cpp:66:8
#11 0x5ed77e in LLVMFuzzerTestOneInput /home/lukew/Desktop/serenity-project/serenity/build/../Meta/Lagom/Fuzzers/FuzzJs.cpp:24:22
#12 0x4f3f61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzJs+0x4f3f61)
#13 0x4df672 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzJs+0x4df672)
#14 0x4e56de in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzJs+0x4e56de)
#15 0x50d1a2 in main (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzJs+0x50d1a2)
#16 0x7f091fe270b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#17 0x4b9d7d in _start (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzJs+0x4b9d7d)
0x000000efff38 is located 40 bytes to the left of global variable '' defined in '../Userland/Libraries/LibJS/Runtime/Shape.cpp' (0xefff60) of size 8
0x000000efff38 is located 0 bytes to the right of global variable 'vtable for JS::Shape' defined in '../Userland/Libraries/LibJS/Runtime/Shape.cpp' (0xefff00) of size 56
SUMMARY: AddressSanitizer: global-buffer-overflow /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibJS/Runtime/Promise.cpp:76:51 in auto JS::Promise::create_resolving_functions()::$_0::operator()<JS::VM, JS::GlobalObject, JS::Promise, JS::AlreadyResolved>(JS::VM&, JS::GlobalObject&, JS::Promise&, JS::AlreadyResolved&) const
Shadow bytes around the buggy address:
0x0000801d7f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801d7fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801d7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801d7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801d7fd0: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
=>0x0000801d7fe0: 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 00 f9 f9 f9
0x0000801d7ff0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x0000801d8000: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x0000801d8010: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801d8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801d8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==111615==ABORTING