os.Worker Can Call a NULL Context-Factory Callback in an Incompletely Initialized Embedder #538

Description

@kid-lxy

This issue was reproduced in a custom fuzzing harness -- fuzz_eval.
It was not reproduced as a crash with the standard command:

qjs --std worker_crash.js

Minimal Reproducer

new os.Worker("/tmp/existent_worker.js");

A second reproducer triggering the same root cause is:

new os.Worker("data:text/javascript,");

The module argument does not appear to be important because the crash occurs while creating the worker runtime or context.

Reproduction Command

timeout 30 ./fuzz_eval worker_crash.js

The exact path to the embedding executable may be changed as needed.

Observed Result
The sanitizer reports a segmentation fault at address zero in a worker thread.

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1893264762
INFO: Loaded 1 modules   (29133 inline 8-bit counters): 29133 [0x5ca490be13c8, 0x5ca490be8595), 
INFO: Loaded 1 PC tables (29133 PCs): 29133 [0x5ca490be8598,0x5ca490c5a268), 
./fuzz_eval: Running 1 inputs 1 time(s) each.
Running: bug_seeds/worker_crash.js
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==945968==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x7448534fbe80 sp 0x7448534fbe48 T945970)
==945968==Hint: pc points to the zero page.
==945968==The signal is caused by a READ memory access.
==945968==Hint: address points to the zero page.
Executed bug_seeds/worker_crash.js in 2 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***

Build.sh

sed -i -e 's/CFLAGS=/CFLAGS+=/' Makefile
sed -i -e 's/CC=$(CROSS_PREFIX)clang//' Makefile
CONFIG_CLANG=y make libquickjs.fuzz.a .obj/fuzz_common.o .obj/libregexp.fuzz.o .obj/cutils.fuzz.o .obj/libunicode.fuzz.o
zip -r $OUT/fuzz_eval_seed_corpus.zip $SRC/quickjs-corpus/js/*.js
zip -r $OUT/fuzz_compile_seed_corpus.zip $SRC/quickjs-corpus/js/*.js

export CFLAGS="${CFLAGS} -fsanitize=fuzzer-no-link"
export CXXFLAGS="${CXXFLAGS} -fsanitize=fuzzer-no-link"

build_fuzz_target () {
    local target=$1
    shift
    # Compile the harness source, then link it with the remaining
    # arguments (object files / archives) and the fuzzing engine.
    $CC $CFLAGS -I. -c fuzz/$target.c -o $target.o
    $CXX $CXXFLAGS $target.o -o $OUT/$target "$@" $LIB_FUZZING_ENGINE
}

build_fuzz_target fuzz_eval .obj/fuzz_common.o libquickjs.fuzz.a
build_fuzz_target fuzz_compile .obj/fuzz_common.o libquickjs.fuzz.a
build_fuzz_target fuzz_regexp .obj/libregexp.fuzz.o .obj/cutils.fuzz.o .obj/libunicode.fuzz.o

cp fuzz/fuzz.dict $OUT/fuzz_eval.dict
cp fuzz/fuzz.dict $OUT/fuzz_compile.dict

QuickJS version
Git commit: 04be246
Operating system: Ubuntu 24.04 x86_64
