Stack buffer overflow in `deps/icu-small/source/common/uresbund.cpp:205:9`

[kobrineli]

Hi! We've been fuzzing nodejs using sydr-fuzz and targets for https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/nodejs made by @stasos24.
We have updated nodejs to main branch and the bug from #45284 wasn't reproduced, but we discovered the new one with the same input, so we open a new issue.

Work environment

OS: Ubuntu 20.04
nodejs version: main 86088ab

Bug description

Stack buffer overflow in deps/icu-small/source/common/uresbund.cpp:205:9.

Steps to reproduce

1. Build docker container from https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/nodejs:

    sudo docker build -t oss-sydr-fuzz-nodejs .
   

2. Run docker container:

    sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-nodejs /bin/bash
   

3. Execute sanitizers built target with input that leads to crash ():

    /v8_compile_afl < crash-c3fbe25a7f8f3d8aced6fa547461bd5b6b4b3df8
   

4. You will see the following ouput:

    =================================================================
    ==70==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff71f2edbf at pc 0x00000205b30b bp 0x7fff71f2e3f0 sp 0x7fff71f2e3e8
    READ of size 1 at 0x7fff71f2edbf thread T0
        #0 0x205b30a in getParentLocaleID(char*, char const*, UResOpenType) /node_afl/out/../deps/icu-small/source/common/uresbund.cpp:205:9
        #1 0x205b30a in findFirstExisting(char const*, char*, char const*, UResOpenType, signed char*, signed char*, signed char*, UErrorCode*) /node_afl/out/../deps/icu-small/source/common/uresbund.cpp:696:28
        #2 0x204e380 in entryOpen(char const*, char const*, UResOpenType, UErrorCode*) /node_afl/out/../deps/icu-small/source/common/uresbund.cpp:851:9
        #3 0x204e380 in ures_openWithType(UResourceBundle*, char const*, char const*, UResOpenType, UErrorCode*) /node_afl/out/../deps/icu-small/source/common/uresbund.cpp:2665:17
        #4 0x41e1889 in icu_72::Calendar::setWeekData(icu_72::Locale const&, char const*, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/calendar.cpp:3932:41
        #5 0x4098b08 in icu_72::GregorianCalendar::GregorianCalendar(icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/gregocal.cpp:188:5
        #6 0x41e01b4 in icu_72::createStandardCalendar(ECalType, icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/calendar.cpp:342:51
        #7 0x41e01b4 in icu_72::Calendar::makeInstance(icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/calendar.cpp:911:13
        #8 0x41df5ae in icu_72::LocaleCacheKey<icu_72::SharedCalendar>::createObject(void const*, UErrorCode&) const /node_afl/out/../deps/icu-small/source/i18n/calendar.cpp:216:26
        #9 0x52421ab in icu_72::UnifiedCache::_get(icu_72::CacheKeyBase const&, icu_72::SharedObject const*&, void const*, UErrorCode&) const /node_afl/out/../deps/icu-small/source/common/unifiedcache.cpp:394:17
        #10 0x41e37ce in void icu_72::UnifiedCache::get<icu_72::SharedCalendar>(icu_72::CacheKey<icu_72::SharedCalendar> const&, void const*, icu_72::SharedCalendar const*&, UErrorCode&) const /node_afl/out/../deps/icu-small/source/common/unifiedcache.h:234:8
        #11 0x41e37ce in void icu_72::UnifiedCache::get<icu_72::SharedCalendar>(icu_72::CacheKey<icu_72::SharedCalendar> const&, icu_72::SharedCalendar const*&, UErrorCode&) const /node_afl/out/../deps/icu-small/source/common/unifiedcache.h:206:8
        #12 0x41e37ce in void icu_72::UnifiedCache::getByLocale<icu_72::SharedCalendar>(icu_72::Locale const&, icu_72::SharedCalendar const*&, UErrorCode&) /node_afl/out/../deps/icu-small/source/common/unifiedcache.h:274:15
        #13 0x41e37ce in icu_72::Calendar::createInstance(icu_72::TimeZone*, icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/calendar.cpp:999:5
        #14 0x412ba62 in icu_72::SimpleDateFormat::initializeCalendar(icu_72::TimeZone*, icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/smpdtfmt.cpp:950:21
        #15 0x412ba62 in icu_72::SimpleDateFormat::construct(icu_72::DateFormat::EStyle, icu_72::DateFormat::EStyle, icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/smpdtfmt.cpp:696:5
        #16 0x4134b89 in icu_72::SimpleDateFormat::SimpleDateFormat(icu_72::DateFormat::EStyle, icu_72::DateFormat::EStyle, icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/smpdtfmt.cpp:508:5
        #17 0x437c8bf in icu_72::DateFormat::create(icu_72::DateFormat::EStyle, icu_72::DateFormat::EStyle, icu_72::Locale const&) /node_afl/out/../deps/icu-small/source/i18n/datefmt.cpp:529:31
        #18 0x40dbe9b in icu_72::DateTimePatternGenerator::addICUPatterns(icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/dtptngen.cpp:819:14
        #19 0x40d4fe0 in icu_72::DateTimePatternGenerator::initData(icu_72::Locale const&, UErrorCode&, signed char) /node_afl/out/../deps/icu-small/source/i18n/dtptngen.cpp:516:9
        #20 0x40d055a in icu_72::DateTimePatternGenerator::createInstance(icu_72::Locale const&, UErrorCode&) /node_afl/out/../deps/icu-small/source/i18n/dtptngen.cpp:309:17
        #21 0x35726c7 in v8::internal::(anonymous namespace)::DateTimePatternGeneratorCache::CreateGenerator(v8::internal::Isolate*, icu_72::Locale const&) /node_afl/out/../deps/v8/src/objects/js-date-time-format.cc:2177:16
        #22 0x356c330 in v8::internal::JSDateTimeFormat::New(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, char const*) /node_afl/out/../deps/v8/src/objects/js-date-time-format.cc:2339:34
        #23 0x323b0b5 in v8::internal::Object v8::internal::(anonymous namespace)::LegacyFormatConstructor<v8::internal::JSDateTimeFormat>(v8::internal::BuiltinArguments, v8::internal::Isolate*, v8::Isolate::UseCounterFeature, v8::internal::Handle<v8::internal::Object>, char const*) /node_afl/out/../deps/v8/src/builtins/builtins-intl.cc:243:3
        #24 0x323b0b5 in v8::internal::Builtin_Impl_DateTimeFormatConstructor(v8::internal::BuiltinArguments, v8::internal::Isolate*) /node_afl/out/../deps/v8/src/builtins/builtins-intl.cc:514:10
        #25 0x323b0b5 in v8::internal::Builtin_DateTimeFormatConstructor(int, unsigned long*, v8::internal::Isolate*) /node_afl/out/../deps/v8/src/builtins/builtins-intl.cc:511:1
        #26 0x1e8f438 in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit out/Release/obj.target/v8_snapshot/geni/embedded.o
    
    Address 0x7fff71f2edbf is located in stack of thread T0 at offset 383 in frame
        #0 0x204de4f in ures_openWithType(UResourceBundle*, char const*, char const*, UResOpenType, UErrorCode*) /node_afl/out/../deps/icu-small/source/common/uresbund.cpp:2651
    
      This frame has 9 object(s):
        [32, 40) 't1.i141' (line 994)
        [64, 221) 'name.i142' (line 998)
        [288, 292) 'intStatus.i' (line 812)
        [304, 312) 't1.i' (line 814)
        [336, 337) 'isDefault.i' (line 815)
        [352, 353) 'isRoot.i' (line 816)
        [368, 369) 'hasChopped.i' (line 818)
        [384, 541) 'name.i' (line 821) <== Memory access at offset 383 underflows this variable
        [608, 765) 'canonLocaleID' (line 2659)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /node_afl/out/../deps/icu-small/source/common/uresbund.cpp:205:9 in getParentLocaleID(char*, char const*, UResOpenType)
    Shadow bytes around the buggy address:
      0x10006e3ddd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006e3ddd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006e3ddd80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2
      0x10006e3ddd90: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
      0x10006e3ddda0: f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2 04 f2 00 f2
    =>0x10006e3dddb0: f2 f2 01 f2 01 f2 01[f2]00 00 00 00 00 00 00 00
      0x10006e3dddc0: 00 00 00 00 00 00 00 00 00 00 00 05 f2 f2 f2 f2
      0x10006e3dddd0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006e3ddde0: 00 00 00 00 00 00 00 05 f3 f3 f3 f3 f3 f3 f3 f3
      0x10006e3dddf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006e3dde00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==70==ABORTING 
   

[jasnell]

We appreciate the research and the report. There are, however, a few issues here.

First, based on the stack trace, this appears to be an issue with our dependencies v8 and ICU, not with Node.js itself. Node.js does not provide the implementation of DateTimeFormat and has no control over that code path. This issue likely needs to be reported to either v8 and/or ICU for investigation.

Thirdly, and most importantly, this kind of issue can very likely be a security concern. By reporting it here, in the public repo, you potentially put deployments at risk. For reporting these kinds of issues, please see our SECURITY policy https://github.com/nodejs/node/blob/main/SECURITY.md. We use HackerOne for this purpose.

[kobrineli]

@jasnell
We are really sorry that we didn't report this issue according to your security policy; hopefully, that was not the exploitable one.
The good news is that unicode-org/icu#2248 pull request was accepted and stack buffer overflow error in ICU was fixed. So the only thing left to do is to update the ICU version in nodejs.