CVE-2021-46329: SEGV (/usr/local/bin/xst+0xdfee5f) in _fini · Issue #768 · Moddable-OpenSource/moddable

Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via the component _fini.


SEGV (/usr/local/bin/xst+0xdfee5f) in _fini #768

Open

hope-fly opened this issue Jan 7, 2022 · 1 comment

@hope-fly

Moddable-XS revision

Commit: 2f93df29

Version: 11.5.0 32 4

Build environment

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

cd ~/moddable/xs/makefiles/lin
make -f xst.mk

Test case: poc.js

function JSEtest() {
    return { __proto__: setInterval(/a/g, "") } instanceof Array
        && !({ __proto__: null } instanceof Object);
}

if (!JSEtest())
    throw new Error("Test failed");

Execution & Output

$ ./moddable/build/bin/lin/debug/xst poc.js
Error: Test failed
AddressSanitizer:DEADLYSIGNAL
=================================================================
==50961==ERROR: AddressSanitizer: SEGV on unknown address 0x000000dfee60 (pc 0x000000dfee60 bp 0x7ffe67452190 sp 0x7ffe67452088 T0)
==50961==The signal is caused by a READ memory access.
==50961==Hint: PC is at a non-executable region. Maybe a wild jump?
    #0 0xdfee5f in _fini (/usr/local/bin/xst+0xdfee5f)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/local/bin/xst+0xdfee5f) in _fini
==50961==ABORTING

Credits: Found by OWL337 team.

@phoddie (Collaborator) commented Jan 8, 2022

Thank you for the report!

The crash occurs after the test exits. The call to fxDeleteMachine crashes when it calls the destructor of the timer created by setInterval.

/* fxDeleteMachine: walk the slot heap and run the destructor of every host object */
while (bSlot < cSlot) {
	if ((bSlot->kind == XS_HOST_KIND) && (bSlot->value.host.variant.destructor)) {
		if (bSlot->flag & XS_HOST_HOOKS_FLAG) {
			if (bSlot->value.host.variant.hooks->destructor)
				(*(bSlot->value.host.variant.hooks->destructor))(bSlot->value.host.data);
		}
		else
			(*(bSlot->value.host.variant.destructor))(bSlot->value.host.data);
	}
	bSlot++;
}

This may be a bug in the xst tool rather than the XS engine. Either way, we’ll fix that so it doesn’t get in the way of testing.
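As an added triage helper, not part of this issue or of the Moddable project: a Python parser for the AddressSanitizer report above that extracts the fields a triager needs and flags the signature ASan itself hints at, a SEGV whose faulting address equals the program counter, meaning the crash is control flow going through a bad pointer rather than a bad data access. The sample report is a reflowed copy of the output posted above.

```python
import re

# Constructed sample: the AddressSanitizer output from the issue above, one record per line.
SAMPLE_REPORT = """\
Error: Test failed
AddressSanitizer:DEADLYSIGNAL
=================================================================
==50961==ERROR: AddressSanitizer: SEGV on unknown address 0x000000dfee60 (pc 0x000000dfee60 bp 0x7ffe67452190 sp 0x7ffe67452088 T0)
==50961==The signal is caused by a READ memory access.
==50961==Hint: PC is at a non-executable region. Maybe a wild jump?
    #0 0xdfee5f in _fini (/usr/local/bin/xst+0xdfee5f)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/local/bin/xst+0xdfee5f) in _fini
==50961==ABORTING
"""

ERROR_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\w+) on unknown address "
    r"(?P<addr>0x[0-9a-f]+) \(pc (?P<pc>0x[0-9a-f]+) ")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) (?P<pc>0x[0-9a-f]+) in (?P<func>\S+) \((?P<module>[^)+]+)\+(?P<off>0x[0-9a-f]+)\)")


def triage_asan_segv(report: str) -> dict:
    """Pull the key fields out of an ASan SEGV report and classify the fault."""
    info = {"pid": None, "kind": None, "addr": None, "pc": None,
            "access": None, "frames": [], "wild_jump": False}
    for line in report.splitlines():
        m = ERROR_RE.search(line)
        if m:
            info.update(pid=int(m["pid"]), kind=m["kind"],
                        addr=int(m["addr"], 16), pc=int(m["pc"], 16))
            continue
        m = ACCESS_RE.search(line)
        if m:
            info["access"] = m["access"]
            continue
        m = FRAME_RE.match(line)
        if m:
            info["frames"].append((m["func"], m["module"], int(m["off"], 16)))
    # Faulting address == PC means the CPU tried to fetch an instruction from the bad address:
    # execution went through a bad pointer (e.g. a stale or garbage function pointer), not a
    # bad data load. ASan reports it as a READ plus the "non-executable region / wild jump" hint.
    # Frame #0 is then only the symbol nearest the bad PC (here _fini), not the calling function.
    info["wild_jump"] = info["addr"] is not None and info["addr"] == info["pc"]
    return info
```

For the report above the result is a wild jump out of the teardown path, which is why the symbolized frame shows _fini rather than fxDeleteMachine or the timer destructor.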

mkellner pushed a commit that referenced this issue on Jan 17, 2022
