New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 1 comment

Comments

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

export CFLAGS=’-fsanitize=address’ make

Test case

assert(newObj.hasOwnProperty(“prop”)).throws(SyntaxError, function () { eval(“’use strict’; function _13_0_7_fun() {eval = 42;};”); _13_0_7_fun(); });

​

Execution steps & Output

$ ./jsish/jsish poc.js

========ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000028f8 at pc 0x55bcbd952990 bp 0x7ffd837e9530 sp 0x7ffd837e9520 READ of size 8 at 0x6250000028f8 thread T0 #0 0x55bcbd95298f in jsiEvalCodeSub src/jsiEval.c:1366 #1 0x55bcbd95c15e in jsi_evalcode src/jsiEval.c:2204 #2 0x55bcbd960274 in jsi_evalStrFile src/jsiEval.c:2665 #3 0x55bcbd64f66a in Jsi_Main src/jsiInterp.c:936 #4 0x55bcbde5403a in jsi_main src/main.c:47 #5 0x7f3599d46bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #6 0x55bcbd5e3969 in _start (/usr/local/bin/jsish+0xe8969)

0x6250000028f8 is located 8 bytes to the left of 8192-byte region [0x625000002900,0x625000004900) allocated by thread T0 here: #0 0x7f359a9b5f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30) #1 0x55bcbd654972 in Jsi_Realloc src/jsiUtils.c:47

SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiEval.c:1366 in jsiEvalCodeSub Shadow bytes around the buggy address: 0x0c4a7fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c4a7fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa] 0x0c4a7fff8520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ========ABORTING

Credits: Found by OWL337 team.

This issue may have a correlation with #56, but I’m not for sure.

1 participant