CVE-2022-30975: [BUG] two null pointer deference mujs-pp · Issue #161 · ccxvii/mujs

In Artifex MuJS through 1.2.0, jsP_dumpsyntax in jsdump.c has a NULL pointer dereference, as demonstrated by mujs-pp.


Hello, I was testing my fuzzer and found several bugs in mujs-pp.

I compiled mujs's latest commit db110ea on Ubuntu 22 (Docker image) with gcc 11.2.0-19ubuntu1, using the command make build=sanitize.

When parsing an incorrect argument (e.g. ./build/sanitize/mujs-pp -h), a null pointer dereference will be triggered. mujs-pp might not check the argument it parsed.

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1229272==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f182f7a1cfb bp 0x000000000000 sp 0x7fff2b38aa10 T0)
==1229272==The signal is caused by a READ memory access.
==1229272==Hint: address points to the zero page.
    #0 0x7f182f7a1cfb in _IO_fclose (/lib/x86_64-linux-gnu/libc.so.6+0x82cfb)
    #1 0x7f182fabee48 in __interceptor_fclose ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6233
    #2 0x7f182fabee48 in __interceptor_fclose ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6228
    #3 0x55c4ca90b44d in js_ppfile /benchmark/mujs/pp.c:37
    #4 0x55c4ca90b985 in main /benchmark/mujs/pp.c:106
    #5 0x7f182f74cd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x2dd8f)
    #6 0x7f182f74ce3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2de3f)
    #7 0x55c4ca8a59c4 in _start (/benchmark/mujs/build/sanitize/mujs-pp+0x169c4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x82cfb) in _IO_fclose
==1229272==ABORTING

A null pointer dereference in jsP_dumpsyntax will be triggered when parsing a crafted js file, when running ./mujs-pp $POC, as shown in the attachment.

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1412001==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55faed39dd7e bp 0x7ffe11e19bb0 sp 0x7ffe11e19b90 T0)
==1412001==The signal is caused by a READ memory access.
==1412001==Hint: address points to the zero page.
    #0 0x55faed39dd7e in jsP_dumpsyntax /benchmark/mujs/jsdump.c:685
    #1 0x55faed3ea327 in js_ppstring /benchmark/mujs/pp.c:24
    #2 0x55faed3ea704 in js_ppfile /benchmark/mujs/pp.c:77
    #3 0x55faed3ea985 in main /benchmark/mujs/pp.c:106
    #4 0x7f5c97280d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x2dd8f)
    #5 0x7f5c97280e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2de3f)
    #6 0x55faed3849c4 in _start (/benchmark/mujs/build/sanitize/mujs-pp+0x169c4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /benchmark/mujs/jsdump.c:685 in jsP_dumpsyntax
==1412001==ABORTING
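
The first trace ends in fclose() with a NULL FILE*, consistent with the reporter's point that the argument "-h" was handed to fopen() and the result never checked. As an added example, not code from mujs or the issue, the hypothetical pp_read_file() below reads a source file the way such a pretty-printer front end would while failing closed at every step: option-like arguments, a failed fopen(), read errors, and fclose() itself.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a pretty-printer's file entry point.
 * Reads the whole file at `path` into a NUL-terminated heap buffer.
 * Returns 0 on success (caller frees *out), -1 on any failure; *out
 * and *len are always defined on return, so callers cannot use junk. */
int pp_read_file(const char *path, char **out, size_t *len)
{
    FILE *f;
    char *buf = NULL, *tmp;
    size_t cap = 0, n = 0, got;

    *out = NULL;
    *len = 0;
    /* Anything option-like ("-h") is not a file name: report, don't open. */
    if (path == NULL || path[0] == '-') {
        fprintf(stderr, "usage: pp <file.js> (got %s)\n", path ? path : "(null)");
        return -1;
    }
    /* The check the crash on this page lacks: fopen() may return NULL. */
    f = fopen(path, "rb");
    if (f == NULL) {
        fprintf(stderr, "cannot open %s: %s\n", path, strerror(errno));
        return -1;
    }
    do {
        if (n + 4096 + 1 > cap) {           /* grow before each chunk */
            cap = cap ? cap * 2 : 8192;
            tmp = realloc(buf, cap);
            if (tmp == NULL) { free(buf); fclose(f); return -1; }
            buf = tmp;
        }
        got = fread(buf + n, 1, 4096, f);
        n += got;
    } while (got > 0);
    if (ferror(f)) { free(buf); fclose(f); return -1; }
    if (fclose(f) != 0) { free(buf); return -1; }  /* only ever on a valid FILE* */
    buf[n] = '\0';
    *out = buf;
    *len = n;
    return 0;
}
```

A caller such as main() should treat a -1 return as a usage or I/O error and exit non-zero instead of continuing to the parser.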

Related news

Gentoo Linux Security Advisory 202405-06

Gentoo Linux Security Advisory 202405-6 - Multiple vulnerabilities have been discovered in mujs, the worst of which could lead to remote code execution. Versions greater than or equal to 1.3.2 are affected.

Debian Security Advisory 5291-1

Debian Linux Security Advisory 5291-1 - Multiple security issues were discovered in MuJS, a lightweight JavaScript interpreter, which could result in denial of service and potentially the execution of arbitrary code.
