CVE-2022-30975: [BUG] two null pointer dereferences in mujs-pp · Issue #161 · ccxvii/mujs
In Artifex MuJS through 1.2.0, jsP_dumpsyntax in jsdump.c has a NULL pointer dereference, as demonstrated by mujs-pp.
Hello, I was testing my fuzzer and found several bugs in mujs-pp.
I compiled MuJS's latest commit db110ea on Ubuntu 22 (Docker image) with gcc 11.2.0-19ubuntu1, using the command make build=sanitize.
When parsing an incorrect argument (e.g. ./build/sanitize/mujs-pp -h), a null pointer dereference is triggered. mujs-pp might not check the argument it parsed.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1229272==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f182f7a1cfb bp 0x000000000000 sp 0x7fff2b38aa10 T0)
==1229272==The signal is caused by a READ memory access.
==1229272==Hint: address points to the zero page.
#0 0x7f182f7a1cfb in _IO_fclose (/lib/x86_64-linux-gnu/libc.so.6+0x82cfb)
#1 0x7f182fabee48 in __interceptor_fclose ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6233
#2 0x7f182fabee48 in __interceptor_fclose ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6228
#3 0x55c4ca90b44d in js_ppfile /benchmark/mujs/pp.c:37
#4 0x55c4ca90b985 in main /benchmark/mujs/pp.c:106
#5 0x7f182f74cd8f (/lib/x86_64-linux-gnu/libc.so.6+0x2dd8f)
#6 0x7f182f74ce3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2de3f)
#7 0x55c4ca8a59c4 in _start (/benchmark/mujs/build/sanitize/mujs-pp+0x169c4)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x82cfb) in _IO_fclose
==1229272==ABORTIN
A null pointer dereference in jsP_dumpsyntax is triggered when parsing a crafted JS file by running ./mujs-pp $POC, as shown in the attachment.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1412001==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55faed39dd7e bp 0x7ffe11e19bb0 sp 0x7ffe11e19b90 T0)
==1412001==The signal is caused by a READ memory access.
==1412001==Hint: address points to the zero page.
#0 0x55faed39dd7e in jsP_dumpsyntax /benchmark/mujs/jsdump.c:685
#1 0x55faed3ea327 in js_ppstring /benchmark/mujs/pp.c:24
#2 0x55faed3ea704 in js_ppfile /benchmark/mujs/pp.c:77
#3 0x55faed3ea985 in main /benchmark/mujs/pp.c:106
#4 0x7f5c97280d8f (/lib/x86_64-linux-gnu/libc.so.6+0x2dd8f)
#5 0x7f5c97280e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2de3f)
#6 0x55faed3849c4 in _start (/benchmark/mujs/build/sanitize/mujs-pp+0x169c4)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /benchmark/mujs/jsdump.c:685 in jsP_dumpsyntax
==1412001==ABORTING
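A defender-side check for the first crash, as an added example and not code from the MuJS project: the reader below returns NULL when fopen() fails (as it does for a non-file argument such as -h) instead of ever reaching fclose() with a NULL FILE*; the function names, paths and sample source are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened file reader for a pp-like tool (added example, not
 * MuJS's js_ppfile). The first trace above reaches fclose() with a NULL
 * FILE* after fopen() fails; here every failure path returns NULL first. */
static char *read_whole_file(const char *path)
{
	FILE *f = fopen(path, "rb");
	char *buf; long n;
	if (!f)
		return NULL;  /* errno is left set by fopen(); no fclose(NULL) */
	if (fseek(f, 0, SEEK_END) != 0 || (n = ftell(f)) < 0) {
		fclose(f);
		return NULL;
	}
	rewind(f);
	buf = malloc((size_t)n + 1);
	if (!buf || fread(buf, 1, (size_t)n, f) != (size_t)n) {
		free(buf);
		fclose(f);
		return NULL;
	}
	fclose(f);
	buf[n] = '\0';
	return buf;
}

/* Writes constructed sample source to path; used only by the check below. */
static int write_sample(const char *path, const char *text)
{
	FILE *f = fopen(path, "wb");
	if (!f)
		return -1;
	fputs(text, f);
	return fclose(f);
}

/* 1 if text written to path is read back byte-for-byte, else 0. */
static int sample_roundtrip(const char *path, const char *text)
{
	char *s = write_sample(path, text) == 0 ? read_whole_file(path) : NULL;
	int ok = s != NULL && strcmp(s, text) == 0;
	free(s);
	return ok;
}
```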