Security: NULL word of bytecode.literal leads to heap memory corruption, resulting in an OOB write. #2008
Labels: bug, Undesired behaviour

Comments
Thanks for reporting. v1.0 is quite old though (dated Sep 2016). The bug is not reproducible on latest master anymore.
akosthekiss added a commit to akosthekiss/jerryscript that referenced this issue on Oct 30, 2017:
The issue was reported against v1.0 and isn't reproducible anymore. Still, adding the then-faulty input to the regression test suite to prevent it occurring again. JerryScript-DCO-1.0-Signed-off-by: Akos Kiss akiss@inf.u-szeged.hu
dbatyai pushed a commit that referenced this issue on Oct 30, 2017
pmarcinkiew pushed a commit to pmarcinkiew/jerryscript that referenced this issue on Oct 30, 2017:
…project#2066) The issue was reported against v1.0 and isn't reproducible anymore. Still, adding the then-faulty input to the regression test suite to prevent it occurring again. JerryScript-DCO-1.0-Signed-off-by: Akos Kiss akiss@inf.u-szeged.hu
#2066 is merged, added the test case to the regression test suite. Fix was not needed (anymore). Closing.
pmarcinkiew pushed a commit to pmarcinkiew/jerryscript that referenced this issue on Oct 31, 2017:
…project#2066) The issue was reported against v1.0 and isn't reproducible anymore. Still, adding the then-faulty input to the regression test suite to prevent it occurring again. JerryScript-DCO-1.0-Signed-off-by: Akos Kiss akiss@inf.u-szeged.hu
PoC and Crash in release 1.0.0
Assigned as CVE-2017-14749. Credit: ADLab of Venustech.
PoC.js is as follows (hex displayed):
In the first string there is a '\n' (0x0a). This byte could be replaced by '\r' (0x0d) or other bytes, as long as a '\' precedes it. Such bytes make the generated bytecode contain a NULL word (0x00), which leads to a crash, as the following stack trace shows:
Root cause
When processing the strings, the generated bytecode is as follows:
The NULL word in 0x00290000 is one of the bytecode.literal compressed pointers. When the bytecode is executed, the reference to the literal adds 0x10, and jerry_global_heap.next_offset is overwritten because of the compressed pointer. It was referenced twice, so the field was added up to 0x20. This corrupts the index of the free chunk lists.
Potential Risks
With the heap memory corruption, the free chunk lists could be faked. Potentially a local write primitive exists in memory. If jerry is embedded in some host and can execute JS, this vulnerability could result in remote code execution.
Fix Suggestion
Check the code in bytecode generation: the failed literal's compressed pointer should not be a NULL word.
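The mechanism in the report, and the effect of the suggested check, as an added illustration in C. This is not JerryScript's jmem code: the heap layout, the 16-bit compressed-pointer scheme (offset from the heap base shifted by the 8-byte alignment, with value 0 as the NULL word), the `next_offset` field, `literal_t`, and all sizes and sample values are assumptions constructed for the model. It shows why a NULL compressed pointer in the literal table lands on the allocator's own bookkeeping, and how a validation pass before execution stops it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model (assumption, not JerryScript's jmem): a heap addressed by 16-bit
 * compressed pointers. A compressed pointer is the byte offset from the heap
 * base divided by the 8-byte alignment; the value 0 is the NULL word. */
#define HEAP_SIZE 4096
#define ALIGN_LOG 3
typedef uint16_t cpointer_t;
#define CP_NULL ((cpointer_t) 0)

/* Allocator bookkeeping sits at the very start of the heap, so whatever the
 * NULL word decompresses to overlaps it (next_offset stands in for
 * jerry_global_heap.next_offset in the report). */
typedef struct {
  uint32_t next_offset;   /* head of the free chunk list */
  uint32_t pad;
  uint8_t  area[HEAP_SIZE];
} model_heap_t;

/* A literal object as the bytecode refers to it: a counter in the first word. */
typedef struct {
  uint32_t refs;
  char     text[28];
} literal_t;

static model_heap_t heap;

static cpointer_t compress(const void *p) {
  uintptr_t off = (uintptr_t) p - (uintptr_t) &heap;
  return (cpointer_t) (off >> ALIGN_LOG);
}

static void *decompress(cpointer_t cp) {
  return (uint8_t *) &heap + ((uintptr_t) cp << ALIGN_LOG);
}

/* Place one literal object in the heap area at an 8-byte-aligned offset. */
static cpointer_t make_literal(size_t offset, const char *text) {
  literal_t *lit = (literal_t *) &heap.area[offset];
  memset(lit, 0, sizeof *lit);
  strncpy(lit->text, text, sizeof lit->text - 1);
  return compress(lit);
}

/* Interpreter step as the report describes it: each reference to a literal
 * bumps the first word of the object it points to by 0x10. Nothing checks the
 * compressed pointer, so CP_NULL resolves to the heap header. */
static void execute_unchecked(const cpointer_t *literals, size_t count) {
  for (size_t i = 0; i < count; i++) {
    literal_t *lit = (literal_t *) decompress(literals[i]);
    lit->refs += 0x10;
  }
}

/* The report's fix suggestion as a validation pass: returns the index of the
 * first literal whose compressed pointer is the NULL word, or -1 if clean. */
static int find_null_literal(const cpointer_t *literals, size_t count) {
  for (size_t i = 0; i < count; i++) {
    if (literals[i] == CP_NULL) {
      return (int) i;
    }
  }
  return -1;
}

/* Checked variant: refuses to run a table containing a NULL word (returns 0),
 * otherwise executes it and returns 1. */
static int execute_checked(const cpointer_t *literals, size_t count) {
  if (find_null_literal(literals, count) >= 0) {
    return 0;
  }
  execute_unchecked(literals, count);
  return 1;
}

/* Constructed scenario: one valid string literal and the NULL word referenced
 * twice, as in the report. Fills the table and resets the heap. */
static size_t build_scenario(cpointer_t *table) {
  memset(&heap, 0, sizeof heap);
  heap.next_offset = 0x40;            /* constructed free-chunk head */
  table[0] = make_literal(64, "hello");
  table[1] = CP_NULL;
  table[2] = CP_NULL;
  return 3;
}

/* Unchecked run: next_offset ends up 0x40 + 2 * 0x10 = 0x60 (corrupted). */
static uint32_t scenario_unchecked(void) {
  cpointer_t table[3];
  size_t n = build_scenario(table);
  execute_unchecked(table, n);
  return heap.next_offset;
}

/* Checked run: table rejected, next_offset stays 0x40. */
static int scenario_checked(void) {
  cpointer_t table[3];
  size_t n = build_scenario(table);
  return execute_checked(table, n);
}
```

The point of the model is the decompression step: because a compressed pointer of 0 is also a valid-looking offset, the interpreter has no way to tell a missing literal from an object at the heap base, so the check has to happen where the literal table is produced or loaded, before any reference is resolved.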