XS: Heap-Buffer-Overflow #235
Comments
Thank you for the report. We'll take a look.

Hello, could you help me to request a CVE ID for this vulnerability? I have tried to submit it at https://cveform.mitre.org/, but they didn't respond to me. Maybe it will be different for you. As a PhD student, I really need some CVE IDs to prove the effectiveness of my work. Thank you very much.

Hi, can you confirm this vulnerability? I can give more details about how to repeat this vulnerability if you need.

@sunlili - Thanks for the report. Apologies for being slow to reply. We will make some time to investigate this issue. Would you answer one question to help us with that? There are two common ways to run XS and it is not clear from the report which you used. In some cases, an issue will be present in one of these runtime environments but not the other. Are you using Regard CVE, we have used that for XS vulnerabilities and so are unfamiliar with their administrative process. I'm not sure re-reporting the same issue will help. If there is a step we should take to help move your CVE ID report ahead, please let me know.

Oops - I just noticed that in your report you mention
Here are the details to reproduce the vulnerability.
Then, you will get the binary of xst, which is instrumented with AddressSanitizer, under "~/moddable-public/build/bin/lin/debug".

Hi, heap overflow is a serious vulnerability. It can be exploited to read and write arbitrary process memory and hijack the control flow, so you should fix the vulnerability as soon as possible.

Hello. '$ xst -s ./crash.js If I run xsbug first, and use the debug version of xst, then xsbug reports a '$ xsbug & I note no output from AddressSanitizer in either case.
Yes, this can be a serious vulnerability in some circumstances. But only when the host is open to running arbitrary scripts. That is the case in a browser. The current deployments using XS are sealed systems, often without a script interpreter. As such, they are immune to such an exploit. That said, we take such reports seriously. Unfortunately, we have been unable to reproduce this report on macOS or Linux when using the Address Sanitizer.

I downloaded the latest XS source code, which is version 9.0.1, and the crash indeed cannot be reproduced any more. It seems like the vulnerability has been fixed in the new version. That's great!

Hello,
We found a heap-buffer-overflow vulnerability in XS 9.0.0, which is reported by Address Sanitizer. We compiled and ran xs on Linux 64.
The simplified js code:
Output of executing './xst -s crash.js'
According to the report, fxBeginHost() accesses memory which should not be allowed. You can get the report too if you compile XS with the -fsanitize option and then just run xst with the js.
Modify xs/makefiles/lin/xst.mk, add " -fsanitize=address" to C_OPTIONS (line 61) and LINK_OPTIONS (line 68), then make it, and you will get the xst in /lin/debug which has been instrumented with AddressSanitizer.
Built-in Security Lab
2019.7.25