$ ./xst poc.js
=================================================================
========ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f86d2bfe7ff at pc 0x5558b4ed93a4 bp 0x7fffebd25aa0 sp 0x7fffebd25a90
READ of size 1 at 0x7f86d2bfe7ff thread T0
#0 0x5558b4ed93a3 in fxUint8Getter /root/moddable/xs/sources/xsDataView.c:2883
#1 0x5558b4e8afbb in fxCompareTypedArrayItem /root/moddable/xs/sources/xsDataView.c:1234
#2 0x5558b4e8e7d9 in fx_TypedArray_prototype_sort /root/moddable/xs/sources/xsDataView.c:2303
#3 0x5558b516fa1d in fxRunID /root/moddable/xs/sources/xsRun.c:842
#4 0x5558b51d642c in fxRunScript /root/moddable/xs/sources/xsRun.c:4766
#5 0x5558b53e48d1 in fxRunProgramFile /root/moddable/xs/tools/xst.c:1387
#6 0x5558b4d1c05e in main /root/moddable/xs/tools/xst.c:281
#7 0x7f86d6cd0bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#8 0x5558b4d1d789 in _start (/root/moddable/build/bin/lin/debug/xst+0x93789)
0x7f86d2bfe7ff is located 1 bytes to the left of 16777248-byte region [0x7f86d2bfe800,0x7f86d3bfe820)
allocated by thread T0 here:
#0 0x7f86d773bb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x5558b50510cd in fxGrowChunks /root/moddable/xs/sources/xsMemory.c:506
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/moddable/xs/sources/xsDataView.c:2883 in fxUint8Getter
Shadow bytes around the buggy address:
0x0ff15a577ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff15a577cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff15a577cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff15a577cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff15a577ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ff15a577cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0ff15a577d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff15a577d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff15a577d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff15a577d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff15a577d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
=======ABORTING
Credits: Found by OWL337 team.
This issue is a duplicate of issue-749 submitted by me, please check it :)
hope-fly changed the title from "Heap-buffer-overflow xs/sources/xsDataView.c:2939 in fxUint32Getter" to "Heap-buffer-overflow xs/sources/xsDataView.c:2883 in fxUint8Getter" on Dec 15, 2021
It appears that the root cause here is the same as #749. The POC here is more clear: the problem happens with a malicious compare function. We'll investigate further.
It should be possible to exploit the same root cause with any TypedArray.
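As an added example (not the project's code, and not necessarily the fix Moddable applied for this issue), the following C model shows the engine-side mitigation for the root cause named above: a user comparator can run arbitrary script while the sort is in progress, so the sort works on a private snapshot and re-reads the backing store before writing back, and a comparator that shrinks or detaches the array can no longer drive a read outside the live buffer. All types, names and sample data are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an engine typed array (not Moddable's structures). */
typedef struct {
    uint8_t *data;   /* NULL once detached */
    size_t length;   /* element count; may shrink while script runs */
} TypedArrayModel;
/* A JS comparator runs arbitrary script, so it may resize/detach the array. */
typedef int (*CompareFn)(TypedArrayModel *ta, uint8_t a, uint8_t b);

/* Sort a private snapshot so the comparator can never steer an index into the
   live store, and re-read data/length before writing back. 0 on success, -1
   if already detached or the snapshot could not be allocated. */
int typed_array_sort_safe(TypedArrayModel *ta, CompareFn cmp)
{
    if (ta->data == NULL) return -1;
    size_t n = ta->length;
    uint8_t *tmp = malloc(n ? n : 1);
    if (tmp == NULL) return -1;
    memcpy(tmp, ta->data, n);
    for (size_t i = 1; i < n; i++) {            /* insertion sort on snapshot */
        uint8_t key = tmp[i]; size_t j = i;
        while (j > 0 && cmp(ta, tmp[j - 1], key) > 0) { tmp[j] = tmp[j - 1]; j--; }
        tmp[j] = key;
    }
    if (ta->data != NULL) {                     /* store may have changed */
        size_t m = ta->length < n ? ta->length : n;
        memcpy(ta->data, tmp, m);
    }
    free(tmp);
    return 0;
}

/* Constructed hostile comparators: one shrinks the store, one detaches it. */
static int shrinking_cmp(TypedArrayModel *ta, uint8_t a, uint8_t b)
{ if (ta->length > 2) ta->length = 2; return (int)a - (int)b; }
static int detaching_cmp(TypedArrayModel *ta, uint8_t a, uint8_t b)
{ ta->data = NULL; return (int)a - (int)b; }

/* Returns 1 if sorting constructed data {5,3,9,1,7} under a hostile comparator
   writes back only the surviving prefix (shrunk) or nothing (detached). */
int demo_hostile_comparator(int detach)
{
    uint8_t store[5] = {5, 3, 9, 1, 7};
    TypedArrayModel ta = { store, 5 };
    if (typed_array_sort_safe(&ta, detach ? detaching_cmp : shrinking_cmp)) return 0;
    if (detach) return ta.data == NULL && store[0] == 5 && store[1] == 3 && store[4] == 7;
    return ta.length == 2 && store[0] == 1 && store[1] == 3 && store[2] == 9;
}
```

The same snapshot-and-revalidate pattern applies to every element type, which is why the comment above notes that any TypedArray shares this root cause.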
Moddable-XS revision
Commit: db8f973
Version: 11.5.0 32 4
Build environment
Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86_64)
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
Test case
Execution & Output: see the AddressSanitizer report at the top of this issue.