AddressSanitizer: heap-buffer-overflow on address 0x60600000eff5 at pc 0x00000040a9e2 bp 0x7fff0c2e8de0 sp 0x7fff0c2e8dd0

[joanxqdeng]

Here are 3 ERROR。

ERROR 1:
./id:000007,sig:06,src:003011,op:havoc,rep:8
mjs.out: mjs.c:10530: get_cb_impl_by_signature: Assertion `userdata_idx > 0' failed.
run_crashes.sh: line 29: 2327 Aborted (core dumped) ../../../../target/mjs/mjs.out $line
poc1.txt

ERROR 2
./id:000019,sig:06,src:002654,op:havoc,rep:2
mjs.out: mjs.c:12088: frozen_cb: Assertion `ctx->frame == NULL' failed.
run_crashes.sh: line 29: 2523 Aborted (core dumped) ../../../../target/mjs/mjs.out $line
poc2.txt

ERROR 3
./id:000000,sig:06,src:000006,op:havoc,rep:2

==2619==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000eff5 at pc 0x00000040a9e2 bp 0x7fff0c2e8de0 sp 0x7fff0c2e8dd0
READ of size 1 at 0x60600000eff5 thread T0
#0 0x40a9e1 in json_get_escape_len /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5834
#1 0x40a9e1 in json_parse_string /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5894
#2 0x410366 in json_parse_string /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5814
#3 0x410366 in json_parse_value /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5993
#4 0x413683 in json_parse_pair /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:6058
#5 0x413683 in json_parse_object /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:6070
#6 0x413683 in json_parse_value /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5996
#7 0x44ac53 in json_doit /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:6083
#8 0x44ac53 in json_walk /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:6466
#9 0x46f3a0 in mjs_json_parse /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:12132
#10 0x46f3a0 in mjs_op_json_parse /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:12192
#11 0x496f16 in mjs_execute /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:9647
#12 0x49b9b7 in mjs_exec_internal /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:9865
#13 0x40340b in mjs_exec_file /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:9888
#14 0x40340b in main /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:12244
#15 0x7f96c168382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#16 0x403bb8 in _start (/home/joanking/abs/MemLock/tool/target/mjs/mjs.out+0x403bb8)

0x60600000eff5 is located 0 bytes to the right of 53-byte region [0x60600000efc0,0x60600000eff5)
allocated by thread T0 here:
#0 0x7f96c1cc9602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x46f370 in mjs_json_parse /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:12130
#2 0x46f370 in mjs_op_json_parse /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:12192
#3 0x46ee6f (/home/joanking/abs/MemLock/tool/target/mjs/mjs.out+0x46ee6f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5834 json_get_escape_len
Shadow bytes around the buggy address:
0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9df0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00[05]fa
0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==2619==ABORTING
poc3.txt