
AddressSanitizer: heap-buffer-overflow on address 0x60600000eff5 at pc 0x00000040a9e2 bp 0x7fff0c2e8de0 sp 0x7fff0c2e8dd0 #150

Open
joanxqdeng opened this issue Apr 28, 2020 · 0 comments


Here are 3 errors.

ERROR 1:
./id:000007,sig:06,src:003011,op:havoc,rep:8
mjs.out: mjs.c:10530: get_cb_impl_by_signature: Assertion `userdata_idx > 0' failed.
run_crashes.sh: line 29: 2327 Aborted (core dumped) ../../../../target/mjs/mjs.out $line
poc1.txt

ERROR 2:
./id:000019,sig:06,src:002654,op:havoc,rep:2
mjs.out: mjs.c:12088: frozen_cb: Assertion `ctx->frame == NULL' failed.
run_crashes.sh: line 29: 2523 Aborted (core dumped) ../../../../target/mjs/mjs.out $line
poc2.txt

ERROR 3:
./id:000000,sig:06,src:000006,op:havoc,rep:2

==2619==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000eff5 at pc 0x00000040a9e2 bp 0x7fff0c2e8de0 sp 0x7fff0c2e8dd0
READ of size 1 at 0x60600000eff5 thread T0
#0 0x40a9e1 in json_get_escape_len /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5834
#1 0x40a9e1 in json_parse_string /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5894
#2 0x410366 in json_parse_string /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5814
#3 0x410366 in json_parse_value /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5993
#4 0x413683 in json_parse_pair /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:6058
#5 0x413683 in json_parse_object /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:6070
#6 0x413683 in json_parse_value /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5996
#7 0x44ac53 in json_doit /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:6083
#8 0x44ac53 in json_walk /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:6466
#9 0x46f3a0 in mjs_json_parse /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:12132
#10 0x46f3a0 in mjs_op_json_parse /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:12192
#11 0x496f16 in mjs_execute /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:9647
#12 0x49b9b7 in mjs_exec_internal /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:9865
#13 0x40340b in mjs_exec_file /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:9888
#14 0x40340b in main /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:12244
#15 0x7f96c168382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#16 0x403bb8 in _start (/home/joanking/abs/MemLock/tool/target/mjs/mjs.out+0x403bb8)

0x60600000eff5 is located 0 bytes to the right of 53-byte region [0x60600000efc0,0x60600000eff5)
allocated by thread T0 here:
#0 0x7f96c1cc9602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x46f370 in mjs_json_parse /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:12130
#2 0x46f370 in mjs_op_json_parse /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:12192
#3 0x46ee6f (/home/joanking/abs/MemLock/tool/target/mjs/mjs.out+0x46ee6f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5834 json_get_escape_len
Shadow bytes around the buggy address:
0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9df0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00[05]fa
0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==2619==ABORTING
poc3.txt
