Heap-based Buffer Overflow Vulnerability #175
Comments
So, the problem seems to be in allowing unary.
This segfaults in the mjs_builtin call, presumably; not sure what the correct behavior should be here, fwiw if you
How do you fuzz js code? How do you mutate and generate valid js code?
It's compiled by afl-gcc and processed by afl. Generating the valid js code is not the point; the flaw causes a denial-of-service (and potentially code execution) due to a heap buffer overflow which can be triggered via a crafted js file.
You are telling me that the crashing PoC .js file is generated by AFL? I thought it's some grammar fuzzing or something like that.
Built: Jun 30 2021
Details: heap-based buffer overflow mjs.c:7617 in mjs_set_errorf
Command: ./mjs -f Heap_Buffer_Overflow.js
Result:
==2419050==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000178 at pc 0x55555557f3ed bp 0x7fffffffcf40 sp 0x7fffffffcf30
READ of size 8 at 0x604000000178 thread T0
#0 0x55555557f3ec in mjs_set_errorf /home/constantine/mjs/mjs.c:7617
#1 0x555555598395 in parse_literal /home/constantine/mjs/mjs.c:12166
#2 0x55555559861b in parse_call_dot_mem /home/constantine/mjs/mjs.c:12175
#3 0x5555555990d3 in parse_postfix /home/constantine/mjs/mjs.c:12209
#4 0x55555559932c in parse_unary /home/constantine/mjs/mjs.c:12228
#5 0x5555555995d1 in parse_mul_div_rem /home/constantine/mjs/mjs.c:12241
#6 0x555555599ba8 in parse_plus_minus /home/constantine/mjs/mjs.c:12246
#7 0x55555559a1c1 in parse_shifts /home/constantine/mjs/mjs.c:12251
#8 0x55555559a648 in parse_comparison /home/constantine/mjs/mjs.c:12255
#9 0x55555559a9bb in parse_equality /home/constantine/mjs/mjs.c:12259
#10 0x55555559ae46 in parse_bitwise_and /home/constantine/mjs/mjs.c:12264
#11 0x55555559b3ec in parse_bitwise_xor /home/constantine/mjs/mjs.c:12269
#12 0x55555559b992 in parse_bitwise_or /home/constantine/mjs/mjs.c:12274
#13 0x55555559bf38 in parse_logical_and /home/constantine/mjs/mjs.c:12279
#14 0x55555559c4de in parse_logical_or /home/constantine/mjs/mjs.c:12284
#15 0x7fffffffdc0f ([stack]+0x1fc0f)
Address 0x604000000178 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/constantine/mjs/mjs.c:7617 in mjs_set_errorf
Shadow bytes around the buggy address:
0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff8000: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2419050==ABORTING
PoC: Heap_Buffer_Overflow.js.tar.gz
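The report above is the raw artefact a triager gets back from an ASan-instrumented build driven by AFL. As an added example (not part of this issue and not mjs code), here is a small Python parser that turns such a report into a structured record, recovers the route through the expression parser that the frames show (parse_logical_or down through parse_unary to parse_literal, then into mjs_set_errorf), and applies a couple of first-pass triage heuristics. The sample text is the trace quoted above with the shadow-byte dump omitted; the function names, the dataclass layout and the READ/WRITE priority heuristic are this example's own assumptions, not an ASan feature.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the ASan trace quoted in the issue, minus the shadow-byte dump.
SAMPLE_REPORT = """\
==2419050==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000178 at pc 0x55555557f3ed bp 0x7fffffffcf40 sp 0x7fffffffcf30
READ of size 8 at 0x604000000178 thread T0
    #0 0x55555557f3ec in mjs_set_errorf /home/constantine/mjs/mjs.c:7617
    #1 0x555555598395 in parse_literal /home/constantine/mjs/mjs.c:12166
    #2 0x55555559861b in parse_call_dot_mem /home/constantine/mjs/mjs.c:12175
    #3 0x5555555990d3 in parse_postfix /home/constantine/mjs/mjs.c:12209
    #4 0x55555559932c in parse_unary /home/constantine/mjs/mjs.c:12228
    #5 0x5555555995d1 in parse_mul_div_rem /home/constantine/mjs/mjs.c:12241
    #6 0x555555599ba8 in parse_plus_minus /home/constantine/mjs/mjs.c:12246
    #7 0x55555559a1c1 in parse_shifts /home/constantine/mjs/mjs.c:12251
    #8 0x55555559a648 in parse_comparison /home/constantine/mjs/mjs.c:12255
    #9 0x55555559a9bb in parse_equality /home/constantine/mjs/mjs.c:12259
    #10 0x55555559ae46 in parse_bitwise_and /home/constantine/mjs/mjs.c:12264
    #11 0x55555559b3ec in parse_bitwise_xor /home/constantine/mjs/mjs.c:12269
    #12 0x55555559b992 in parse_bitwise_or /home/constantine/mjs/mjs.c:12274
    #13 0x55555559bf38 in parse_logical_and /home/constantine/mjs/mjs.c:12279
    #14 0x55555559c4de in parse_logical_or /home/constantine/mjs/mjs.c:12284
    #15 0x7fffffffdc0f ([stack]+0x1fc0f)
Address 0x604000000178 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/constantine/mjs/mjs.c:7617 in mjs_set_errorf
==2419050==ABORTING
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread T\d+")
SYM_FRAME_RE = re.compile(r"^#(\d+) (0x[0-9a-f]+) in (\S+) ([^:\s]+):(\d+)")
RAW_FRAME_RE = re.compile(r"^#(\d+) (0x[0-9a-f]+) \(([^)]+)\)")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: [\w-]+ (\S+) in \S+")

@dataclass
class Frame:
    index: int
    pc: int
    func: Optional[str]  # None when ASan could not symbolize the frame
    file: Optional[str]  # source file, or the module/region of a raw frame
    line: Optional[int]

@dataclass
class AsanReport:
    pid: int
    kind: str  # e.g. "heap-buffer-overflow"
    address: int
    access: Optional[str] = None  # "READ" or "WRITE"
    size: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)
    wild_pointer: bool = False
    summary_location: Optional[str] = None

def parse_asan_report(text: str) -> AsanReport:
    """Parse one ASan report; anything before the ERROR header is ignored."""
    report = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            report = AsanReport(pid=int(m[1]), kind=m[2], address=int(m[3], 16))
        elif report is None:
            continue  # program output or fuzzer chatter before the report
        elif m := ACCESS_RE.match(line):
            report.access, report.size = m[1], int(m[2])
        elif m := SYM_FRAME_RE.match(line):
            report.frames.append(Frame(int(m[1]), int(m[2], 16), m[3], m[4], int(m[5])))
        elif m := RAW_FRAME_RE.match(line):
            report.frames.append(Frame(int(m[1]), int(m[2], 16), None, m[3], None))
        elif line.endswith("is a wild pointer."):
            report.wild_pointer = True  # address belongs to no allocation ASan knows
        elif m := SUMMARY_RE.match(line):
            report.summary_location = m[1]
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report

def parser_path(report: AsanReport, prefix: str = "parse_") -> List[str]:
    """Frames whose function starts with prefix, outermost caller first."""
    return [f.func for f in reversed(report.frames) if f.func and f.func.startswith(prefix)]

def triage(report: AsanReport) -> dict:
    """Heuristic first pass (this example's own rule): a WRITE is a stronger
    sign of a corruption primitive than a READ, so it gets the higher priority."""
    site = report.frames[0] if report.frames else None
    return {
        "kind": report.kind,
        "access": f"{report.access} of {report.size} bytes" if report.access else None,
        "crash_function": site.func if site else None,
        "crash_location": f"{site.file}:{site.line}" if site and site.line else None,
        "wild_pointer": report.wild_pointer,
        "priority": "high" if report.access == "WRITE" else "medium",
        "parser_entry": (parser_path(report) or [None])[0],
    }

if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(triage(rep))
    print(" -> ".join(parser_path(rep)))
```

Running the module prints the triage record and the parser route; the same parser can be pointed at the crash logs AFL leaves in its output directory to deduplicate findings by crash location rather than by input file.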