Heap-based Buffer Overflow Vulnerability #175
Comments
|
so, the problem seems to be in allowing unary this segfaults in mjs_builtin call, presumably not sure what the correct behavior should be here, fwiw if you |
|
How do you fuzz js code? how do you mutate and generate valid js code? |
It's compiled by afl-gcc and processed by afl. Generating the the valid js code is not the point, the flaw causes a denial-of-service (and potentially code execution) due to a heap buffer overflow which can be triggered via a crafted js file. |
|
You are telling me that the crashing poc .js file is generated by AFL? I thought it's some grammer fuzzing or something like that |
Built:
Jun 30 2021
Details:
heap-based buffer overflow mjs.c:7617 in mjs_set_errorf
Command:
./mjs -f Heap_Buffer_Overflow.js
Result:
==2419050==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000178 at pc 0x55555557f3ed bp 0x7fffffffcf40 sp 0x7fffffffcf30
READ of size 8 at 0x604000000178 thread T0
#0 0x55555557f3ec in mjs_set_errorf /home/constantine/mjs/mjs.c:7617
#1 0x555555598395 in parse_literal /home/constantine/mjs/mjs.c:12166
#2 0x55555559861b in parse_call_dot_mem /home/constantine/mjs/mjs.c:12175
#3 0x5555555990d3 in parse_postfix /home/constantine/mjs/mjs.c:12209
#4 0x55555559932c in parse_unary /home/constantine/mjs/mjs.c:12228
#5 0x5555555995d1 in parse_mul_div_rem /home/constantine/mjs/mjs.c:12241
#6 0x555555599ba8 in parse_plus_minus /home/constantine/mjs/mjs.c:12246
#7 0x55555559a1c1 in parse_shifts /home/constantine/mjs/mjs.c:12251
#8 0x55555559a648 in parse_comparison /home/constantine/mjs/mjs.c:12255
#9 0x55555559a9bb in parse_equality /home/constantine/mjs/mjs.c:12259
#10 0x55555559ae46 in parse_bitwise_and /home/constantine/mjs/mjs.c:12264
#11 0x55555559b3ec in parse_bitwise_xor /home/constantine/mjs/mjs.c:12269
#12 0x55555559b992 in parse_bitwise_or /home/constantine/mjs/mjs.c:12274
#13 0x55555559bf38 in parse_logical_and /home/constantine/mjs/mjs.c:12279
#14 0x55555559c4de in parse_logical_or /home/constantine/mjs/mjs.c:12284
#15 0x7fffffffdc0f ([stack]+0x1fc0f)
Address 0x604000000178 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/constantine/mjs/mjs.c:7617 in mjs_set_errorf
Shadow bytes around the buggy address:
0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff8000: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2419050==ABORTING
PoC:
Heap_Buffer_Overflow.js.tar.gz
The text was updated successfully, but these errors were encountered: