
Segmentation Fault in getprop_builtin_foreign #254

Open
pip-izony opened this issue Nov 23, 2023 · 1 comment


pip-izony commented Nov 23, 2023

Environment

Ubuntu 22.04.3 LTS

Compiler

clang version 11.0.0
Target: x86_64-unknown-linux-gnu
Thread model: posix

Affected Version

mjs 2.20.0

Steps to reproduce

cd mjs 
git checkout b1b6eac6b1e5b830a5cb14f8f4dc690ef3162551 
export LDFLAGS="-lpthread -latomic" 
./afl-clang -DMJS_MAIN mjs.c -fno-inline -ldl -o mjs-bin -fsanitize=address -g 
./mjs-bin -f PoCfile 

Contents of PoCfile

die[8888888888]

Expected behavior

Print error or warning messages handled within mjs.

Current behavior

AddressSanitizer:DEADLYSIGNAL 
================================================================= 
==203500==ERROR: AddressSanitizer: SEGV on unknown address 0x000012239818 (pc 0x000000555e16 bp 0x7ffd2723c930 sp 0x7ffd2723c860 T0) 
==203500==The signal is caused by a READ memory access. 
    #0 0x555e16 in getprop_builtin_foreign /mjs/mjs.c:8472:31 
    #1 0x55392c in getprop_builtin /mjs/mjs.c:8509:17 
    #2 0x527c8e in mjs_execute /mjs/mjs.c:8661:14 
    #3 0x523d0c in mjs_exec_internal /mjs/mjs.c:9044:5 
    #4 0x5240a7 in mjs_exec_file /mjs/mjs.c:9067:11 
    #5 0x52c77d in main /mjs/mjs.c:11406:13 
    #6 0x7f39b8195082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16 
    #7 0x41c3bd in _start (/mjs/mjs-bin+0x41c3bd) 
AddressSanitizer can not provide additional info. 
SUMMARY: AddressSanitizer: SEGV /mjs/mjs.c:8472:31 in getprop_builtin_foreign 
==203500==ABORTING 

Conclusion

The bug was triggered due to an attempt to access memory locations that are restricted when the input string contains Built-in APIs.
This report specifically covers the case where the input string contained the substring "die" (input string: "die[8888888888]"). The presence of "die[8888888888]" within the input string led to a segmentation fault, as it incorrectly identified an inaccessible address of the Built-in APIs as an accessible foreign pointer. Upon further testing with other Built-in APIs, it was discovered that the issue applies to all of the Built-in APIs mentioned in the README.md documentation.

I will submit a Pull Request to address this issue.
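Worked model of the bug class the report describes, added here for this page; it is not mjs's code and not the author's fix. It assumes a value representation in which a builtin such as `die` is stored as a "foreign" value wrapping a C function pointer and in which any foreign value can be byte-indexed (`foreign[i]`), which is the confusion the conclusion above points at; the names `val_t`, `getprop_foreign_vuln`, `getprop_foreign_safe`, `vuln_read_address` and the sample buffer are made up for the example. In this model `getprop_foreign_vuln` never asks whether a foreign value wraps data or code, so `die[8888888888]` reads from a code address plus a script-chosen offset; a small offset would succeed and hand the script bytes of the binary's text, and the SEGV in the trace is only the offset large enough to leave mapped memory. `getprop_foreign_safe` refuses to index function-valued foreigns and bounds-checks data-valued ones. `vuln_read_address` computes the address the vulnerable read would touch without performing it, so the example runs without crashing. One observation from the numbers in the trace, not something the report states: the faulting address 0x12239818 minus the low 32 bits of 8888888888 (0x11d1ae38) is 0x51e9e0, which sits in the same range as the code addresses in the backtrace, consistent with the index being truncated to 32 bits and added to a code pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical value representation for this example (not mjs's): a "foreign"
 * value wraps a raw host address.  Builtins are stored as foreign values that
 * wrap a C function pointer, which is the confusion the report describes. */
typedef struct {
  enum { V_NUMBER, V_FOREIGN } tag;
  uintptr_t payload; /* number, or the host address for V_FOREIGN */
  size_t len;        /* readable bytes behind a data foreign; 0 for a function */
  int is_func;       /* 1 when the foreign wraps a C function (a builtin) */
} val_t;

enum { RC_TYPE_ERROR = -1, RC_RANGE_ERROR = -2 };

static val_t mk_foreign_data(const void *p, size_t len) {
  val_t v = { V_FOREIGN, (uintptr_t)p, len, 0 };
  return v;
}

static val_t mk_foreign_func(void (*fn)(void)) {
  val_t v = { V_FOREIGN, (uintptr_t)fn, 0, 1 };
  return v;
}

/* Constructed sample data: a host buffer a script may legitimately read, and a
 * stand-in for the `die` builtin. */
static const unsigned char host_buf[] = "host-data";
static void builtin_die(void) {}

static val_t sample_buffer(void) { return mk_foreign_data(host_buf, sizeof host_buf); }
static val_t sample_die(void) { return mk_foreign_func(builtin_die); }

/* Vulnerable pattern: every foreign value is byte-indexable and the index is
 * trusted.  Returns the byte read (0..255) or a negative RC_* code.  Calling
 * this with sample_die() and the PoC index is the crash in the report, so the
 * demo only calls it on the buffer. */
static int getprop_foreign_vuln(val_t obj, uint64_t idx) {
  if (obj.tag != V_FOREIGN) return RC_TYPE_ERROR;
  const unsigned char *p = (const unsigned char *)obj.payload; /* BUG: may be code */
  return p[idx];                                               /* BUG: unbounded */
}

/* The address getprop_foreign_vuln would dereference, computed without
 * touching it, so a wild read can be inspected safely. */
static uintptr_t vuln_read_address(val_t obj, uint64_t idx) {
  return obj.payload + (uintptr_t)idx;
}

/* Hardened pattern: a builtin is not a byte array, and a data foreign is only
 * readable within the length recorded when it was created. */
static int getprop_foreign_safe(val_t obj, uint64_t idx) {
  if (obj.tag != V_FOREIGN || obj.is_func) return RC_TYPE_ERROR;
  if (idx >= obj.len) return RC_RANGE_ERROR;
  return ((const unsigned char *)obj.payload)[idx];
}

int main(void) {
  const uint64_t poc_index = 8888888888ULL; /* the index from the PoC file */
  printf("vuln: die[%llu] would read %#lx\n", (unsigned long long)poc_index,
         (unsigned long)vuln_read_address(sample_die(), poc_index));
  printf("safe: die[%llu] -> %d (type error)\n", (unsigned long long)poc_index,
         getprop_foreign_safe(sample_die(), poc_index));
  printf("safe: buf[0] -> '%c'\n", getprop_foreign_safe(sample_buffer(), 0));
  printf("safe: buf[100] -> %d (range error)\n", getprop_foreign_safe(sample_buffer(), 100));
  printf("vuln: buf[5] -> '%c' (works on a real buffer)\n", getprop_foreign_vuln(sample_buffer(), 5));
  return 0;
}
```

The hardened version needs the length to come from wherever the foreign value was created, which is the real cost of the fix: an engine that hands scripts raw pointers with no recorded size has nothing to bounds-check against, so at minimum builtins must be given a tag that the indexing path rejects.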

pip-izony pushed a commit to pip-izony/mjs that referenced this issue Nov 23, 2023
pip-izony (author) commented

This issue has been assigned CVE-2023-50044
