A memory corruption bug in the jswrap_object.c

[l0kihardt]

env

Ubuntu 18.04
Espruino 6ea4c0a

bug

This is a critical bug which will cause memory corruption at last, thus may cause potential remote code execution threat to the users.

It happens at jswrap_object.c:jswrap_function_replacewith:, so if we pass the parameter oldFunc with a null pointer, it may crash. If we provide the oldFunc with another address or another number, it may cause remote code execution.

void jswrap_function_replaceWith(JsVar *oldFunc, JsVar *newFunc) {
  if (!jsvIsFunction(newFunc)) {
    jsExceptionHere(JSET_TYPEERROR, "First argument of replaceWith should be a function - ignoring");
    return;
  }
  // If old was native or vice versa...
  if (jsvIsNativeFunction(oldFunc) != jsvIsNativeFunction(newFunc)) {
    if (jsvIsNativeFunction(newFunc))
      oldFunc->flags |= JSV_NATIVE;
    else
      oldFunc->flags &= ~JSV_NATIVE;
  }
  // If old fn started with 'return' or vice versa...
  if (jsvIsFunctionReturn(oldFunc) != jsvIsFunctionReturn(newFunc)) {
    if (jsvIsFunctionReturn(newFunc))
      oldFunc->flags = (oldFunc->flags&~JSV_VARTYPEMASK) |JSV_FUNCTION_RETURN;
    else
      oldFunc->flags = (oldFunc->flags&~JSV_VARTYPEMASK) |JSV_FUNCTION;
  }

poc

var a "should equal";
for (var i in a)
    a[i]=i;

function test(a,b) {
    return 1;
}

E.mapInPlace.replaceWith.call(a, function(x) {
    return test([].map.call("Hello", function(x) {
        return x + 1;
    }), "H1,e1,l1,l1,o1");
});

[gfwilliams]

Thanks!