
Stack-buffer-overflow src/jsvar.c:910 in jsvNewFromString #2121

Closed
hope-fly opened this issue Dec 21, 2021 · 1 comment

@hope-fly

Espruino revision

Commit: 53108085
Version: 2v11.251

Build environment

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

```sh
export CCFLAGS='-g -fsanitize=address -fno-omit-frame-pointer'
make clean && make
```

Test case

```js
var result = (new Array(64)."a", "b",expected,actual(new Array(64))).concat(["H"]);
var value = result[0];
if (value !== void 0)
    throw "Error" + value;
```

Execution & Output

```sh
./Espruino/espruino poc.js
```

```
=================================================================
=========ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffef778ec61 at pc 0x55e21c41efe8 bp 0x7ffef778eb70 sp 0x7ffef778eb60
READ of size 1 at 0x7ffef778ec61 thread T0
    #0 0x55e21c41efe7 in jsvNewFromString src/jsvar.c:910
    #1 0x55e21c456e0c in jsvAddNamedChild src/jsvar.c:2581
    #2 0x55e21c52d165 in jspeAddNamedFunctionParameter src/jsparse.c:1442
    #3 0x55e21c5540ee in jspeExpressionOrArrowFunction src/jsparse.c:1469
    #4 0x55e21c555c06 in jspeFactor src/jsparse.c:1622
    #5 0x55e21c53891f in jspeFactorFunctionCall src/jsparse.c:1160
    #6 0x55e21c539f38 in jspePostfixExpression src/jsparse.c:1786
    #7 0x55e21c541192 in jspeBinaryExpression src/jsparse.c:1955
    #8 0x55e21c541192 in jspeConditionalExpression src/jsparse.c:1991
    #9 0x55e21c541192 in jspeAssignmentExpression src/jsparse.c:2050
    #10 0x55e21c541192 in jspeStatementVar src/jsparse.c:2165
    #11 0x55e21c54b6d4 in jspeBlockOrStatement src/jsparse.c:2124
    #12 0x55e21c54da1e in jspParse src/jsparse.c:2136
    #13 0x55e21c55c3ea in jspEvaluateVar src/jsparse.c:2996
    #14 0x55e21c55c3ea in jspEvaluate src/jsparse.c:3026
    #15 0x55e21c36c025 in main targets/linux/main.c:460
    #16 0x7fa0f5814bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #17 0x55e21c36fbc9 in _start (/root/Espruino/espruino+0x4ebc9)
Address 0x7ffef778ec61 is located in stack of thread T0 at offset 97 in frame
    #0 0x55e21c52cedf in jspeAddNamedFunctionParameter src/jsparse.c:1437
This frame has 1 object(s):
    [32, 97) 'buf' <== Memory access at offset 97 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow src/jsvar.c:910 in jsvNewFromString
Shadow bytes around the buggy address:
    0x10005eee9d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10005eee9d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10005eee9d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10005eee9d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10005eee9d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x10005eee9d80: f1 f1 f1 f1 00 00 00 00 00 00 00 00[01]f2 f2 f2
    0x10005eee9d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10005eee9da0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
    0x10005eee9db0: 00 00 00 00 00 00 00 f2 00 00 00 00 00 00 00 00
    0x10005eee9dc0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
    0x10005eee9dd0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
=========ABORTING
```

@gfwilliams
Member

Thanks! I believe this is now fixed if you want to check - it was an unterminated string that happened when converting an array to a function parameter.
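The maintainer's diagnosis (an unterminated string) matches the ASan frame above: a 65-byte stack object `buf` ([32, 97)) is read one byte past its end. The following is an added, constructed illustration of that bug class and its fix, not Espruino's code or the actual patch: a fixed-size buffer filled from a longer source without a terminating `'\0'`, next to a variant that reserves space for the terminator, always writes it, and reports truncation. The buffer size (65, taken from the report), the function names `fill_param_unsafe`/`fill_param_safe`/`bounded_len` and the over-long sample input are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example of the bug class behind the ASan report above: a
 * fixed-size stack buffer is filled from a longer source without a
 * terminating '\0', and a later consumer that treats it as a C string reads
 * past the end. Buffer size, names and inputs are assumptions for
 * illustration, not Espruino's code. */

/* 65 bytes, the size of the 'buf' object ASan reports as [32, 97). */
#define PARAM_BUF_SIZE 65

/* Returns 1 if a '\0' exists within the first bufsz bytes of buf, else 0.
 * memchr is bounded, so this check itself never reads past the buffer. */
int is_terminated(const char *buf, size_t bufsz) {
    return memchr(buf, '\0', bufsz) != NULL;
}

/* Unsafe pattern: copies up to bufsz bytes and never writes a terminator.
 * When src fills the whole buffer, any strlen()/string copy on buf afterwards
 * walks past it, which is the "READ of size 1 ... at offset 97" in the report. */
size_t fill_param_unsafe(char *buf, size_t bufsz, const char *src, size_t len) {
    size_t n = len < bufsz ? len : bufsz;  /* truncates but leaves no room for '\0' */
    memcpy(buf, src, n);
    return n;
}

/* Hardened pattern: reserve one byte for the terminator, truncate the payload
 * to bufsz - 1 and always write '\0'. Returns the payload length stored so a
 * caller can detect truncation (n < len) and reject or report it. */
size_t fill_param_safe(char *buf, size_t bufsz, const char *src, size_t len) {
    if (bufsz == 0) return 0;
    size_t n = len < bufsz - 1 ? len : bufsz - 1;
    memcpy(buf, src, n);
    buf[n] = '\0';
    return n;
}

/* Bounded replacement for strlen() on a buffer that might be unterminated:
 * returns min(strlen(buf), bufsz) without reading beyond bufsz. */
size_t bounded_len(const char *buf, size_t bufsz) {
    const char *nul = memchr(buf, '\0', bufsz);
    return nul ? (size_t)(nul - buf) : bufsz;
}

/* Fill the 65-byte buffer from a constructed 73-byte source with the unsafe
 * routine. Returns whether the result is terminated (it is not). */
int demo_unsafe(void) {
    char buf[PARAM_BUF_SIZE];
    char src[PARAM_BUF_SIZE + 8];
    memset(src, 'a', sizeof src);           /* constructed over-long parameter name */
    fill_param_unsafe(buf, sizeof buf, src, sizeof src);
    return is_terminated(buf, sizeof buf);
}

/* Same input through the hardened routine. Returns 1 only if the buffer is
 * terminated and holds exactly PARAM_BUF_SIZE - 1 payload bytes. */
int demo_safe(void) {
    char buf[PARAM_BUF_SIZE];
    char src[PARAM_BUF_SIZE + 8];
    memset(src, 'a', sizeof src);
    size_t n = fill_param_safe(buf, sizeof buf, src, sizeof src);
    return is_terminated(buf, sizeof buf)
        && n == PARAM_BUF_SIZE - 1
        && strlen(buf) == PARAM_BUF_SIZE - 1;
}

int main(void) {
    printf("unsafe fill terminated: %d\n", demo_unsafe());   /* 0 */
    printf("safe fill terminated:   %d\n", demo_safe());     /* 1 */
    return 0;
}
```

The check functions deliberately use `memchr` rather than `strlen`, so that probing an unterminated buffer is itself bounded; built with `-fsanitize=address` as in the report, calling `strlen` on the output of `fill_param_unsafe` would reproduce the same stack-buffer-overflow READ that ASan flagged.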
