Hello, I am shuoz of alpha lab of topsec. I fuzzed njs and found a heap overflow bug.
./njs ./tmp.js
fuzz@fuzz:~/Desktop/fuzzproject/njs/build$ ./njs ./tmp.js
INFO: Seed: 2208882516
INFO: Loaded 1 modules (8780 guards): [0x8a15a0, 0x8a9ed0),
./njs: Running 1 inputs 1 time(s) each.
Running: crash-0c9fced77823aa506239627a5473e8c4bb55ec96
=================================================================
==16711==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000039b at pc 0x0000004dc4e2 bp 0x7ffc117a8770 sp 0x7ffc117a7f20
READ of size 217 at 0x61100000039b thread T0
#0 0x4dc4e1 in __asan_memcpy (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x4dc4e1)
#1 0x521ce2 in nxt_vsprintf /home/fuzz/Desktop/fuzzproject/njs/nxt/nxt_sprintf.c:429:15
#2 0x5ada7b in njs_parser_scope_error /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:2365:9
#3 0x5ada7b in njs_parser_lexer_error /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:2395
#4 0x58ab62 in njs_regexp_literal /home/fuzz/Desktop/fuzzproject/njs/njs/njs_regexp.c:364:5
#5 0x5b55fc in njs_parser_terminal /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_terminal.c:106:17
#6 0x5bcd95 in njs_parser_call_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:748:17
#7 0x5bc19b in njs_parser_post_inc_dec_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:689:13
#8 0x5bc19b in njs_parser_inc_dec_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:649
#9 0x5bc19b in njs_parser_unary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:553
#10 0x5bbb9b in njs_parser_exponential_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:476:13
#11 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
#12 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
#13 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
#14 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
#15 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
#16 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
#17 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
#18 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
#19 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
#20 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
#21 0x5bafec in njs_parser_conditional_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:352:13
#22 0x5bafec in njs_parser_assignment_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:228
#23 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
#24 0x5af3f1 in njs_parser_statement /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:413:21
#25 0x5a9f04 in njs_parser_statement_chain /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:280:13
#26 0x5b3af6 in njs_parser_block_statement /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:465:17
#27 0x5ae2a2 in njs_parser_statement /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:365:16
#28 0x5a9f04 in njs_parser_statement_chain /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:280:13
#29 0x5a940a in njs_parser /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:131:17
#30 0x527ae4 in njs_vm_compile /home/fuzz/Desktop/fuzzproject/njs/njs/njs.c:254:11
#31 0x517338 in njs_process_script /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:780:11
#32 0x516714 in njs_process_file /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:637:11
#33 0x516714 in LLVMFuzzerTestOneInput /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:298
#34 0x6046a4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerLoop.cpp:451:13
#35 0x6048d1 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerLoop.cpp:408:3
#36 0x5fab41 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerDriver.cpp:268:6
#37 0x5fda01 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerDriver.cpp:585:9
#38 0x5fa8c0 in main /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerMain.cpp:20:10
#39 0x7f07973cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#40 0x41d769 in _start (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x41d769)
0x61100000039b is located 0 bytes to the right of 219-byte region [0x6110000002c0,0x61100000039b)
allocated by thread T0 here:
#0 0x4ddaa0 in realloc (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x4ddaa0)
#1 0x516488 in njs_process_file /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:569:20
#2 0x516488 in LLVMFuzzerTestOneInput /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:298
#3 0x6046a4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerLoop.cpp:451:13
#4 0x6048d1 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerLoop.cpp:408:3
#5 0x5fab41 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerDriver.cpp:268:6
#6 0x5fda01 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerDriver.cpp:585:9
#7 0x5fa8c0 in main /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerMain.cpp:20:10
#8 0x7f07973cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x4dc4e1) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c227fff8020: 00 00 00 03 fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8040: 00 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa
0x0c227fff8050: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c227fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8070: 00 00 00[03]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8090: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
0x0c227fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==16711==ABORTING
PoC file: https://github.com/xcainiao/poc/blob/master/tmp.js
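For triaging reports like the one above, the numbers worth pulling out are the access size, the bounds of the allocation it hits, and the first frame that belongs to the project rather than to the sanitizer runtime. The following parser is an added example, not code from this issue or from the njs project: it embeds a trimmed excerpt of the AddressSanitizer output pasted above (frames from #5 onward omitted) and computes from it that the 217-byte READ starts exactly at the end of the 219-byte script buffer that `njs_process_file` reallocated, with `nxt_vsprintf` as the first project frame. The `/fuzzproject/njs/` path marker, the `Frame`/`AsanTriage` types and the function names are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Trimmed excerpt of the AddressSanitizer report pasted in the issue,
# embedded here so the triage runs offline (frames #5 onward omitted).
SAMPLE_REPORT = """\
==16711==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000039b at pc 0x0000004dc4e2 bp 0x7ffc117a8770 sp 0x7ffc117a7f20
READ of size 217 at 0x61100000039b thread T0
    #0 0x4dc4e1 in __asan_memcpy (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x4dc4e1)
    #1 0x521ce2 in nxt_vsprintf /home/fuzz/Desktop/fuzzproject/njs/nxt/nxt_sprintf.c:429:15
    #2 0x5ada7b in njs_parser_scope_error /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:2365:9
    #3 0x5ada7b in njs_parser_lexer_error /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:2395
    #4 0x58ab62 in njs_regexp_literal /home/fuzz/Desktop/fuzzproject/njs/njs/njs_regexp.c:364:5
0x61100000039b is located 0 bytes to the right of 219-byte region [0x6110000002c0,0x61100000039b)
allocated by thread T0 here:
    #0 0x4ddaa0 in realloc (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x4ddaa0)
    #1 0x516488 in njs_process_file /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:569:20
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x4dc4e1) in __asan_memcpy
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
# Function names may contain spaces (C++ signatures), so the function is a lazy
# match and the location is whatever non-space token ends the line.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+)$")
SANITIZER_PREFIXES = ("__asan", "__interceptor", "__sanitizer")


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file.c:line:col" when symbolized, "(binary+offset)" otherwise


@dataclass
class AsanTriage:
    error_kind: str
    access: str        # READ or WRITE
    access_size: int
    access_addr: int
    region_start: Optional[int] = None
    region_end: Optional[int] = None
    access_frames: List[Frame] = field(default_factory=list)   # stack of the bad access
    origin_frames: List[Frame] = field(default_factory=list)   # allocation (or free) stack

    @property
    def region_size(self) -> Optional[int]:
        if self.region_end is None:
            return None
        return self.region_end - self.region_start

    @property
    def bytes_past_end(self) -> Optional[int]:
        """How many bytes of the access lie beyond the end of the region."""
        if self.region_end is None:
            return None
        return max(0, self.access_addr + self.access_size - self.region_end)


def parse_asan_report(text: str) -> AsanTriage:
    m = ERROR_RE.search(text)
    a = ACCESS_RE.search(text)
    if not m or not a:
        raise ValueError("not a recognisable AddressSanitizer access report")
    t = AsanTriage(error_kind=m.group(1), access=a.group(1),
                   access_size=int(a.group(2)), access_addr=int(a.group(3), 16))
    r = REGION_RE.search(text)
    if r:
        t.region_start, t.region_end = int(r.group(4), 16), int(r.group(5), 16)
    stack = t.access_frames
    for line in text.splitlines():
        # Frames after "allocated by"/"freed by" describe where the region came from.
        if re.search(r"(allocated|freed) by thread", line):
            stack = t.origin_frames
            continue
        f = FRAME_RE.match(line)
        if f:
            stack.append(Frame(int(f.group(1)), f.group(2), f.group(3)))
    return t


def first_project_frame(frames: List[Frame], marker: str) -> Optional[Frame]:
    """First symbolized frame (has file:line) under the project path, skipping sanitizer glue."""
    for fr in frames:
        if fr.function.startswith(SANITIZER_PREFIXES):
            continue
        if marker in fr.location and re.search(r":\d+", fr.location):
            return fr
    return None


def summarize(t: AsanTriage, marker: str) -> str:
    parts = [f"{t.error_kind}: {t.access} of {t.access_size} bytes at {t.access_addr:#x}"]
    if t.region_end is not None:
        parts.append(f"{t.bytes_past_end} of those bytes lie past the end of a {t.region_size}-byte region")
    fr = first_project_frame(t.access_frames, marker)
    if fr:
        parts.append(f"first project frame {fr.function} at {fr.location}")
    origin = first_project_frame(t.origin_frames, marker)
    if origin:
        parts.append(f"region allocated from {origin.function} at {origin.location}")
    return "; ".join(parts)


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT), "/fuzzproject/njs/"))
```

Run as-is it prints one triage line for the report; for a batch of fuzzer crashes the same line makes a usable deduplication key (error kind plus first project frame), since many inputs that differ only in the crash address or size reach the same `nxt_vsprintf` call site.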