
global-buffer-overflow in nxt_utf8_decode nxt/nxt_utf8.c:72 #183

Closed
wrauner opened this issue Jun 20, 2019 · 5 comments
wrauner commented Jun 20, 2019

NJS version:

changeset:   1011:2fb43ddbce84
tag:         tip
user:        hongzhidao <hongzhidao@gmail.com>
date:        Mon Jun 10 22:23:56 2019 -0400
summary:     Added property getter/setter support in Object.defineProperty().

JS Testcase:

(new InternalError(new Object(), RegExp().source.replace((Object((ReferenceError()+{get: function () {
}}))||Object.isExtensible()), RegExp().source.replace((RegExp()||ignoreCase.startsWith()), function v0() {
}, Number(), Boolean(), Error(), TypeError(), Boolean(), Error(), Object(), 0)))+0)

ASAN log:

=================================================================
==3788==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5566629c2ab8 at pc 0x55666274915c bp 0x7ffefaee9990 sp 0x7ffefaee9980
READ of size 1 at 0x5566629c2ab8 thread T0
    #0 0x55666274915b in nxt_utf8_decode nxt/nxt_utf8.c:72
    #1 0x556662749796 in nxt_utf8_length nxt/nxt_utf8.c:271
    #2 0x5566625d3857 in njs_string_replace_join njs/njs_string.c:3661
    #3 0x5566625e40ee in njs_string_replace_regexp_join njs/njs_string.c:3280
    #4 0x5566625e40ee in njs_string_replace_regexp njs/njs_string.c:3163
    #5 0x5566625e40ee in njs_string_prototype_replace njs/njs_string.c:3058
    #6 0x55666268dc13 in njs_function_native_call njs/njs_function.c:587
    #7 0x5566625b0592 in njs_vmcode_continuation njs/njs_vm.c:2336
    #8 0x5566625b0cb3 in njs_vmcode_interpreter njs/njs_vm.c:159
    #9 0x5566625ab693 in njs_vm_start njs/njs.c:594
    #10 0x55666258e8a9 in njs_process_script njs/njs_shell.c:772
    #11 0x556662587cc8 in njs_process_file njs/njs_shell.c:621
    #12 0x556662587cc8 in main njs/njs_shell.c:283
    #13 0x7f67abf81b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x556662589db9 in _start (/home/build/njs/build/njs+0x2bdb9)

0x5566629c2ab8 is located 40 bytes to the left of global variable '__compound_literal.29' defined in 'njs/njs_object.c:2284:18' (0x5566629c2ae0) of size 56
0x5566629c2ab8 is located 0 bytes to the right of global variable '__compound_literal.30' defined in 'njs/njs_object.c:2292:18' (0x5566629c2a80) of size 56
SUMMARY: AddressSanitizer: global-buffer-overflow nxt/nxt_utf8.c:72 in nxt_utf8_decode
Shadow bytes around the buggy address:
  0x0aad4c530500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aad4c530510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aad4c530520: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
  0x0aad4c530530: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 f9 f9
  0x0aad4c530540: f9 f9 f9 f9 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
=>0x0aad4c530550: 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 00 00 00 00
  0x0aad4c530560: 00 00 00 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
  0x0aad4c530570: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
  0x0aad4c530580: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
  0x0aad4c530590: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
  0x0aad4c5305a0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3788==ABORTING

Found by fluff

wrauner changed the title from "heap-buffer-overflow in nxt_utf8_decode nxt/nxt_utf8.c:72" to "global-buffer-overflow in nxt_utf8_decode nxt/nxt_utf8.c:72" on Jun 20, 2019
lexborisov self-assigned this Jun 27, 2019

lexborisov (Contributor) commented:
Small example for crash:

"abc".replace(/(z*)/g, function v0() {return "124"})

Work in progress.
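The ASAN trace in the report shows nxt_utf8_length() driving nxt_utf8_decode() one byte past the end of a global object while the replace join is computing the length of a result, and the minimized reproducer reaches it through a global regex that matches the empty string. The block below is an added illustration, not njs code and not its nxt_utf8_decode() implementation: a UTF-8 decoder that takes an explicit end pointer and refuses a multibyte sequence that would extend beyond it, so a length that is off by one surfaces as a decode error instead of an out-of-bounds read. The function names utf8_decode_bounded()/utf8_length_bounded() and the sample strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sentinel for a malformed or truncated sequence. */
#define UTF8_INVALID 0xFFFFFFFFu

/*
 * Decode one UTF-8 sequence at *p without reading at or beyond `end`.
 * Success: advances *p past the sequence and returns the code point.
 * Failure: leaves *p untouched and returns UTF8_INVALID.
 * Illustrative code, not the njs nxt_utf8_decode() implementation.
 */
static uint32_t
utf8_decode_bounded(const uint8_t **p, const uint8_t *end)
{
    const uint8_t *s = *p;
    uint32_t cp;
    size_t need, i;
    uint8_t lead;

    if (s >= end) {
        return UTF8_INVALID;        /* nothing left to read */
    }

    lead = s[0];

    if (lead < 0x80) {
        *p = s + 1;
        return lead;                /* ASCII fast path */
    }

    if (lead >= 0xC2 && lead <= 0xDF) {
        need = 1; cp = lead & 0x1F;
    } else if (lead >= 0xE0 && lead <= 0xEF) {
        need = 2; cp = lead & 0x0F;
    } else if (lead >= 0xF0 && lead <= 0xF4) {
        need = 3; cp = lead & 0x07;
    } else {
        return UTF8_INVALID;        /* stray continuation, C0/C1 overlong or F5+ lead */
    }

    /* The check that matters: bail out before touching s[1..need]. */
    if ((size_t)(end - s) < need + 1) {
        return UTF8_INVALID;
    }

    for (i = 1; i <= need; i++) {
        if ((s[i] & 0xC0) != 0x80) {
            return UTF8_INVALID;    /* continuation byte expected */
        }
        cp = (cp << 6) | (s[i] & 0x3F);
    }

    /* Reject overlong 3/4-byte forms, surrogates and values above U+10FFFF. */
    if ((need == 2 && cp < 0x800) || (need == 3 && (cp < 0x10000 || cp > 0x10FFFF))
        || (cp >= 0xD800 && cp <= 0xDFFF)) {
        return UTF8_INVALID;
    }

    *p = s + need + 1;
    return cp;
}

/*
 * Count code points in the first `len` bytes of `s`.
 * Returns -1, instead of reading past the buffer, when the data is malformed
 * or a multibyte sequence is cut off by `len`.
 */
static ptrdiff_t
utf8_length_bounded(const char *s, size_t len)
{
    const uint8_t *p = (const uint8_t *) s;
    const uint8_t *end = p + len;
    ptrdiff_t n = 0;

    while (p < end) {
        if (utf8_decode_bounded(&p, end) == UTF8_INVALID) {
            return -1;
        }
        n++;
    }
    return n;
}

int
main(void)
{
    /* Constructed samples: ASCII, a 2-byte sequence, and the same 2-byte
     * sequence cut off by a length that is one byte short. */
    printf("abc       -> %td\n", utf8_length_bounded("abc", 3));
    printf("h\xC3\xA9llo     -> %td\n", utf8_length_bounded("h\xC3\xA9llo", 6));
    printf("truncated -> %td\n", utf8_length_bounded("ab\xC3\xA9", 3));
    return 0;
}
```

The design point is that the decoder checks `end - s` against the byte count implied by the lead byte before it dereferences any continuation byte; a caller that hands in a wrong length therefore gets -1 from the length routine, which is a condition a fuzzer or a unit test can observe, rather than a read outside the buffer that only a sanitizer build reports.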


nluedtke commented Jul 1, 2019

This was assigned CVE-2019-13067.

xeioex (Contributor) commented Jul 1, 2019

@nluedtke Did you create this CVE? If yes, can you please explain how you calculated the base score? Given that njs never executes JS code from the network, only from a conf file, which is a safe source. Please also do not create similar CVEs from such tickets.


nluedtke commented Jul 2, 2019

I did not create this. Just linking it here for awareness. It is entirely possible the score on NVD is incorrect, it happens often.


jdelta-RBS commented Jul 2, 2019

^^ Yeah, CVE/NVD have plenty of garbage information, especially when researchers don't coordinate with vendors and NVD doesn't vet the information (which they almost never really do).
