env
ubuntu 18.04
njs 0feca92
gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)

bug
So, actually this is a logic bug that happened under a really interesting circumstance.
The buggy function is njs_module_read in the file njs_module.c:
    if (fstat(fd, &sb) == -1) {
        goto fail;
    }

    text->length = nxt_length(NJS_MODULE_START);

    /* st_size is only added to the length for regular files ... */
    if (S_ISREG(sb.st_mode) && sb.st_size) {
        text->length += sb.st_size;
    }

    text->length += nxt_length(NJS_MODULE_END);

    text->start = nxt_mp_alloc(vm->mem_pool, text->length);
    if (text->start == NULL) {
        goto fail;
    }

    p = nxt_cpymem(text->start, NJS_MODULE_START, nxt_length(NJS_MODULE_START));

    /* ... but the read is always sb.st_size bytes, regardless of st_mode */
    n = read(fd, p, sb.st_size);
As you can see, it reads sb.st_size and sb.st_mode with the function fstat. However, if we don't provide a common .js file, S_ISREG(sb.st_mode) will be 0 and text->length won't be updated.
And read(fd, p, sb.st_size); still reads sb.st_size bytes into p. p is on the heap. So we can overflow to the next chunk on the heap....
poc
import crypto from '/'
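For comparison, here is a hardened reader that closes the mismatch described in the report; this is an added example written for this issue, not njs code, and the wrapper strings are assumed placeholders because the real NJS_MODULE_START/NJS_MODULE_END values are not shown here.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Assumed placeholder wrapper strings (the real ones are not in the issue). */
#define MODULE_START "function() {"
#define MODULE_END   "}"

typedef struct { char *start; size_t length; } text_t;

/* The length is only ever derived from a regular file, and read() is bounded
 * by the bytes actually allocated, so mode/size disagreement cannot overrun. */
int safe_module_read(const char *path, text_t *text)
{
    struct stat sb;
    char *p;
    size_t got = 0, want;
    ssize_t n;
    int fd = open(path, O_RDONLY);

    if (fd == -1) return -1;
    /* Refuse anything that is not a regular file (directory, device, FIFO). */
    if (fstat(fd, &sb) == -1 || !S_ISREG(sb.st_mode)) { close(fd); return -1; }
    want = (size_t) sb.st_size;
    text->start = malloc(strlen(MODULE_START) + want + strlen(MODULE_END));
    if (text->start == NULL) { close(fd); return -1; }
    memcpy(text->start, MODULE_START, strlen(MODULE_START));
    p = text->start + strlen(MODULE_START);
    /* Never read past the reserved space, even if the file changed after fstat(). */
    while (got < want) {
        n = read(fd, p + got, want - got);
        if (n < 0) { close(fd); free(text->start); return -1; }
        if (n == 0) break;                 /* file shrank: accept the shorter body */
        got += (size_t) n;
    }
    close(fd);
    memcpy(p + got, MODULE_END, strlen(MODULE_END));
    text->length = strlen(MODULE_START) + got + strlen(MODULE_END);
    return 0;
}

/* Writes constructed `src` to a temp file, reads it back, returns 1 on match. */
int temp_module_equals(const char *src, const char *expected)
{
    char path[] = "/tmp/njs_mod_XXXXXX";
    text_t t;
    int ok, fd = mkstemp(path);

    if (fd == -1) return -1;
    if (write(fd, src, strlen(src)) != (ssize_t) strlen(src)) { close(fd); unlink(path); return -1; }
    close(fd);
    ok = safe_module_read(path, &t) == 0;
    unlink(path);
    if (!ok) return 0;
    ok = t.length == strlen(expected) && memcmp(t.start, expected, t.length) == 0;
    free(t.start);
    return ok;
}

/* The PoC imports '/', a directory; the hardened reader must reject it. */
int directory_is_rejected(void) { text_t t; return safe_module_read("/", &t) == -1; }
```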