
illegal memcpy during njs_vmcode_typeof in /njs/src/njs_vmcode.c:1521:18 #450

anonym0us1337 opened this issue Dec 24, 2021 · 2 comments


anonym0us1337 commented Dec 24, 2021

Env

Version    : 0.7.0
Git Commit : 2da5d8b246b806bee6f74b575217ec3b61a25548
OS         : Ubuntu 20.04
Configure  : ./configure --address-sanitizer=YES

POC

function main() {
    const v2 = new ArrayBuffer();
    const v3 = new DataView(v2);
    const v5 = typeof v3;
}
main();

Stack Dump

AddressSanitizer:DEADLYSIGNAL
=================================================================
==466645==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe5fea5cc5b bp 0x7ffe64718cb0 sp 0x7ffe64718468 T0)
==466645==The signal is caused by a READ memory access.
==466645==Hint: address points to the zero page.
    #0 0x7fe5fea5cc5b in memcpy /build/glibc-eX1tMB/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:142
    #1 0x495737 in __asan_memcpy (/home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/build/njs+0x495737)
    #2 0x4e54bf in njs_vmcode_typeof /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_vmcode.c:1521:18
    #3 0x4e54bf in njs_vmcode_interpreter /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_vmcode.c:594:23
    #4 0x53ae40 in njs_function_lambda_call /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_function.c:701:11
    #5 0x4e4648 in njs_vmcode_interpreter /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_vmcode.c:783:23
    #6 0x4dea17 in njs_vm_start /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_vm.c:493:11
    #7 0x4c7f3d in njs_process_script /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_shell.c:881:19
    #8 0x4c7375 in njs_process_file /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_shell.c:615:11
    #9 0x4c7375 in main /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_shell.c:315:15
    #10 0x7fe5fe9c50b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x41dabd in _start (/home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/build/njs+0x41dabd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-eX1tMB/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:142 in memcpy
==466645==ABORTING

Credit

P1umer, afang5472, Kotori of NeSE@IIE


drsm commented Dec 24, 2021

Hi!
@anonym0us1337

Thank you for the report.

Here is the patch:

# HG changeset patch
# User Artem S. Povalyukhin <artem.povaluhin@gmail.com>
# Date 1640329215 -10800
#      Fri Dec 24 10:00:15 2021 +0300
# Node ID 53b292346e7f63c3ea952ab08aa8619d955a8bc2
# Parent  4d4657128baffb8eb6b6958c436075387b57530f
Fixed null pointer dereference in njs_vmcode_typeof.

diff -r 4d4657128baf -r 53b292346e7f src/njs_vmcode.c
--- a/src/njs_vmcode.c  Tue Dec 21 17:42:26 2021 +0000
+++ b/src/njs_vmcode.c  Fri Dec 24 10:00:15 2021 +0300
@@ -1516,6 +1516,7 @@ njs_vmcode_typeof(njs_vm_t *vm, njs_valu
         &njs_string_object,
         &njs_string_object,
         &njs_string_object,
+        &njs_string_object,
     };
 
     vm->retval = *types[value->type];
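Review bot: nothing ties the length of `types` to the number of value types, so appending one more `&njs_string_object` row closes the gap for DataView but the next type added to the enum will reintroduce the same out-of-bounds read at `vm->retval = *types[value->type];`. Suggest a compile-time assertion that the row count of `types` equals the number of value types, or a bounds check on `value->type` before the dereference, so a short table fails the build or returns an error instead of reading past the array.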
diff -r 4d4657128baf -r 53b292346e7f src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c  Tue Dec 21 17:42:26 2021 +0000
+++ b/src/test/njs_unit_test.c  Fri Dec 24 10:00:15 2021 +0300
@@ -6390,6 +6390,9 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("(new DataView(new ArrayBuffer(3)))"),
       njs_str("[object DataView]") },
 
+    { njs_str("var x = new ArrayBuffer(3); [typeof x, typeof new DataView(x)]"),
+      njs_str("object,object") },
+
     { njs_str("(new DataView(new ArrayBuffer(3))).buffer"),
       njs_str("[object ArrayBuffer]") },
 
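Review bot: the regression test does not use the reported input: it builds `new ArrayBuffer(3)`, whereas the PoC in the report used `new ArrayBuffer()` with no length. The table lookup does not depend on the buffer length, so the case is covered, but adding the exact reproducer (`typeof new DataView(new ArrayBuffer())`) next to the new entry would make the test match the report and guard the zero-length path as well.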

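The defect behind the patch above, a typeof lookup table one row shorter than the type enum that indexes it, together with the compile-time and bounds checks that catch it, as an added C example; this is not njs code, and the enum members, table contents and function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical value-type enum; T_DATA_VIEW is the newest member, standing
 * in for DataView in this issue. T_LAST counts the enumerators. */
typedef enum {
    T_UNDEFINED, T_NULL, T_BOOLEAN, T_NUMBER, T_STRING, T_OBJECT,
    T_ARRAY_BUFFER, T_DATA_VIEW, T_LAST
} type_t;

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Pre-fix shape: one positional row per type, but the row for T_DATA_VIEW
 * was never added, so indexing with T_DATA_VIEW reads past the end. */
static const char *const typeof_buggy[] = {
    "undefined", "object", "boolean", "number", "string", "object", "object",
};

/* Post-fix shape: the missing row is present, and a compile-time check ties
 * the row count to the enum so the next new type cannot be forgotten. */
static const char *const typeof_fixed[] = {
    "undefined", "object", "boolean", "number", "string", "object", "object",
    "object",
};
_Static_assert(COUNT(typeof_fixed) == T_LAST, "typeof table must cover every type");

/* Bounds-checked lookup: returns NULL for a type the table does not cover
 * instead of handing an out-of-range or NULL pointer on to memcpy. */
static const char *typeof_lookup(const char *const *table, size_t rows, type_t t)
{
    if ((size_t) t >= rows || table[t] == NULL) return NULL;
    return table[t];
}

const char *typeof_name_buggy(type_t t) { return typeof_lookup(typeof_buggy, COUNT(typeof_buggy), t); }
const char *typeof_name_fixed(type_t t) { return typeof_lookup(typeof_fixed, COUNT(typeof_fixed), t); }

int main(void)
{
    const char *s = typeof_name_buggy(T_DATA_VIEW);
    printf("buggy table: %s\n", s ? s : "(no row: the lookup the report crashed on)");
    printf("fixed table: %s\n", typeof_name_fixed(T_DATA_VIEW));
    return 0;
}
```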
@xeioex xeioex added this to the 0.7.1 milestone Dec 24, 2021

P1umer commented Feb 15, 2022

This issue was assigned CVE-2021-46461.
