Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fixed] njs 0.7.3 was discovered to contain a stack-buffer-overflow bug in njs_default_module_loader #493

Closed
salmonx opened this issue Apr 13, 2022 · 1 comment
Closed

[Fixed] njs 0.7.3 was discovered to contain a stack-buffer-overflow bug in njs_default_module_loader #493

salmonx opened this issue Apr 13, 2022 · 1 comment
Labels
bug

Comments

@salmonx
Copy link

salmonx commented Apr 13, 2022
edited
Loading

Description

njs 0.7.3, used in NGINX, was discovered to contain a stack-buffer-overflow in njs_default_module_loader
(/src/njs/src/njs_module.c)

ENV

  • Version : 0.7.3
  • Commit : 222d6fd
  • OS : Ubuntu 18.04
  • Configure : CC=clang-14 ./configure --address-sanitizer=YES

BT

root@826e0eaa5e54:/src/njs_0.7.3_debug# ./build/njs /njs/out/crash_stack-buffer-overflow_1 
=================================================================
==22820==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe0b253e41 at pc 0x00000049e4ca bp 0x7ffe0b252e10 sp 0x7ffe0b2525d8
WRITE of size 21313 at 0x7ffe0b253e41 thread T0
    #0 0x49e4c9 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x55db4a in njs_module_path /src/njs_0.7.3_debug/src/njs_module.c:148:18
    #2 0x55db4a in njs_module_lookup /src/njs_0.7.3_debug/src/njs_module.c:83:11
    #3 0x55db4a in njs_default_module_loader /src/njs_0.7.3_debug/src/njs_module.c:377:11
    #4 0x55d195 in njs_parser_module /src/njs_0.7.3_debug/src/njs_module.c:56:14
    #5 0x59a737 in njs_parser_import /src/njs_0.7.3_debug/src/njs_parser.c:7793:24
    #6 0x56ed11 in njs_parser /src/njs_0.7.3_debug/src/njs_parser.c:598:23
    #7 0x4e92cd in njs_vm_compile /src/njs_0.7.3_debug/src/njs_vm.c:159:11
    #8 0x4d7c66 in njs_process_script /src/njs_0.7.3_debug/src/njs_shell.c:886:11
    #9 0x4d72bb in njs_process_file /src/njs_0.7.3_debug/src/njs_shell.c:619:11
    #10 0x4d72bb in main /src/njs_0.7.3_debug/src/njs_shell.c:303:15
    #11 0x7f566fabf0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #12 0x41ea3d in _start (/src/njs_0.7.3_debug/build/njs+0x41ea3d)

Address 0x7ffe0b253e41 is located in stack of thread T0 at offset 4129 in frame
    #0 0x55d6af in njs_default_module_loader /src/njs_0.7.3_debug/src/njs_module.c:363

  This frame has 6 object(s):
    [32, 4129) 'src.i' (line 115)
    [4400, 4544) 'sb.i' (line 173) <== Memory access at offset 4129 partially underflows this variable
    [4608, 8705) 'src.i.i' (line 115) <== Memory access at offset 4129 partially underflows this variable
    [8976, 8992) 'cwd' (line 365) <== Memory access at offset 4129 partially underflows this variable
    [9008, 9024) 'text' (line 365) <== Memory access at offset 4129 partially underflows this variable
    [9040, 13184) 'info' (line 368) <== Memory access at offset 4129 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x100041642770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100041642780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100041642790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000416427a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000416427b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000416427c0: 00 00 00 00 00 00 00 00[01]f2 f2 f2 f2 f2 f2 f2
  0x1000416427d0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x1000416427e0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8
  0x1000416427f0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
  0x100041642800: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x100041642810: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22820==ABORTING

Fixed

The issue was fixed in ab1702c.

FYI, the problem was committed in 2ff8b26 which was not released yet.

Reference

https://huntr.dev/bounties/a244d6e7-a5ec-47ef-9d77-8c50764ffc0a/
@xeioex xeioex added the bug label Apr 13, 2022
@xeioex
Copy link
Contributor

xeioex commented Apr 13, 2022

Fixed in ab1702c.

@xeioex xeioex closed this as completed Apr 13, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@xeioex @salmonx