We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
njs 0.7.3, used in NGINX, was discovered to contain a stack-buffer-overflow in njs_default_module_loader (/src/njs/src/njs_module.c)
root@826e0eaa5e54:/src/njs_0.7.3_debug# ./build/njs /njs/out/crash_stack-buffer-overflow_1 ================================================================= ==22820==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe0b253e41 at pc 0x00000049e4ca bp 0x7ffe0b252e10 sp 0x7ffe0b2525d8 WRITE of size 21313 at 0x7ffe0b253e41 thread T0 #0 0x49e4c9 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 #1 0x55db4a in njs_module_path /src/njs_0.7.3_debug/src/njs_module.c:148:18 #2 0x55db4a in njs_module_lookup /src/njs_0.7.3_debug/src/njs_module.c:83:11 #3 0x55db4a in njs_default_module_loader /src/njs_0.7.3_debug/src/njs_module.c:377:11 #4 0x55d195 in njs_parser_module /src/njs_0.7.3_debug/src/njs_module.c:56:14 #5 0x59a737 in njs_parser_import /src/njs_0.7.3_debug/src/njs_parser.c:7793:24 #6 0x56ed11 in njs_parser /src/njs_0.7.3_debug/src/njs_parser.c:598:23 #7 0x4e92cd in njs_vm_compile /src/njs_0.7.3_debug/src/njs_vm.c:159:11 #8 0x4d7c66 in njs_process_script /src/njs_0.7.3_debug/src/njs_shell.c:886:11 #9 0x4d72bb in njs_process_file /src/njs_0.7.3_debug/src/njs_shell.c:619:11 #10 0x4d72bb in main /src/njs_0.7.3_debug/src/njs_shell.c:303:15 #11 0x7f566fabf0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16 #12 0x41ea3d in _start (/src/njs_0.7.3_debug/build/njs+0x41ea3d) Address 0x7ffe0b253e41 is located in stack of thread T0 at offset 4129 in frame #0 0x55d6af in njs_default_module_loader /src/njs_0.7.3_debug/src/njs_module.c:363 This frame has 6 object(s): [32, 4129) 'src.i' (line 115) [4400, 4544) 'sb.i' (line 173) <== Memory access at offset 4129 partially underflows this variable [4608, 8705) 'src.i.i' (line 115) <== Memory access at offset 4129 partially underflows this variable [8976, 8992) 'cwd' (line 365) <== Memory access at offset 4129 partially underflows this variable [9008, 9024) 'text' (line 365) <== Memory access at offset 4129 partially underflows this variable [9040, 13184) 'info' (line 368) <== Memory access at offset 4129 partially underflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy Shadow bytes around the buggy address: 0x100041642770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100041642780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100041642790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000416427a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000416427b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x1000416427c0: 00 00 00 00 00 00 00 00[01]f2 f2 f2 f2 f2 f2 f2 0x1000416427d0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 0x1000416427e0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 0x1000416427f0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 0x100041642800: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 0x100041642810: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==22820==ABORTING
The issue was fixed in ab1702c.
FYI, the problem was committed in 2ff8b26 which was not released yet.
https://huntr.dev/bounties/a244d6e7-a5ec-47ef-9d77-8c50764ffc0a/
The text was updated successfully, but these errors were encountered:
Fixed in ab1702c.
Sorry, something went wrong.
No branches or pull requests
Description
njs 0.7.3, used in NGINX, was discovered to contain a stack-buffer-overflow in njs_default_module_loader
(/src/njs/src/njs_module.c)
ENV
BT
Fixed
The issue was fixed in ab1702c.
FYI, the problem was committed in 2ff8b26 which was not released yet.
Reference
https://huntr.dev/bounties/a244d6e7-a5ec-47ef-9d77-8c50764ffc0a/
The text was updated successfully, but these errors were encountered: