
heap overflow #16

Closed
rain6851 opened this issue May 20, 2020 · 2 comments

Comments

@rain6851

Environment

operating system: ubuntu18.04
compile command: export JSI__SANITIZE=1 && make
test command: ./jsish poc1 

poc (fuzzer-generated; the statement `var jWeN = assert(null, null);` is the trigger the maintainer later isolates, and it runs before the loop, so the undefined `loops` variable is never reached):

```javascript
function fail(message) {
}
function assert(condition, message) {
    if (!condition)
        fail(message);
}
function assertEquals(expression, value, message) {
    if (expression != value) {
        expression = ('' + expression).replace(/[\r\n]+/g, ')aOD$,0ZA>`W[oxl~4zXIG');
        value = ('' + value).replace(/\r?\n/g, '^A-}nr4+Cnb-(+`2M,');
        var FDwc = Proxy;
        fail('' + value + '' + expression + ';W' + message);
    }
}
var d;
d = null;
// Assigning the result of the builtin assert() is what reaches the bad path.
var jWeN = assert(null, null);
var QJmz = JSON;
// `loops` is never defined in this poc; the crash happens before this point.
for (var i = 0; i < loops; i += 1) {
    d = new Date();
    d = new function (x) {
        return {
            toString: function () {
                return x.toString();
            }
        };
    }(d.valueOf());
    var sDPa = new Map([
        [null],
        [
            null,
            null,
            null,
            null
        ]
    ]);
    d = d.parentNode;
    assert(null, null);
    var pxeM = Proxy;
    var bsAF = assert(null, null);
}
```

Vulnerability description

Below is the ASAN output. We can see that the code has a heap overflow in jsi_evalcode_sub (src/jsiEval.c:1325).
[screenshot: ASAN report, heap overflow in jsi_evalcode_sub, src/jsiEval.c:1325]

@pcmacdon (Owner)

Ouch. This is more simply reproduced with:

```javascript
var x = assert(true);
```

The problem: "assert", "LogDebug", "LogTest", and "LogTrace" are mapped out as noops, and it should have mapped out the assignment as well.

A fix has been put in Release "3.0.17".

pcmacdon pushed a commit that referenced this issue May 20, 2020
… or assign result of assert/LogDebug/...

FossilOrigin-Name: 9f3a8079d766d1513c2e8e9f5aae19758bafbd336d40f10028088bd61983db3e
@pcmacdon (Owner)

Release "3.0.18" now makes it an error to redefine or assign result of assert/LogDebug/...
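The two maintainer comments above describe a bug class rather than a one-off: a builtin call that the interpreter strips out as a no-op still has a consumer (the `var x =` assignment) that expects a value on the evaluation stack. The following is an added illustration, not jsish source and not a description of how jsi_evalcode_sub is actually implemented: a toy stack VM whose compiler elides `assert`/`LogDebug`/`LogTest`/`LogTrace`. It has three modes: `MODE_BUGGY` models the report (the call vanishes, the STORE stays and pops from an empty stack); `MODE_FIXED` is one assumed repair (an elided call still yields `undefined`); `MODE_STRICT` models the 3.0.18 rule of rejecting the assignment at compile time. The VM here bounds-checks its pops so the test can observe the fault; remove that check and the same STORE reads one slot before a heap-allocated buffer, which is exactly what `-fsanitize=address` would flag.

```c
/* Added example (not jsish code): eliding a no-op builtin call while keeping
 * the assignment of its result leaves STORE popping an empty operand stack.
 * Builtin names and the three modes are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { OP_PUSH, OP_CALL, OP_STORE, OP_POP };
enum { RET_OK = 0, RET_UNDERFLOW = 1, RET_COMPILE_ERROR = 2, RET_OVERFLOW = 3 };
typedef enum { STMT_EXPR, STMT_VAR } StmtKind;        /* `f(1);` vs `var x = f(1);` */
typedef enum { MODE_BUGGY, MODE_FIXED, MODE_STRICT } Mode;

#define UNDEF (-1L)     /* stand-in for JS undefined */
#define MAX_INSN 16
#define STACK_CAP 4

typedef struct { int op; long arg; } Insn;
typedef struct { Insn code[MAX_INSN]; int n; } Code;

static void emit(Code *c, int op, long arg) {
    c->code[c->n].op = op; c->code[c->n].arg = arg; c->n++;
}

/* Builtins the interpreter strips out when debugging is off (names from the thread). */
static int is_noop_builtin(const char *name) {
    static const char *noops[] = { "assert", "LogDebug", "LogTest", "LogTrace" };
    for (size_t i = 0; i < sizeof noops / sizeof *noops; i++)
        if (strcmp(name, noops[i]) == 0) return 1;
    return 0;
}

/* Compile one statement `callee(1)` or `var x = callee(1)` into VM code. */
static int compile_stmt(StmtKind kind, const char *callee, Mode mode, Code *out) {
    out->n = 0;
    if (is_noop_builtin(callee)) {
        if (kind == STMT_EXPR) return RET_OK;               /* whole statement vanishes: safe */
        if (mode == MODE_STRICT) return RET_COMPILE_ERROR;  /* reject `var x = assert(...)` */
        if (mode == MODE_FIXED) emit(out, OP_PUSH, UNDEF);  /* consumer still gets a value */
        /* MODE_BUGGY: call elided, nothing pushed, yet the STORE below is still emitted */
    } else {
        emit(out, OP_PUSH, 1);   /* the single argument */
        emit(out, OP_CALL, 1);   /* consumes 1 arg, pushes the call's result */
    }
    emit(out, kind == STMT_VAR ? OP_STORE : OP_POP, 0);
    return RET_OK;
}

/* Bounds-checked VM. An unchecked `stack[--sp]` at sp == 0 is the out-of-bounds read. */
static int run(const Code *c, long *stack, long *var0) {
    int sp = 0;
    for (int pc = 0; pc < c->n; pc++) {
        const Insn *in = &c->code[pc];
        switch (in->op) {
        case OP_PUSH:
            if (sp == STACK_CAP) return RET_OVERFLOW;
            stack[sp++] = in->arg;
            break;
        case OP_CALL: {
            if (sp < in->arg) return RET_UNDERFLOW;
            long v = stack[--sp];
            stack[sp++] = (v != 0);            /* toy builtin: returns its condition as bool */
            break;
        }
        case OP_STORE:
        case OP_POP:
            if (sp == 0) return RET_UNDERFLOW; /* without this check: stack[-1], heap OOB */
            if (in->op == OP_STORE) *var0 = stack[sp - 1];
            sp--;
            break;
        }
    }
    return RET_OK;
}

/* Compile and execute one statement on a heap-allocated operand stack. */
int run_statement(StmtKind kind, const char *callee, Mode mode, long *var0) {
    Code code;
    int rc = compile_stmt(kind, callee, mode, &code);
    if (rc != RET_OK) return rc;
    long *stack = malloc(STACK_CAP * sizeof *stack);
    if (!stack) abort();
    *var0 = 0;
    rc = run(&code, stack, var0);
    free(stack);
    return rc;
}

int main(void) {
    long x;
    printf("buggy  `var x = assert(true)`: rc=%d (1 = stack underflow)\n",
           run_statement(STMT_VAR, "assert", MODE_BUGGY, &x));
    printf("fixed  `var x = assert(true)`: rc=%d x=%ld (-1 = undefined)\n",
           run_statement(STMT_VAR, "assert", MODE_FIXED, &x), x);
    printf("strict `var x = assert(true)`: rc=%d (2 = compile error)\n",
           run_statement(STMT_VAR, "assert", MODE_STRICT, &x));
    return 0;
}
```

The plain statement `assert(true);` is harmless in every mode because the whole statement disappears; only a consumer of the elided value exposes the gap. The strict mode is the cheapest fix from a safety standpoint: once a builtin is declared a no-op, any syntax that observes its result (assignment, redefinition, use as an operand) is rejected before anything executes, which is the shape of the 3.0.18 rule.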
