
heap-use-after-free at jsi_ArrayReduceSubCmd src/jsiArray.c:620 #25

Closed
kvenux opened this issue Oct 22, 2020 · 1 comment


kvenux commented Oct 22, 2020

Build environment:

Ubuntu 16.04
gcc 5.4.0
version: 17c32ef
build command:
export JSI__SANITIZE=1
make
test command: ./jsish poc

POC

jsish-1021-000002.txt

Description

Below is the ASAN output.

=================================================================
==75149==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000014048 at pc 0x0000004ff1ab bp 0x7ffc17dbe420 sp 0x7ffc17dbe410
READ of size 8 at 0x608000014048 thread T0
#0 0x4ff1aa in jsi_ArrayReduceSubCmd src/jsiArray.c:620
#1 0x4ff1aa in jsi_ArrayReduceRightCmd src/jsiArray.c:662
#2 0x4c4f20 in jsi_FuncCallSub src/jsiProto.c:244
#3 0x73e470 in jsiFunctionSubCall src/jsiEval.c:793
#4 0x73e470 in jsiEvalFunction src/jsiEval.c:828
#5 0x73e470 in jsiEvalCodeSub src/jsiEval.c:1253
#6 0x7509a7 in jsi_evalcode src/jsiEval.c:2188
#7 0x7534fb in jsi_evalStrFile src/jsiEval.c:2494
#8 0x49ae7e in Jsi_Main src/jsiInterp.c:917
#9 0xc07b32 in jsi_main src/main.c:44
#10 0x7f9608aca83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#11 0x434fc8 in _start (/home/keven/Fuzzing/jsish-1021/jsish+0x434fc8)

0x608000014048 is located 40 bytes inside of 96-byte region [0x608000014020,0x608000014080)
freed by thread T0 here:
#0 0x7f96096362ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x57a5b7 in Jsi_ObjDecrRefCount src/jsiObj.c:434

previously allocated by thread T0 here:
#0 0x7f960963679a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x49f5a4 in Jsi_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiArray.c:620 jsi_ArrayReduceSubCmd
Shadow bytes around the buggy address:
0x0c107fffa7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fffa7c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffa7d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fffa7e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fffa7f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fffa800: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fd
0x0c107fffa810: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffa820: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffa830: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffa840: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffa850: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==75149==ABORTING

pcmacdon pushed a commit that referenced this issue Oct 22, 2020
FossilOrigin-Name: 10777e7a64996c61fceb96e383fbdc35637693331d24576b1da5af8f188f8cdf
pcmacdon (Owner) commented

Well, I'm glad you found this bug. It made me realise that the other Array callbacks passing this also suffer the same defect. I've changed them all to pass a copy instead.
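The defect the ASan trace and the maintainer's reply describe is a reference-counting lifetime bug: an array is handed to a script callback as `this` without the caller taking a reference of its own, so the callee's frame teardown (`Jsi_ObjDecrRefCount` in the trace) releases the array while the reduce loop is still iterating over it. The following is an added, constructed C example that is not jsish code; `Obj`, `invoke`, `reduce_right_buggy` and `reduce_right_fixed` are hypothetical names. It models the buggy and the balanced ownership side by side, and, instead of really freeing memory when the last reference is dropped, leaves the object in a poisoned quarantine state so that the use-after-free and the follow-on double release are counted rather than being undefined behaviour (the same reason ASan can report them). The fix shown takes an extra reference per call; the maintainer's commit passes a copy instead, which removes the shared reference in a different way.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not jsish code: a minimal refcounted array object that
 * stands in for an interpreter's array object. */
typedef struct Obj {
    int refcount;
    int freed;      /* set once the last reference has been dropped */
    long *items;
    size_t len;
} Obj;

/* Counters a sanitizer would report; here they make the defect observable. */
static int g_uaf_reads;     /* reads of an object whose last ref was dropped */
static int g_double_frees;  /* reference drops on an already-freed object */

#define POISON 0xDEADL      /* written over freed items, like a debug allocator */

static Obj *obj_new(const long *src, size_t len) {
    Obj *o = calloc(1, sizeof *o);
    o->items = calloc(len ? len : 1, sizeof *o->items);
    memcpy(o->items, src, len * sizeof *src);
    o->len = len;
    o->refcount = 1;
    return o;
}

static void obj_incr(Obj *o) { o->refcount++; }

/* Drop a reference. A real implementation would free() here; this one leaves
 * the object in a poisoned "quarantine" so that later misuse can be counted. */
static void obj_decr(Obj *o) {
    if (o->freed) { g_double_frees++; return; }
    if (--o->refcount > 0) return;
    o->freed = 1;
    for (size_t i = 0; i < o->len; i++) o->items[i] = POISON;
}

static void obj_purge(Obj *o) { free(o->items); free(o); }  /* real release */

/* Accessors record what a sanitizer would flag as heap-use-after-free. */
static size_t obj_len(const Obj *o) { if (o->freed) g_uaf_reads++; return o->len; }
static long   obj_get(const Obj *o, size_t i) { if (o->freed) g_uaf_reads++; return o->items[i]; }

typedef long (*ReduceFn)(long acc, long item, Obj *self);

/* Models calling a script function: the callee's frame owns the `this`
 * reference it was handed and releases it when the frame unwinds. */
static long invoke(ReduceFn fn, long acc, long item, Obj *this_ref) {
    long r = fn(acc, item, this_ref);
    obj_decr(this_ref);             /* frame teardown releases `this` */
    return r;
}

/* BUGGY: the caller's only reference is handed over as `this` without taking
 * a new one. The first frame teardown releases the array, and every later
 * iteration reads from, and re-releases, freed memory. */
static long reduce_right_buggy(Obj *arr, ReduceFn fn, long init) {
    long acc = init;
    for (size_t i = obj_len(arr); i-- > 0;)
        acc = invoke(fn, acc, obj_get(arr, i), arr);
    return acc;
}

/* FIXED: each call is given a reference of its own, so the frame's release is
 * balanced and the caller's reference keeps the array alive for the loop. */
static long reduce_right_fixed(Obj *arr, ReduceFn fn, long init) {
    long acc = init;
    for (size_t i = obj_len(arr); i-- > 0;) {
        obj_incr(arr);              /* +1 owned by the callee frame */
        acc = invoke(fn, acc, obj_get(arr, i), arr);
    }
    return acc;
}

static long add(long acc, long item, Obj *self) { (void)self; return acc + item; }

/* Run one variant over the constructed array [1, 2, 3] and return the sum;
 * g_uaf_reads / g_double_frees then hold what the run triggered. */
static long run_demo(int fixed) {
    static const long data[] = {1, 2, 3};
    g_uaf_reads = g_double_frees = 0;
    Obj *arr = obj_new(data, 3);
    long sum = fixed ? reduce_right_fixed(arr, add, 0)
                     : reduce_right_buggy(arr, add, 0);
    obj_decr(arr);                  /* caller drops its own reference */
    obj_purge(arr);
    return sum;
}

int main(void) {
    long ok = run_demo(1);
    printf("fixed: sum=%ld uaf_reads=%d double_frees=%d\n", ok, g_uaf_reads, g_double_frees);
    long bad = run_demo(0);
    printf("buggy: sum=%ld uaf_reads=%d double_frees=%d\n", bad, g_uaf_reads, g_double_frees);
    return 0;
}
```

The buggy variant sums the poison value into its result and records two reads after free plus three over-releases, while the fixed variant returns 6 with neither counter set. The check worth carrying into a real code base is the invariant the fixed loop maintains: every reference handed to a callee frame is one the caller took for that purpose, never the caller's own.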
