Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow at Jsi_DSAppendLen src/jsiDString.c:109 #31

Closed
kvenux opened this issue Oct 31, 2020 · 1 comment
Closed

heap-buffer-overflow at Jsi_DSAppendLen src/jsiDString.c:109 #31

kvenux opened this issue Oct 31, 2020 · 1 comment

Comments

@kvenux
Copy link

kvenux commented Oct 31, 2020

Build environment:

Ubuntu 16.04
gcc 5.4.0
version: 73f457f
build command:
export JSI__SANITIZE=1
make
test command: ./jsish poc

POC

jsish-1024-000133.txt

Description

Below is the ASAN outputs.

==42992==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000a4f2 at pc 0x7fe14fca0935 bp 0x7ffe63bb9fa0 sp 0x7ffe63bb9748
READ of size 96 at 0x60b00000a4f2 thread T0
#0 0x7fe14fca0934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
#1 0x5c12d1 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2 0x5c12d1 in Jsi_DSAppendLen src/jsiDString.c:109
#3 0x5ebb2e in Jsi_UtfSubstr src/jsiUtf8.c:130
#4 0x4e74f9 in _StringTrimCmd src/jsiString.c:370
#5 0x4e74f9 in StringTrimCmd src/jsiString.c:378
#6 0x4c405d in jsi_FuncCallSub src/jsiProto.c:244
#7 0x73eaa4 in jsiFunctionSubCall src/jsiEval.c:790
#8 0x73eaa4 in jsiEvalFunction src/jsiEval.c:825
#9 0x73eaa4 in jsiEvalCodeSub src/jsiEval.c:1250
#10 0x7506ec in jsi_evalcode src/jsiEval.c:2190
#11 0x4c517a in jsi_FuncCallSub src/jsiProto.c:220
#12 0x73e7ca in jsiFunctionSubCall src/jsiEval.c:790
#13 0x73e7ca in jsiEvalFunction src/jsiEval.c:825
#14 0x73e7ca in jsiEvalCodeSub src/jsiEval.c:1250
#15 0x7506ec in jsi_evalcode src/jsiEval.c:2190
#16 0x75317f in jsi_evalStrFile src/jsiEval.c:2496
#17 0x499c46 in Jsi_Main src/jsiInterp.c:917
#18 0xc0345a in jsi_main src/main.c:44
#19 0x7fe14f14083f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#20 0x434f48 in _start (/home/keven/Fuzzing/jsish-1024/jsish+0x434f48)

0x60b00000a4f2 is located 0 bytes to the right of 98-byte region [0x60b00000a490,0x60b00000a4f2)
allocated by thread T0 here:
#0 0x7fe14fcac602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x49e422 in Jsi_Malloc src/jsiUtils.c:52

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
0x0c167fff9440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c167fff9490: fa fa 00 00 00 00 00 00 00 00 00 00 00 00[02]fa
0x0c167fff94a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c167fff94b0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
0x0c167fff94c0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c167fff94d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c167fff94e0: fd fd fa fa fa fa fa fa fa fa 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==42992==ABORTING

@pcmacdon
Copy link
Owner

trim() was trying to live in the UTF world, l but that doesn't really make sense, as the implementation is non-standard.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants