=================================================================
==31435==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000c8f8 at pc 0x0000005ac45b bp 0x7ffdbfd7fdb0 sp 0x7ffdbfd7fda0
READ of size 8 at 0x62500000c8f8 thread T0
    #0 0x5ac45a in jsiEvalCodeSub src/jsiEval.c:1363
    #1 0x5ba22a in jsi_evalcode src/jsiEval.c:2223
    #2 0x5be353 in jsi_evalStrFile src/jsiEval.c:2676
    #3 0x5bec1a in Jsi_EvalFile src/jsiEval.c:2725
    #4 0x43db99 in Jsi_Main src/jsiInterp.c:936
    #5 0x7928e2 in jsi_main src/main.c:47
    #6 0x7929bc in main src/main.c:55
    #7 0x7f947901e83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #8 0x414f18 in _start (/home/lily/Desktop/01-afl-targets/crash-analysis/jsish/jsish+0x414f18)
0x62500000c8f8 is located 8 bytes to the left of 8192-byte region [0x62500000c900,0x62500000e900)
allocated by thread T0 here:
    #0 0x7f9479b8a9c1 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
    #1 0x4506dc in Jsi_Realloc src/jsiUtils.c:47
    #2 0x59f44e in jsiValuesAlloc src/jsiEval.c:88
    #3 0x59f5e3 in jsiSetupStack src/jsiEval.c:101
    #4 0x5aa61c in jsiEvalCodeSub src/jsiEval.c:1196
    #5 0x5ba22a in jsi_evalcode src/jsiEval.c:2223
    #6 0x5be353 in jsi_evalStrFile src/jsiEval.c:2676
    #7 0x5bec1a in Jsi_EvalFile src/jsiEval.c:2725
    #8 0x43db99 in Jsi_Main src/jsiInterp.c:936
    #9 0x7928e2 in jsi_main src/main.c:47
    #10 0x7929bc in main src/main.c:55
    #11 0x7f947901e83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiEval.c:1363 jsiEvalCodeSub
Shadow bytes around the buggy address:
0x0c4a7fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff9900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff9910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c4a7fff9920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff9930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff9940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff9950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff9960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==31435==ABORTING
`_jsi_TOQ` is defined as `interp->Stack[interp->framePtr->Sp-2]` on line 11.
In this case, on line 1363, `interp->framePtr->Sp` equals 1; subtracting 2 from it caused an integer overflow.
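The index underflow described in the two sentences above, as an added C example that is not jsish's own code: a hypothetical, simplified model of the interpreter value stack (`Value`, `VStack`, `Sp`, `maxSp`, `toq_byte_offset`, `toq_checked` and `checked_access_ok` are assumed names) shows why `Sp == 1` puts `Stack[Sp-2]` exactly 8 bytes before the heap region, and the bounds check that keeps the accessor inside it.

```c
#include <stdio.h>

/* Hypothetical, simplified model of an interpreter value stack. The names
   (Value, VStack, Sp, maxSp, toq_*) are assumptions for this example, not
   jsish's own code. Each slot holds a pointer, 8 bytes on x86_64, which is
   why an index of -1 lands exactly 8 bytes left of the heap region. */
typedef struct Value Value;

typedef struct {
    Value **Stack;  /* heap-allocated slot array (the region in the report) */
    int     Sp;     /* stack pointer: number of live slots */
    int     maxSp;  /* capacity of Stack in slots */
} VStack;

/* Unchecked access in the shape of the macro in the report, Stack[Sp-2].
   Never evaluated here: with Sp == 1 it reads Stack[-1], the left redzone. */
#define TOQ_UNCHECKED(vs) ((vs)->Stack[(vs)->Sp - 2])

/* Byte offset of Stack[Sp-2] from the start of the region. A negative value
   means the read falls before the allocation (ASan's "to the left of"). */
long toq_byte_offset(int sp) {
    return ((long)sp - 2) * (long)sizeof(Value *);
}

/* Bounds-checked accessor: rejects any index below the stack bottom or at or
   beyond capacity. Returns 1 and stores the slot on success, 0 otherwise. */
int toq_checked(const VStack *vs, Value **out) {
    int idx = vs->Sp - 2;
    if (idx < 0 || idx >= vs->maxSp)
        return 0;
    *out = vs->Stack[idx];
    return 1;
}

/* Helper: does the checked accessor accept a 4-slot stack with Sp == sp? */
int checked_access_ok(int sp) {
    Value *slots[4] = { 0 };       /* constructed sample stack */
    VStack vs = { slots, sp, 4 };
    Value *v = NULL;
    return toq_checked(&vs, &v);
}

int main(void) {
    /* Sp == 1 is the state from the report: offset -8, access refused. */
    printf("Sp=1: byte offset %ld, checked access ok=%d\n",
           toq_byte_offset(1), checked_access_ok(1));
    return 0;
}
```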
jsish revision: 4e5066c (master)
Build platform: Ubuntu 16.04.7 LTS (Linux 4.15.0-142-generic x86_64)
Build steps:
Test case: poc.js
Output: the AddressSanitizer report above.