cesanta / mjs

Embedded JavaScript engine for C/C++
https://mongoose-os.com

AddressSanitizer: heap-buffer-overflow on address 0x60600000eff5 at pc 0x00000040a9e2 bp 0x7fff0c2e8de0 sp 0x7fff0c2e8dd0 #150

Open joanxqdeng opened 4 years ago

joanxqdeng commented 4 years ago

Here are 3 errors.

ERROR 1: ./id:000007,sig:06,src:003011,op:havoc,rep:8 mjs.out: mjs.c:10530: get_cb_impl_by_signature: Assertion `userdata_idx > 0' failed. run_crashes.sh: line 29: 2327 Aborted (core dumped) ../../../../target/mjs/mjs.out $line poc1.txt

ERROR 2 ./id:000019,sig:06,src:002654,op:havoc,rep:2 mjs.out: mjs.c:12088: frozen_cb: Assertion `ctx->frame == NULL' failed. run_crashes.sh: line 29: 2523 Aborted (core dumped) ../../../../target/mjs/mjs.out $line poc2.txt

ERROR 3 ./id:000000,sig:06,src:000006,op:havoc,rep:2

==2619==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000eff5 at pc 0x00000040a9e2 bp 0x7fff0c2e8de0 sp 0x7fff0c2e8dd0
READ of size 1 at 0x60600000eff5 thread T0
    #0 0x40a9e1 in json_get_escape_len /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5834
    #1 0x40a9e1 in json_parse_string /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5894
    #2 0x410366 in json_parse_string /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5814
    #3 0x410366 in json_parse_value /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5993
    #4 0x413683 in json_parse_pair /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:6058
    #5 0x413683 in json_parse_object /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:6070
    #6 0x413683 in json_parse_value /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5996
    #7 0x44ac53 in json_doit /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:6083
    #8 0x44ac53 in json_walk /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:6466
    #9 0x46f3a0 in mjs_json_parse /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:12132
    #10 0x46f3a0 in mjs_op_json_parse /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:12192
    #11 0x496f16 in mjs_execute /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:9647
    #12 0x49b9b7 in mjs_exec_internal /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:9865
    #13 0x40340b in mjs_exec_file /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:9888
    #14 0x40340b in main /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:12244
    #15 0x7f96c168382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x403bb8 in _start (/home/joanking/abs/MemLock/tool/target/mjs/mjs.out+0x403bb8)

0x60600000eff5 is located 0 bytes to the right of 53-byte region [0x60600000efc0,0x60600000eff5)
allocated by thread T0 here:
    #0 0x7f96c1cc9602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x46f370 in mjs_json_parse /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:12130
    #2 0x46f370 in mjs_op_json_parse /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:12192
    #3 0x46ee6f  (/home/joanking/abs/MemLock/tool/target/mjs/mjs.out+0x46ee6f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/joanking/abs/MemLock/tool/target/mjs/mjs.c:5834 json_get_escape_len
Shadow bytes around the buggy address:
  0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9df0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00[05]fa
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==2619==ABORTING
poc3.txt
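The third report is a one-byte READ exactly at the end of a 53-byte heap region, raised from json_get_escape_len while parsing a JSON string. The page does not state the root cause; the added example below (not mjs code, written for this issue) assumes the class of defect such a trace usually indicates, an escape-length routine that inspects the byte after a backslash without checking how many bytes remain, and shows a length-bounded version that rejects a truncated escape instead of reading past the buffer. The function names `escape_len_bounded` and `count_escapes` are hypothetical.

```c
/* Added illustration, not cesanta/mjs source. Length-bounded handling of
 * JSON escape sequences in a buffer that is NOT assumed to be
 * NUL-terminated, which is the situation in a heap region of exactly
 * the input's size. */
#include <stddef.h>
#include <ctype.h>

/* Returns nonzero if c is a hexadecimal digit. */
static int is_hex(unsigned char c) { return isxdigit(c) != 0; }

/* s[0] is assumed to be the backslash; len is the number of bytes that
 * are still valid starting at s. Returns the escape length (2 or 6) or
 * -1 if the buffer ends before the escape is complete or the escape is
 * not a valid JSON escape. The length check comes BEFORE any read of
 * s[1..5], so a trailing backslash can never cause an overread. */
int escape_len_bounded(const char *s, size_t len) {
    if (len < 2) return -1;                  /* backslash is the last byte */
    switch (s[1]) {
        case '"': case '\\': case '/': case 'b':
        case 'f': case 'n': case 'r': case 't':
            return 2;
        case 'u':
            if (len < 6) return -1;          /* need \uXXXX in full */
            for (size_t i = 2; i < 6; i++)
                if (!is_hex((unsigned char) s[i])) return -1;
            return 6;
        default:
            return -1;                       /* not a JSON escape */
    }
}

/* Walk a JSON string body (without the surrounding quotes) and count its
 * escapes, refusing input whose last escape is truncated.
 * Returns the escape count, or -1 on malformed input. */
int count_escapes(const char *s, size_t len) {
    int n = 0;
    for (size_t i = 0; i < len; ) {
        if (s[i] == '\\') {
            int el = escape_len_bounded(s + i, len - i);
            if (el < 0) return -1;           /* stop, do not read past len */
            i += (size_t) el;
            n++;
        } else {
            i++;
        }
    }
    return n;
}
```

Running the same inputs under ASan with a heap buffer sized exactly to the input is a quick regression check for any parser of this shape.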