I discovered a vulnerability that could potentially lead to function pointer hijacking. I believe this is a logical vulnerability since it does not trigger any out-of-bounds (OOB) or use-after-free (UAF) assertions when compiled with AddressSanitizer. An attacker can exploit this vulnerability by providing a specially crafted input to the affected program, leading to the execution of arbitrary code.
The function hijack happened in mjs.c:8824:
call_stack_push_frame(mjs, bp.start_idx + i, retval_stack_idx);
/* Perform the cfunction call */
((void (*) (struct mjs *)) mjs_get_ptr(mjs, *func))(mjs);
call_stack_restore_frame(mjs);
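As an added example (not mjs code; the `vm`, registry and native names are hypothetical), one mitigation for the CWE-822 pattern in the snippet above: treat the script-supplied value as an opaque number and invoke it only when it matches a pointer the host registered, instead of casting it to a function pointer and calling it directly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct vm;
typedef void (*cfunc_t)(struct vm *);

#define MAX_CFUNCS 8

struct vm {
    cfunc_t registered[MAX_CFUNCS]; /* allowlist of host-registered natives */
    size_t n_registered;
    long counter;                   /* state the sample native mutates */
};

/* Host side: register a native function; returns its index, or -1 when the table is full. */
int vm_register_cfunc(struct vm *vm, cfunc_t f) {
    if (vm->n_registered >= MAX_CFUNCS) return -1;
    vm->registered[vm->n_registered] = f;
    return (int)vm->n_registered++;
}

/* Interpreter side: the value taken from the script is only an opaque number.
 * It is callable solely if it equals a pointer the host registered; anything else
 * is refused instead of being cast and invoked (the pattern the report describes). */
int vm_call_cfunc_checked(struct vm *vm, uintptr_t candidate) {
    for (size_t i = 0; i < vm->n_registered; i++) {
        if ((uintptr_t)vm->registered[i] == candidate) {
            vm->registered[i](vm);
            return 1;
        }
    }
    fprintf(stderr, "refused call to unregistered pointer 0x%lx\n", (unsigned long)candidate);
    return 0;
}

/* Sample native the host deliberately exposes to scripts. */
static void native_increment(struct vm *vm) { vm->counter++; }

/* A function the host never registered: a script value must not be able to reach it. */
static void native_hidden(struct vm *vm) { vm->counter = -1; }

/* Constructed scenario: the registered call succeeds, the forged pointer is rejected. */
int demo(void) {
    struct vm vm = {0};
    vm_register_cfunc(&vm, native_increment);
    int ok = vm_call_cfunc_checked(&vm, (uintptr_t)native_increment);  /* allowed */
    int forged = vm_call_cfunc_checked(&vm, (uintptr_t)native_hidden); /* refused */
    return ok == 1 && forged == 0 && vm.counter == 1;
}
```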
Function Pointer Hijack mjs/mjs.c in mjs_execute
Affected Projects
mjs 2.20.0 (https://github.com/cesanta/mjs)
Problem Type
CWE-822 (Untrusted Pointer Dereference)
Description
PoC:
Log: