cesanta / mjs

Embedded JavaScript engine for C/C++
https://mongoose-os.com

Segmentation Fault in getprop_builtin_foreign #254

Open pip-izony opened 8 months ago

pip-izony commented 8 months ago

Environment

Ubuntu 22.04.3 LTS

Compiler

clang version 11.0.0 Target: x86_64-unknown-linux-gnu Thread model: posix

Affected Version

mjs 2.20.0

Steps to reproduce

cd mjs 
git checkout b1b6eac6b1e5b830a5cb14f8f4dc690ef3162551 
export LDFLAGS="-lpthread -latomic" 
./afl-clang -DMJS_MAIN mjs.c -fno-inline -ldl -o mjs-bin -fsanitize=address -g 
./mjs-bin -f PoCfile 

Contents of PoCfile

die[8888888888]

Expected behavior

Print error or warning messages handled within mjs.

Current behavior

AddressSanitizer:DEADLYSIGNAL 
================================================================= 
==203500==ERROR: AddressSanitizer: SEGV on unknown address 0x000012239818 (pc 0x000000555e16 bp 0x7ffd2723c930 sp 0x7ffd2723c860 T0) 
==203500==The signal is caused by a READ memory access. 
    #0 0x555e16 in getprop_builtin_foreign /mjs/mjs.c:8472:31 
    #1 0x55392c in getprop_builtin /mjs/mjs.c:8509:17 
    #2 0x527c8e in mjs_execute /mjs/mjs.c:8661:14 
    #3 0x523d0c in mjs_exec_internal /mjs/mjs.c:9044:5 
    #4 0x5240a7 in mjs_exec_file /mjs/mjs.c:9067:11 
    #5 0x52c77d in main /mjs/mjs.c:11406:13 
    #6 0x7f39b8195082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16 
    #7 0x41c3bd in _start (/mjs/mjs-bin+0x41c3bd) 
AddressSanitizer can not provide additional info. 
SUMMARY: AddressSanitizer: SEGV /mjs/mjs.c:8472:31 in getprop_builtin_foreign 
==203500==ABORTING 

Conclusion

The bug was triggered due to an attempt to access memory locations that are restricted when the input string contains Built-in APIs. This report specifically provides information when the input string contained the substring "die" (input string: "die[8888888888]"). The presence of "die[88888888]" within the input string led to a segmentation fault, as it incorrectly identified an inaccessible address of the Built-in APIs as an accessible foreign pointer. Upon further testing with other Built-in APIs, it was discovered that the issue applied to all of the Built-in APIs mentioned in the README.md documentation.

I will submit a Pull Request to address this issue.
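As an added illustration (not code from the mjs project or from this report), the standalone C model below shows the dispatch gap the report describes and a hardened numeric-index lookup: a value tagged as a built-in function is refused, and a foreign pointer is only dereferenced inside a recorded length. The tags, the `len` field, `die_stub` and the sample buffer are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not mjs code: a built-in API such as die and a
 * user-supplied foreign pointer both carry a raw address, and the crash in
 * the report comes from indexing the former as if it were the latter. The
 * tag and the len field are assumptions of this model. */
enum tag { T_NUMBER, T_FOREIGN, T_BUILTIN };

struct value {
  enum tag tag;
  const uint8_t *ptr;   /* T_FOREIGN: base of a caller-owned buffer */
  size_t len;           /* T_FOREIGN: readable bytes starting at ptr */
  void (*fn)(void);     /* T_BUILTIN: the C function behind the API */
};

/* Numeric-index lookup with each gap behind the crash closed: a built-in
 * function is not byte-addressable, the index must be a non-negative
 * integer, and it must lie inside the recorded length. Comparisons are done
 * in double before narrowing, so 8888888888 (wider than int) is rejected
 * instead of wrapped. Returns the byte (0..255) or -1 on rejection. */
static int getprop_safe(const struct value *obj, double idx) {
  if (obj->tag != T_FOREIGN) return -1;          /* die[...]: not indexable */
  if (!(idx >= 0.0)) return -1;                  /* negative or NaN */
  if (idx >= (double) obj->len) return -1;       /* out of bounds */
  if ((double) (size_t) idx != idx) return -1;   /* fractional index */
  return obj->ptr[(size_t) idx];
}

static void die_stub(void) {}  /* stand-in for the engine's die built-in */

/* Constructed sample values: the die built-in and a 4-byte foreign buffer. */
static const uint8_t sample[4] = {0xde, 0xad, 0xbe, 0xef};
static const struct value die_value = {T_BUILTIN, NULL, 0, die_stub};
static const struct value buf_value = {T_FOREIGN, sample, sizeof sample, NULL};

int main(void) {
  printf("die[8888888888] -> %d\n", getprop_safe(&die_value, 8888888888.0));
  printf("buf[2]          -> %d\n", getprop_safe(&buf_value, 2));
  printf("buf[4]          -> %d\n", getprop_safe(&buf_value, 4));
  return 0;
}
```

With the checks in place the PoC index is refused before any pointer arithmetic happens, whereas the unguarded path narrows 8888888888 to int and dereferences whatever address results.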

pip-izony commented 8 months ago

This issue has been assigned CVE-2023-50044