pcmacdon / jsish

Jsi is a small, C-embeddable javascript interpreter with tightly woven Web and DB support.
https://jsish.org/
MIT License

Heap-use-after-free src/jsiFunc.c:207 in jsi_ArgTypeCheck #85

Closed hope-fly closed 2 years ago

hope-fly commented 2 years ago
Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

export CFLAGS='-fsanitize=address'
make

Test case

var JSEtest = [
  'aa',
  'gg',
  'hhh',
  'mm',
  'nn'
];
'sort:' + JSEtest.sort(function (str, position) {
  return JSEtest.unshift('pop:' + JSEtest.pop());
});
!'concat:' + JSEtest.concat().every(function (E) {
  return 'sort:' + JSEtest.sort(function (str, position) {
    return JSEtest.unshift('pop:' + JSEtest.pop());
  });
});

Execution steps & Output

$ ./jsish/jsish poc.js
=====ERROR: AddressSanitizer: heap-use-after-free on address 0x603000007458 at pc 0x5566730cf1ca bp 0x7ffe092500c0 sp 0x7ffe092500b0
READ of size 1 at 0x603000007458 thread T0
    #0 0x5566730cf1c9 in jsi_ArgTypeCheck src/jsiFunc.c:207
    #1 0x556673158c49 in jsi_FuncCallSub src/jsiProto.c:263
    #2 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796
    #3 0x55667342171a in jsiEvalFunction src/jsiEval.c:837
    #4 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264
    #5 0x55667343515e in jsi_evalcode src/jsiEval.c:2204
    #6 0x556673158834 in jsi_FuncCallSub src/jsiProto.c:220
    #7 0x5566730d4fec in jsi_FunctionInvoke src/jsiFunc.c:777
    #8 0x5566730d4fec in Jsi_FunctionInvoke src/jsiFunc.c:789
    #9 0x556673186fa8 in SortSubCmd src/jsiArray.c:970
    #10 0x7f067f973311  (/lib/x86_64-linux-gnu/libc.so.6+0x42311)
    #11 0x7f067f9736b5 in qsort_r (/lib/x86_64-linux-gnu/libc.so.6+0x426b5)
    #12 0x55667318a611 in jsi_ArraySortCmd src/jsiArray.c:1065
    #13 0x556673157818 in jsi_FuncCallSub src/jsiProto.c:244
    #14 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796
    #15 0x55667342171a in jsiEvalFunction src/jsiEval.c:837
    #16 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264
    #17 0x55667343515e in jsi_evalcode src/jsiEval.c:2204
    #18 0x556673158834 in jsi_FuncCallSub src/jsiProto.c:220
    #19 0x5566730d4fec in jsi_FunctionInvoke src/jsiFunc.c:777
    #20 0x5566730d4fec in Jsi_FunctionInvoke src/jsiFunc.c:789
    #21 0x55667319bf64 in jsi_ArrayFindSubCmd src/jsiArray.c:576
    #22 0x55667319bf64 in jsi_ArrayEveryCmd src/jsiArray.c:663
    #23 0x556673157818 in jsi_FuncCallSub src/jsiProto.c:244
    #24 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796
    #25 0x55667342171a in jsiEvalFunction src/jsiEval.c:837
    #26 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264
    #27 0x55667343515e in jsi_evalcode src/jsiEval.c:2204
    #28 0x556673439274 in jsi_evalStrFile src/jsiEval.c:2665
    #29 0x55667312866a in Jsi_Main src/jsiInterp.c:936
    #30 0x55667392d03a in jsi_main src/main.c:47
    #31 0x7f067f952bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #32 0x5566730bc969 in _start (/usr/local/bin/jsish+0xe8969)

0x603000007458 is located 8 bytes inside of 32-byte region [0x603000007450,0x603000007470)
freed by thread T0 here:
    #0 0x7f06805c17a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x5566730dd6cf in Jsi_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here:
    #0 0x7f06805c1d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55667312daa4 in Jsi_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiFunc.c:207 in jsi_ArgTypeCheck
Shadow bytes around the buggy address:
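As an added illustration, not code from Jsi or from the fix referenced later in this thread, the C model below reproduces the bug class the trace points at: the sort hands array elements to the user comparator without taking its own reference, so a pop() inside the comparator drops an element's last reference and the argument access after the call reads freed memory; pinning both arguments for the duration of the call closes that window. The Value/Array types, mutating_cmp, invoke_cmp and the pin-the-arguments fix are assumptions made for this example; they are not Jsi's Jsi_Value or the change made for #86.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a refcounted interpreter value (not Jsi's Jsi_Value).
 * A value whose refcount reaches zero is flagged rather than released, so the
 * dangling access can be observed by a test instead of by ASan. */
typedef struct { int refcnt; int freed; const char *str; } Value;
typedef struct { Value *items[8]; int len; } Array;

static Value *val_new(const char *s) { Value *v = calloc(1, sizeof *v); v->refcnt = 1; v->str = s; return v; }
static void val_decr(Value *v) { if (--v->refcnt == 0) v->freed = 1; }
static void arr_pop(Array *a) { if (a->len) val_decr(a->items[--a->len]); }
static void arr_unshift(Array *a, Value *v) {   /* array takes over v's ref */
  if (a->len >= 8) { val_decr(v); return; }
  memmove(&a->items[1], &a->items[0], (size_t)a->len * sizeof v);
  a->items[0] = v; a->len++;
}

/* Comparator mirroring the PoC: pop() drops the array's reference to the
 * last element, unshift() keeps the length unchanged. */
static int mutating_cmp(Value *x, Value *y, Array *a) {
  (void)x; (void)y; arr_pop(a);
  arr_unshift(a, val_new("pop:"));
  return a->len;
}

/* Interpreter side of one comparator call. Passed bare (hold_refs == 0), an
 * element popped inside the callback reaches refcount zero, and the argument
 * check after the call (jsi_ArgTypeCheck in the report) touches freed memory.
 * With hold_refs the caller pins both arguments for the duration of the call.
 * Returns 1 if a freed argument was accessed. */
static int invoke_cmp(Array *a, int i, int j, int hold_refs) {
  Value *x = a->items[i], *y = a->items[j];
  if (hold_refs) { x->refcnt++; y->refcnt++; }
  mutating_cmp(x, y, a);
  int dangling = x->freed || y->freed;    /* the post-call argument access */
  if (hold_refs) { val_decr(x); val_decr(y); }
  return dangling;
}

/* Build the PoC's array and compare its last two elements, as a sort will
 * eventually do. Returns 1 if a use-after-free would have occurred. */
static int sort_step_check(int hold_refs) {
  Array a = {{0}, 0};
  const char *init[] = {"aa", "gg", "hhh", "mm", "nn"};
  for (int k = 0; k < 5; k++) a.items[a.len++] = val_new(init[k]);
  return invoke_cmp(&a, a.len - 2, a.len - 1, hold_refs);
}
```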

hope-fly commented 2 years ago

This issue may be related to #74 & #80, especially the POC, but I'm not sure. I'm reporting this issue to assist your debugging.

pcmacdon commented 2 years ago

See fix for issue #86