Headline
CVE-2022-29379: [Fixed] njs 0.7.3 was discovered to contain a stack-buffer-overflow bug in njs_default_module_loader · Issue #493 · nginx/njs
Nginx NJS v0.7.3 was discovered to contain a stack overflow in the function njs_default_module_loader at /src/njs/src/njs_module.c.
Description
njs 0.7.3, used in NGINX, was discovered to contain a stack-buffer-overflow in njs_default_module_loader (/src/njs/src/njs_module.c).
ENV
- Version : 0.7.3
- Commit : 222d6fd
- OS : Ubuntu 18.04
- Configure : CC=clang-14 ./configure --address-sanitizer=YES
BT
root@826e0eaa5e54:/src/njs_0.7.3_debug# ./build/njs /njs/out/crash_stack-buffer-overflow_1 
=================================================================
==22820==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe0b253e41 at pc 0x00000049e4ca bp 0x7ffe0b252e10 sp 0x7ffe0b2525d8
WRITE of size 21313 at 0x7ffe0b253e41 thread T0
    #0 0x49e4c9 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x55db4a in njs_module_path /src/njs_0.7.3_debug/src/njs_module.c:148:18
    #2 0x55db4a in njs_module_lookup /src/njs_0.7.3_debug/src/njs_module.c:83:11
    #3 0x55db4a in njs_default_module_loader /src/njs_0.7.3_debug/src/njs_module.c:377:11
    #4 0x55d195 in njs_parser_module /src/njs_0.7.3_debug/src/njs_module.c:56:14
    #5 0x59a737 in njs_parser_import /src/njs_0.7.3_debug/src/njs_parser.c:7793:24
    #6 0x56ed11 in njs_parser /src/njs_0.7.3_debug/src/njs_parser.c:598:23
    #7 0x4e92cd in njs_vm_compile /src/njs_0.7.3_debug/src/njs_vm.c:159:11
    #8 0x4d7c66 in njs_process_script /src/njs_0.7.3_debug/src/njs_shell.c:886:11
    #9 0x4d72bb in njs_process_file /src/njs_0.7.3_debug/src/njs_shell.c:619:11
    #10 0x4d72bb in main /src/njs_0.7.3_debug/src/njs_shell.c:303:15
    #11 0x7f566fabf0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #12 0x41ea3d in _start (/src/njs_0.7.3_debug/build/njs+0x41ea3d)
Address 0x7ffe0b253e41 is located in stack of thread T0 at offset 4129 in frame
    #0 0x55d6af in njs_default_module_loader /src/njs_0.7.3_debug/src/njs_module.c:363
  This frame has 6 object(s):
    [32, 4129) 'src.i' (line 115)
    [4400, 4544) 'sb.i' (line 173) <== Memory access at offset 4129 partially underflows this variable
    [4608, 8705) 'src.i.i' (line 115) <== Memory access at offset 4129 partially underflows this variable
    [8976, 8992) 'cwd' (line 365) <== Memory access at offset 4129 partially underflows this variable
    [9008, 9024) 'text' (line 365) <== Memory access at offset 4129 partially underflows this variable
    [9040, 13184) 'info' (line 368) <== Memory access at offset 4129 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x100041642770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100041642780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100041642790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000416427a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000416427b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000416427c0: 00 00 00 00 00 00 00 00[01]f2 f2 f2 f2 f2 f2 f2
  0x1000416427d0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x1000416427e0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8
  0x1000416427f0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
  0x100041642800: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x100041642810: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22820==ABORTING
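The trace above records a memcpy of 21313 bytes (frame #1, njs_module_path) into the 4097-byte stack array 'src' (listed as [32, 4129) in the frame), reached from njs_parser_import while resolving a module path. The defect class is a path join into a fixed stack buffer without first checking that the joined length fits. The following is an added example written for this issue, not njs's own code: it implements that join with the length check in front of the copy, and shows that a name of the reported size is refused before any byte is written. The constant MODULE_MAX_PATH (4096, inferred from the 4097-byte frame entry), the function names, and the sample directory "/etc/nginx/njs" are this example's own assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Limit inferred from the ASan frame: 'src' spans [32, 4129), i.e.
 * 4097 bytes, a MAX_PATH + 1 buffer with MAX_PATH = 4096. The constant
 * and all function names below are this example's own, not njs's. */
#define MODULE_MAX_PATH 4096

enum { PATH_OK = 0, PATH_ERROR = -1, PATH_DECLINED = -2 };

/* Counted string: start pointer plus length, not NUL-terminated. */
typedef struct {
    const char *start;
    size_t      length;
} cstr_t;

/*
 * Bounded join of dir + '/' + name into dst (MODULE_MAX_PATH + 1 bytes).
 * The total length is computed and compared against the limit BEFORE
 * any byte is copied; an unbounded memcpy of a caller-controlled name
 * into a fixed stack buffer is what the trace above reports (WRITE of
 * size 21313 into a 4097-byte frame object). Returns PATH_DECLINED for
 * an empty dir and PATH_ERROR when the result would not fit.
 */
static int
join_module_path(const cstr_t *dir, const cstr_t *name,
    char dst[MODULE_MAX_PATH + 1])
{
    int     trail = 0;
    size_t  length = name->length;
    char   *p = dst;

    if (dir != NULL) {
        if (dir->length == 0) {
            return PATH_DECLINED;
        }
        length += dir->length;
        trail = (dir->start[dir->length - 1] != '/');
        if (trail) {
            length++;                   /* room for the '/' separator */
        }
    }

    if (length > MODULE_MAX_PATH) {     /* the check: reject before copying */
        return PATH_ERROR;
    }

    if (dir != NULL) {
        memcpy(p, dir->start, dir->length);
        p += dir->length;
        if (trail) {
            *p++ = '/';
        }
    }

    memcpy(p, name->start, name->length);
    p[name->length] = '\0';
    return PATH_OK;
}

/* C-string front end: returns the status code, joined path in out. */
int
resolve_module(const char *dir, const char *name,
    char out[MODULE_MAX_PATH + 1])
{
    cstr_t  d, n;

    n.start = name;
    n.length = strlen(name);
    if (dir == NULL) {
        return join_module_path(NULL, &n, out);
    }
    d.start = dir;
    d.length = strlen(dir);
    return join_module_path(&d, &n, out);
}

/* 1 if the join succeeds and yields exactly `expected`, else 0. */
int
join_equals(const char *dir, const char *name, const char *expected)
{
    char  out[MODULE_MAX_PATH + 1];

    if (resolve_module(dir, name, out) != PATH_OK) {
        return 0;
    }
    return strcmp(out, expected) == 0;
}

/* Joins a constructed name of `name_len` bytes (all 'a') under a
 * constructed module directory and returns the status; shows that a
 * 21313-byte specifier, the size in the report, is refused. */
int
resolve_long_name(size_t name_len)
{
    char   out[MODULE_MAX_PATH + 1];
    char  *name = malloc(name_len + 1);
    int    rc;

    if (name == NULL) {
        return PATH_ERROR;
    }
    memset(name, 'a', name_len);
    name[name_len] = '\0';
    rc = resolve_module("/etc/nginx/njs", name, out);   /* dir is constructed */
    free(name);
    return rc;
}
```

The boundary worth checking when reviewing a fix of this kind is the separator: with a 14-byte directory that lacks a trailing slash, the join adds one byte, so the largest accepted name is MODULE_MAX_PATH - 15, and one byte more must fail before the copy rather than after it.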
Fixed
The issue was fixed in ab1702c.
FYI, the problem was committed in 2ff8b26, which had not been released yet.
Reference
https://huntr.dev/bounties/a244d6e7-a5ec-47ef-9d77-8c50764ffc0a/