
illegal memcpy during njs_vmcode_typeof in /njs/src/njs_vmcode.c:1521:18 #450

Closed
anonym0us1337 opened this issue Dec 24, 2021 · 2 comments


anonym0us1337 commented Dec 24, 2021

Env

Version    : 0.7.0
Git Commit : 2da5d8b246b806bee6f74b575217ec3b61a25548
OS         : Ubuntu 20.04
Configure  : ./configure --address-sanitizer=YES

POC

function main() {
    const v2 = new ArrayBuffer();
    const v3 = new DataView(v2);
    const v5 = typeof v3;
}
main();

Stack Dump

AddressSanitizer:DEADLYSIGNAL
=================================================================
==466645==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe5fea5cc5b bp 0x7ffe64718cb0 sp 0x7ffe64718468 T0)
==466645==The signal is caused by a READ memory access.
==466645==Hint: address points to the zero page.
    #0 0x7fe5fea5cc5b in memcpy /build/glibc-eX1tMB/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:142
    #1 0x495737 in __asan_memcpy (/home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/build/njs+0x495737)
    #2 0x4e54bf in njs_vmcode_typeof /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_vmcode.c:1521:18
    #3 0x4e54bf in njs_vmcode_interpreter /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_vmcode.c:594:23
    #4 0x53ae40 in njs_function_lambda_call /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_function.c:701:11
    #5 0x4e4648 in njs_vmcode_interpreter /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_vmcode.c:783:23
    #6 0x4dea17 in njs_vm_start /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_vm.c:493:11
    #7 0x4c7f3d in njs_process_script /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_shell.c:881:19
    #8 0x4c7375 in njs_process_file /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_shell.c:615:11
    #9 0x4c7375 in main /home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/src/njs_shell.c:315:15
    #10 0x7fe5fe9c50b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x41dabd in _start (/home/anonym0us/Git/fuzzilli-njs/njs-origin/njs/build/njs+0x41dabd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-eX1tMB/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:142 in memcpy
==466645==ABORTING

Credit

P1umer, afang5472, Kotori of NeSE@IIE

Contributor

drsm commented Dec 24, 2021

Hi!
@anonym0us1337

Thank you for the report.

Here is the patch:

# HG changeset patch
# User Artem S. Povalyukhin <artem.povaluhin@gmail.com>
# Date 1640329215 -10800
#      Fri Dec 24 10:00:15 2021 +0300
# Node ID 53b292346e7f63c3ea952ab08aa8619d955a8bc2
# Parent  4d4657128baffb8eb6b6958c436075387b57530f
Fixed null pointer dereference in njs_vmcode_typeof.

diff -r 4d4657128baf -r 53b292346e7f src/njs_vmcode.c
--- a/src/njs_vmcode.c  Tue Dec 21 17:42:26 2021 +0000
+++ b/src/njs_vmcode.c  Fri Dec 24 10:00:15 2021 +0300
@@ -1516,6 +1516,7 @@ njs_vmcode_typeof(njs_vm_t *vm, njs_valu
         &njs_string_object,
         &njs_string_object,
         &njs_string_object,
+        &njs_string_object,
     };
 
     vm->retval = *types[value->type];
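Review bot: the added `&njs_string_object` entry closes the hole for this one tag only; `vm->retval = *types[value->type];` still indexes `types[]` with no bounds check, so the next value type appended to the type enum would reopen the same null pointer dereference (the missing trailing initializer is zeroed, and `*types[...]` then reads through NULL, which is the memcpy-from-address-0 seen in the report). Suggest declaring the table with the enum's terminator as its size and adding a compile-time assertion that the initializer count equals that terminator, so an incomplete table fails the build rather than the interpreter.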
diff -r 4d4657128baf -r 53b292346e7f src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c  Tue Dec 21 17:42:26 2021 +0000
+++ b/src/test/njs_unit_test.c  Fri Dec 24 10:00:15 2021 +0300
@@ -6390,6 +6390,9 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("(new DataView(new ArrayBuffer(3)))"),
       njs_str("[object DataView]") },
 
+    { njs_str("var x = new ArrayBuffer(3); [typeof x, typeof new DataView(x)]"),
+      njs_str("object,object") },
+
     { njs_str("(new DataView(new ArrayBuffer(3))).buffer"),
       njs_str("[object ArrayBuffer]") },
 
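Review bot: the new test case gives no hint that it is a regression test; a one-line comment above `var x = new ArrayBuffer(3); [typeof x, typeof new DataView(x)]` naming the null pointer dereference this changeset fixes would keep a later cleanup from dropping it. It would also be worth adding the reporter's exact input, a DataView over a zero-length `new ArrayBuffer()`, so the crashing case itself is exercised rather than only a 3-byte variant.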

@xeioex xeioex added this to the 0.7.1 milestone Dec 24, 2021

P1umer commented Feb 15, 2022

This issue was assigned CVE-2021-46461.
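The root cause above is a classic one: a string table indexed directly by a value-type tag was one initializer short, so the newest tag (DataView) landed on a zero-initialized, NULL slot. The following is an added example written for this thread, not njs code; the enum names, table contents and helper functions are hypothetical and only mirror the shape of the `njs_vmcode_typeof` table. It shows the short table beside a completed one guarded by a compile-time size check and a lookup that fails closed instead of dereferencing a hole.

```c
/* Added example (not njs code): keeping a typeof dispatch table in sync
 * with the value-type enum that indexes it.  Enum, tables and helpers
 * are hypothetical and constructed for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical value tags; T_DATAVIEW is the most recently added one. */
enum value_type {
    T_UNDEFINED, T_NULL, T_BOOLEAN, T_NUMBER, T_STRING,
    T_FUNCTION, T_OBJECT, T_ARRAY, T_ARRAY_BUFFER, T_DATAVIEW,
    T_COUNT  /* number of tags; must stay last */
};

/* "Before": hand-written table with one initializer too few.  C zero-fills
 * the missing trailing element, so T_DATAVIEW maps to a NULL pointer, the
 * same defect class that crashed njs (memcpy reading from address 0). */
static const char *const typeof_short[T_COUNT] = {
    "undefined", "object", "boolean", "number", "string",
    "function", "object", "object", "object",
    /* T_DATAVIEW entry missing */
};

/* "After": designated initializers make each tag's string explicit, and
 * the static assertion fails the build if the highest tag is missing
 * (a missing middle tag still becomes a NULL hole, which the runtime
 * check below catches). */
static const char *const typeof_full[] = {
    [T_UNDEFINED]    = "undefined",
    [T_NULL]         = "object",
    [T_BOOLEAN]      = "boolean",
    [T_NUMBER]       = "number",
    [T_STRING]       = "string",
    [T_FUNCTION]     = "function",
    [T_OBJECT]       = "object",
    [T_ARRAY]        = "object",
    [T_ARRAY_BUFFER] = "object",
    [T_DATAVIEW]     = "object",
};
_Static_assert(sizeof(typeof_full) / sizeof(typeof_full[0]) == T_COUNT,
               "typeof table must cover every value tag");

/* Bounds-checked lookup: returns NULL for an out-of-range tag or a table
 * hole instead of handing back a pointer that will be dereferenced. */
static const char *typeof_lookup(const char *const *table, int tag)
{
    if (tag < 0 || tag >= T_COUNT) {
        return NULL;
    }
    return table[tag];  /* NULL if this slot was never initialized */
}

/* Returns 1 when every tag in [0, T_COUNT) has a string, 0 otherwise.
 * Suitable as a startup self-check or a unit test. */
static int table_is_complete(const char *const *table)
{
    for (int t = 0; t < T_COUNT; t++) {
        if (typeof_lookup(table, t) == NULL) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    printf("short table complete: %d\n", table_is_complete(typeof_short));
    printf("full table complete:  %d\n", table_is_complete(typeof_full));
    printf("typeof DataView (full table): %s\n",
           typeof_lookup(typeof_full, T_DATAVIEW));
    return 0;
}
```

The static assertion is what the patch above lacks: it ties the table length to the enum terminator, so adding a tag without its string is a compile error rather than a crash in the interpreter. The runtime `table_is_complete` check is the cheap complement for holes the assertion cannot see.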
