Segmentation Fault in getprop_builtin_foreign
pip-izony opened this issue · 1 comment
Environment
Ubuntu 22.04.3 LTS
Compiler
clang version 11.0.0
Target: x86_64-unknown-linux-gnu
Thread model: posix
Affected Version
mjs 2.20.0
Steps to reproduce
cd mjs
git checkout b1b6eac6b1e5b830a5cb14f8f4dc690ef3162551
export LDFLAGS="-lpthread -latomic"
./afl-clang -DMJS_MAIN mjs.c -fno-inline -ldl -o mjs-bin -fsanitize=address -g
./mjs-bin -f PoCfile
Contents of PoCfile
die[8888888888]
Expected behavior
Print error or warning messages handled within mjs.
Current behavior
AddressSanitizer:DEADLYSIGNAL
=================================================================
==203500==ERROR: AddressSanitizer: SEGV on unknown address 0x000012239818 (pc 0x000000555e16 bp 0x7ffd2723c930 sp 0x7ffd2723c860 T0)
==203500==The signal is caused by a READ memory access.
#0 0x555e16 in getprop_builtin_foreign /mjs/mjs.c:8472:31
#1 0x55392c in getprop_builtin /mjs/mjs.c:8509:17
#2 0x527c8e in mjs_execute /mjs/mjs.c:8661:14
#3 0x523d0c in mjs_exec_internal /mjs/mjs.c:9044:5
#4 0x5240a7 in mjs_exec_file /mjs/mjs.c:9067:11
#5 0x52c77d in main /mjs/mjs.c:11406:13
#6 0x7f39b8195082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x41c3bd in _start (/mjs/mjs-bin+0x41c3bd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /mjs/mjs.c:8472:31 in getprop_builtin_foreign
==203500==ABORTING
Conclusion
The bug was triggered due to an attempt to access memory locations that are restricted when the input string contains Built-in APIs.
This report specifically provides information when the input string contained the substring "die" (input string: "die[8888888888]"). The presence of "die[88888888]" within the input string led to a segmentation fault, as it incorrectly identified an inaccessible address of the Built-in APIs as an accessible foreign pointer. Upon further testing with other Built-in APIs, it was discovered that the issue applied to all of the Built-in APIs mentioned in the README.md documentation.
I will submit a Pull Request to address this issue.
This issue has been assigned CVE-2023-50044
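To illustrate the class of bug the report describes (a built-in function value being treated as an indexable foreign pointer) and the check that prevents it, here is an added example using a small hypothetical tagged-value model. It is not mjs's code and does not reproduce its actual value representation or the logic at mjs.c:8472; the type names, constructors and the two getprop functions are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical tagged value (constructed for this example, not mjs's real layout). */
typedef enum { VAL_UNDEF, VAL_NUMBER, VAL_BUILTIN, VAL_FOREIGN } val_tag_t;

typedef struct {
  val_tag_t tag;
  union {
    double num;
    void (*builtin)(void);   /* address of a native built-in such as die() */
    const uint8_t *foreign;  /* caller-owned buffer that may be indexed by number */
  } u;
  size_t foreign_len;        /* length of the foreign buffer, 0 otherwise */
} val_t;

static void builtin_die(void) { /* stand-in for a native built-in */ }

static val_t mk_builtin(void (*fn)(void)) {
  val_t v; memset(&v, 0, sizeof v); v.tag = VAL_BUILTIN; v.u.builtin = fn; return v;
}

static val_t mk_foreign(const uint8_t *buf, size_t len) {
  val_t v; memset(&v, 0, sizeof v); v.tag = VAL_FOREIGN; v.u.foreign = buf; v.foreign_len = len; return v;
}

/* Buggy pattern: any non-number value is assumed to be a foreign pointer and
 * dereferenced. For a VAL_BUILTIN value the "pointer" is the function's code
 * address, so a large index such as 8888888888 reads far outside any mapping
 * and the process dies with SIGSEGV, as in the sanitizer trace above.
 * Never call this with a built-in; it exists only to show the confusion. */
int getprop_foreign_buggy(const val_t *obj, uint64_t idx, uint8_t *out) {
  const uint8_t *p = obj->u.foreign;   /* no tag check: type confusion */
  *out = p[idx];
  return 0;
}

/* Hardened: dispatch on the tag first, then bounds-check the buffer.
 * Returns 0 on success, -1 if the value is not a foreign pointer,
 * -2 if the index is out of range or the pointer is NULL. */
int getprop_foreign_fixed(const val_t *obj, uint64_t idx, uint8_t *out) {
  if (obj->tag != VAL_FOREIGN) return -1;            /* built-ins are not indexable */
  if (obj->u.foreign == NULL || idx >= obj->foreign_len) return -2;
  *out = obj->u.foreign[idx];
  return 0;
}
```

With the check in place, `die[8888888888]` resolves to a lookup error the interpreter can report, which is the expected behaviour the report asks for.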