
heap-buffer-overflow in function mjs_execute (at mjs.c:8531)

Open · Vancir opened this issue 1 year ago · 0 comments

I found a heap buffer overflow while mjs (latest, b1b6eac) executes the PoC on Ubuntu 20.04.

Download the PoC: mjs_heap-buffer-overflow_mjs8531.zip

ASAN Report

==346708==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000000c0 at pc 0x0000004e0bee bp 0x7fff3f6c0410 sp 0x7fff3f6c0408
READ of size 8 at 0x6040000000c0 thread T0
    #0 0x4e0bed in mjs_execute /data/song/projects/latest-programs/mjs/BUILD/mjs.c:8531:38
    #1 0xc2a00000013  (<unknown module>)

0x6040000000c0 is located 0 bytes to the right of 48-byte region [0x604000000090,0x6040000000c0)
allocated by thread T0 here:
    #0 0x49a529 in realloc (/data/song/projects/latest-programs/mjs/mjs-bin+0x49a529)
    #1 0x4cc463 in mbuf_insert /data/song/projects/latest-programs/mjs/BUILD/mjs.c:4095:18
    #2 0x4cc686 in mbuf_append /data/song/projects/latest-programs/mjs/BUILD/mjs.c:4118:10
    #3 0x4dc92c in push_mjs_val /data/song/projects/latest-programs/mjs/BUILD/mjs.c:7868:3
    #4 0x4de4d5 in call_stack_push_frame /data/song/projects/latest-programs/mjs/BUILD/mjs.c:8015:3
    #5 0x4e077c in mjs_execute /data/song/projects/latest-programs/mjs/BUILD/mjs.c:8821:11
    #6 0x4dd8ee in mjs_exec_internal /data/song/projects/latest-programs/mjs/BUILD/mjs.c:9044:5
    #7 0x4ddaeb in mjs_exec_file /data/song/projects/latest-programs/mjs/BUILD/mjs.c:9067:11
    #8 0x4e1df7 in main /data/song/projects/latest-programs/mjs/BUILD/mjs.c:11406:13
    #9 0x7f5f76dfcd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Steps to reproduce

git clone https://github.com/cesanta/mjs.git
cd mjs
clang -g -O1 -fsanitize=address -fno-omit-frame-pointer -Wno-error -DMJS_MAIN mjs.c -ldl -o mjs_asan
./mjs_asan -f PoC

Vancir · Nov 19 '24 16:11
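As an added illustration of the defect class the ASAN output points at (an 8-byte read landing 0 bytes past the end of an exact-fit 48-byte region, i.e. an index equal to the number of stored values), here is a hypothetical value stack with bounds-checked read and pop. This is not code from the mjs project and makes no claim about the actual root cause at mjs.c:8531; the names (`vstack`, `vstack_push`, `vstack_at`, `demo_rejected_reads`, `demo_rejected_pops`) and the one-element-at-a-time growth policy are assumptions chosen so that six pushes produce a 48-byte region like the one in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical value stack, loosely modelled on the mbuf / push_mjs_val pattern
 * that appears in the allocation trace above. Illustration code only, not
 * mjs's own implementation, and not a claim about the real root cause. */
typedef uint64_t val_t;            /* 8 bytes, the READ size in the report */

struct vstack {
    val_t *buf;
    size_t len;                    /* values currently stored */
    size_t cap;                    /* values the region can hold */
};

/* Grow by exactly one element so the region is always exact-fit; six pushes
 * yield a 48-byte region like the one in the report (assumption for the demo). */
static int vstack_push(struct vstack *s, val_t v) {
    if (s->len == s->cap) {
        val_t *nb = realloc(s->buf, (s->cap + 1) * sizeof *nb);
        if (nb == NULL) return -1;
        s->buf = nb;
        s->cap += 1;
    }
    s->buf[s->len++] = v;
    return 0;
}

/* The defect class the ASAN output points at: an index equal to len reads the
 * 8 bytes immediately after the last valid value, i.e. "0 bytes to the right"
 * of an exact-fit region. Kept only for contrast; never called out of range. */
val_t vstack_at_unchecked(const struct vstack *s, size_t i) {
    return s->buf[i];
}

/* Bounds-checked read: 0 on success, -1 if i is not in [0, len). */
static int vstack_at(const struct vstack *s, size_t i, val_t *out) {
    if (i >= s->len) return -1;
    *out = s->buf[i];
    return 0;
}

/* Underflow-checked pop: 0 on success, -1 on an empty stack. */
static int vstack_pop(struct vstack *s, val_t *out) {
    if (s->len == 0) return -1;
    *out = s->buf[--s->len];
    return 0;
}

/* Push six values (48-byte region), then read indices 0..6 through the checked
 * accessor. Returns how many reads were refused: exactly one, index 6 == len.
 * Returns -1 on allocation failure, -2 if the region is not 48 bytes. */
int demo_rejected_reads(void) {
    struct vstack s = {0};
    for (val_t v = 1; v <= 6; v++)
        if (vstack_push(&s, v) != 0) { free(s.buf); return -1; }
    if (s.cap * sizeof(val_t) != 48) { free(s.buf); return -2; }
    int rejected = 0;
    for (size_t i = 0; i <= s.len; i++) {
        val_t out;
        if (vstack_at(&s, i, &out) != 0) rejected++;
    }
    free(s.buf);
    return rejected;
}

/* Push three values, then pop four times. Returns the number of refused pops:
 * exactly one, the pop attempted on the empty stack. */
int demo_rejected_pops(void) {
    struct vstack s = {0};
    for (val_t v = 1; v <= 3; v++)
        if (vstack_push(&s, v) != 0) { free(s.buf); return -1; }
    int rejected = 0;
    val_t out;
    for (int n = 0; n < 4; n++)
        if (vstack_pop(&s, &out) != 0) rejected++;
    free(s.buf);
    return rejected;
}

int main(void) {
    printf("refused reads: %d, refused pops: %d\n",
           demo_rejected_reads(), demo_rejected_pops());
    return 0;
}
```

Built with the same `-fsanitize=address` flags as the reproduction steps, a call to `vstack_at_unchecked` with an index equal to `len` would produce a report of the same shape as the one above (READ of size 8, 0 bytes to the right of a 48-byte region allocated by `realloc`); the checked accessor returns an error instead, which is the check a fix for this bug class needs wherever an index derived from interpreter state is used to read from a growable buffer.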