
stack-use-after-scope in function mg_avprintf (at mjs.c:4697)

Open Vancir opened this issue 1 year ago • 0 comments

I found a stack-use-after-scope bug while mjs (latest, b1b6eac) executes the PoC on Ubuntu 20.04.

Download the PoC: mjs_stack-use-after-scope_mjs4697.zip

ASAN Report

==1710788==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffe3fe2ab40 at pc 0x00000043d118 bp 0x7ffe3fe29db0 sp 0x7ffe3fe29530
READ of size 2 at 0x7ffe3fe2ab40 thread T0
    #0 0x43d117 in printf_common(void*, char const*, __va_list_tag*) (/data/song/projects/latest-programs/mjs/mjs-bin+0x43d117)
    #1 0x4ced1d in mg_avprintf /data/song/projects/latest-programs/mjs/BUILD/mjs.c:4697:9
    #2 0x4cebc4 in mg_asprintf /data/song/projects/latest-programs/mjs/BUILD/mjs.c:4686:9
    #3 0x4dcdaf in mjs_prepend_errorf /data/song/projects/latest-programs/mjs/BUILD/mjs.c:7649:5
    #4 0x4db7f9 in mjs_mkstr /data/song/projects/latest-programs/mjs/BUILD/mjs.c
    #5 0x4dd8ee in mjs_exec_internal /data/song/projects/latest-programs/mjs/BUILD/mjs.c:9044:5
    #6 0x4ddaeb in mjs_exec_file /data/song/projects/latest-programs/mjs/BUILD/mjs.c:9067:11
    #7 0x4e1df7 in main /data/song/projects/latest-programs/mjs/BUILD/mjs.c:11406:13
    #8 0x7f55fa79cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f55fa79ce3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x41f344 in _start (/data/song/projects/latest-programs/mjs/mjs-bin+0x41f344)

Address 0x7ffe3fe2ab40 is located in stack of thread T0 at offset 160 in frame
    #0 0x4df2ff in mjs_execute /data/song/projects/latest-programs/mjs/BUILD/mjs.c:8521

  This frame has 13 object(s):
    [32, 36) 'llen' (line 8591)
    [48, 52) 'llen51' (line 8600)
    [64, 68) 'llen61' (line 8605)
    [80, 84) 'llen77' (line 8619)
    [96, 100) 'llen94' (line 8627)
    [112, 120) 'val138' (line 8659)
    [144, 148) 'llen183' (line 8700)
    [160, 164) 'llen198' (line 8706) <== Memory access at offset 160 is inside this variable
    [176, 180) 'llen208' (line 8713)
    [192, 196) 'llen1' (line 8833)
    [208, 212) 'llen2' (line 8833)
    [224, 228) 'l1' (line 8879)
    [240, 244) 'l2' (line 8879)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope (/data/song/projects/latest-programs/mjs/mjs-bin+0x43d117) in printf_common(void*, char const*, __va_list_tag*)

Steps to reproduce

git clone https://github.com/cesanta/mjs.git
cd mjs
clang -g -O1 -fsanitize=address -fno-omit-frame-pointer -Wno-error -DMJS_MAIN mjs.c -ldl -o mjs_asan
./mjs_asan -f PoC

Vancir, Nov 19 '24 16:11
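The frame listing above says the faulting read lands in `llen198`, a block-scoped local of `mjs_execute`, and that the read happens inside ASAN's printf interceptor rather than in `mjs_execute` itself. The following is an added illustration of that bug class and its fix; it is hypothetical code written for this note, not mjs code, and all names in it are invented:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* vsnprintf-style formatter standing in for mg_avprintf in the trace: the
 * %s argument is only dereferenced in here, inside ASAN's printf interceptor,
 * which is why the report's top frame is printf_common, not the caller. */
static int fmt(char *out, size_t cap, const char *f, ...) {
    va_list ap;
    va_start(ap, f);
    int n = vsnprintf(out, cap, f, ap);
    va_end(ap);
    return n;
}

/* BUGGY (hypothetical): 'detail' exists only inside the if block, but its
 * address escapes through 'msg' and is read after the block has ended.
 * Built with -fsanitize=address this is reported as stack-use-after-scope,
 * with the access attributed to the formatter, as in the report above. */
static int describe_buggy(char *out, size_t cap, const char *s) {
    const char *msg = "no input";
    if (s != NULL) {
        char detail[32];                       /* block-scoped stack object */
        snprintf(detail, sizeof detail, "len=%zu", strlen(s));
        msg = detail;
    }                                          /* detail's lifetime ends here */
    return fmt(out, cap, "error: %s", msg);    /* dangling read via va_list */
}

/* FIXED: hoist the buffer to function scope so it outlives every use of it. */
static int describe_fixed(char *out, size_t cap, const char *s) {
    char detail[32];
    const char *msg = "no input";
    if (s != NULL) {
        snprintf(detail, sizeof detail, "len=%zu", strlen(s));
        msg = detail;
    }
    return fmt(out, cap, "error: %s", msg);
}

int main(void) {
    char buf[64];
    describe_fixed(buf, sizeof buf, "hello");
    puts(buf);                                 /* error: len=5 */
    describe_buggy(buf, sizeof buf, "hello");  /* ASAN: stack-use-after-scope */
    puts(buf);
    return 0;
}
```

Compile with `clang -g -O1 -fsanitize=address -fno-omit-frame-pointer` to see the sanitizer flag the second call; the fixed variant is what the sanitizer run should look like once the variable is hoisted.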