Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-use-after-free #40

Open
bird8693 opened this issue Apr 17, 2020 · 5 comments
Open

heap-use-after-free #40

bird8693 opened this issue Apr 17, 2020 · 5 comments

Comments

@bird8693
Copy link

Enviroment

operating system: ubuntu18.04
compile:  
Use Google's ASAN(https://github.com/google/sanitizers) for vulnerability detection. Specifically in Makefile, `add -fsanitize=address` to CFLAGS
make
test command: ./run_tests  poc

poc:

{ 
  "String" : { 
    "indexOf" : function (search) ,
    "substring" : function (lo,hi) ,
    "charAt" : function (pos) ,
    "charCodeAt" : function (pos) ,
    "fromCharCode" : function (char) ,
    "split" : function (separator) 
  },
  "Array" : { 
    "contains" : function (obj) ,
    "remove" : function (obj) ,
    "join" : function (separator) 
  },
  "Object" : { 
    "dump" : function () ,
    "clone" : function () 
  },
  "exec" : function (jsCode) ,
  "eval" : function (jsCode) ,
  "trace" : function () ,
  "Math" : { 
    "rand" : function () ,
    "randInt" : function (min,max) ,
    "abs" : function (a) ,
    "round" : function (a) ,
    "min" : function (a,b) ,
    "max" : function (a,b) ,
    "range" : function (x,a,b) ,
    "sign" : function (a) ,
    "PI" : function () ,
    "toDegrees" : function (a) ,
    "toRadians" : function (a) ,
    "sin" : function (a) ,
    "asin" : function (a) ,
    "cos" : function (a) ,
    "acos" : function (a) ,
    "tan" : function (a) ,
    "atan" : function (a) ,
    "sinh" : function (a) ,
    "asinh" : function (a) ,
    "cosh" : function (a) ,
    "acosh" : function (a) ,
    "tanh" : function (a) ,
    "atanh" : function (a) ,
    "E" : function () ,
    "log" : function (a) ,
    "log10" : function (a) ,
    "exp" : function (a) ,
    "pow" : function (a,b) ,
    "sqr" : function (a) ,
    "sqrt" : function (a) 
  },
  "charToInt" : function (ch) ,
  "Integer" : { 
    "parseInt" : function (str) ,
    "valueOf" : function (str) 
  },
  "JSON" : { 
    "stringify" : function (obj,replacer) 
  },
  "result" : 0,
  "configPATH" : undefined
}

vulnerability description:

It is a use-after-free vulnerability, below is the asan output:

==20367==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000c538 at pc 0x000000441587 bp 0x7fff229a1790 sp 0x7fff229a1780
READ of size 1 at 0x60600000c538 thread T0
#0 0x441586 in CTinyJS::logic(bool&) /home/node/tiny-js/TinyJS.cpp:1853
#1 0x441dfa in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1859
#2 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#3 0x442c52 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1902
#4 0x442634 in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1876
#5 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#6 0x446011 in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1986
#7 0x44b23a in CTinyJS::execute(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/node/tiny-js/TinyJS.cpp:1322
#8 0x40718c in run_test(char const*) /home/node/tiny-js/run_tests.cpp:219
#9 0x4068b0 in main /home/node/tiny-js/run_tests.cpp:258
#10 0x7fa9198ef82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x406b68 in _start (/home/node/tiny-js/run_tests+0x406b68)

0x60600000c538 is located 56 bytes inside of 64-byte region [0x60600000c500,0x60600000c540)
freed by thread T0 here:
#0 0x7fa91a5d3b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
#1 0x44256e in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1864

previously allocated by thread T0 here:
#0 0x7fa91a5d3532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x439204 in CTinyJS::factor(bool&) /home/node/tiny-js/TinyJS.cpp:1568

SUMMARY: AddressSanitizer: heap-use-after-free /home/node/tiny-js/TinyJS.cpp:1853 CTinyJS::logic(bool&)
Shadow bytes around the buggy address:
0x0c0c7fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9860: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c7fff9870: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
0x0c0c7fff9880: 00 00 00 05 fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff9890: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c0c7fff98a0: fd fd fd fd fd fd fd[fd]fa fa fa fa fd fd fd fd
0x0c0c7fff98b0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fff98c0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c7fff98d0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c7fff98e0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff98f0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==20367==ABORTING

@bird8693
Copy link
Author

@gfwilliams @LonghronShen Please check the issues.

@bird8693
Copy link
Author

@gfwilliams

@gfwilliams
Copy link
Owner

Thanks for the reports, but I don't have time to look into these right now. This is free software and hasn't been maintained in a while. If you're able to offer PRs it'd be hugely appreciated.

@bird8693
Copy link
Author

Thanks for the reports, but I don't have time to look into these right now. This is free software and hasn't been maintained in a while. If you're able to offer PRs it'd be hugely appreciated.

I want to directly apply for cves!

@sSt3lla
Copy link

sSt3lla commented Dec 6, 2021

Running the poc I just get

./tiny-js-tests ./poc
TinyJS test runner
USAGE:
   ./run_tests test.js       : run just one test
   ./run_tests               : run all tests
TEST ./js/pc.js ERROR: Error Got ':' expected ';' at (line: 2, col: 13) at (line: 2, col: 11)
FAIL - symbols written to ./js/pc.js.fail.js

=================================================================
==19683==ERROR: LeakSanitizer: detected memory leaks
                                                                                                                                                                                                                  
Direct leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x7fb749558d30 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xead30)                                                                                                                 
    #1 0x564b83ec0518 in CTinyJS::execute(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ava/Projects/tiny-js/TinyJS.cpp:1337
    #2 0x564b83eaeda4 in run_test(char const*) /home/ava/Projects/tiny-js/run_tests.cpp:221
    #3 0x564b83eaf6e5 in main /home/ava/Projects/tiny-js/run_tests.cpp:260
    #4 0x7fb748fb009a in __libc_start_main ../csu/libc-start.c:308

Direct leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x7fb749558d30 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xead30)                                                                                                                 
    #1 0x564b83eb2512 in CScriptLex::match(int) /home/ava/Projects/tiny-js/TinyJS.cpp:336
    #2 0x564b83ecc1cf in CTinyJS::statement(bool&) /home/ava/Projects/tiny-js/TinyJS.cpp:1948
    #3 0x564b83ecbc17 in CTinyJS::block(bool&) /home/ava/Projects/tiny-js/TinyJS.cpp:1926
    #4 0x564b83ecc261 in CTinyJS::statement(bool&) /home/ava/Projects/tiny-js/TinyJS.cpp:1951
    #5 0x564b83ec00b5 in CTinyJS::execute(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ava/Projects/tiny-js/TinyJS.cpp:1325
    #6 0x564b83eaeda4 in run_test(char const*) /home/ava/Projects/tiny-js/run_tests.cpp:221
    #7 0x564b83eaf6e5 in main /home/ava/Projects/tiny-js/run_tests.cpp:260
    #8 0x7fb748fb009a in __libc_start_main ../csu/libc-start.c:308

Indirect leak of 114 byte(s) in 2 object(s) allocated from:
    #0 0x7fb749558d30 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xead30)                                                                                                                 
    #1 0x7fb749407e3e in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x11de3e)

SUMMARY: AddressSanitizer: 178 byte(s) leaked in 4 allocation(s).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants