heap-use-after-free #40
Comments
|
@gfwilliams @LonghronShen Please check the issues. |
|
Thanks for the reports, but I don't have time to look into these right now. This is free software and hasn't been maintained in a while. If you're able to offer PRs it'd be hugely appreciated. |
I want to directly apply for cves! |
|
Running the poc I just get ./tiny-js-tests ./poc
TinyJS test runner
USAGE:
./run_tests test.js : run just one test
./run_tests : run all tests
TEST ./js/pc.js ERROR: Error Got ':' expected ';' at (line: 2, col: 13) at (line: 2, col: 11)
FAIL - symbols written to ./js/pc.js.fail.js
=================================================================
==19683==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 32 byte(s) in 1 object(s) allocated from:
#0 0x7fb749558d30 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xead30)
#1 0x564b83ec0518 in CTinyJS::execute(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ava/Projects/tiny-js/TinyJS.cpp:1337
#2 0x564b83eaeda4 in run_test(char const*) /home/ava/Projects/tiny-js/run_tests.cpp:221
#3 0x564b83eaf6e5 in main /home/ava/Projects/tiny-js/run_tests.cpp:260
#4 0x7fb748fb009a in __libc_start_main ../csu/libc-start.c:308
Direct leak of 32 byte(s) in 1 object(s) allocated from:
#0 0x7fb749558d30 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xead30)
#1 0x564b83eb2512 in CScriptLex::match(int) /home/ava/Projects/tiny-js/TinyJS.cpp:336
#2 0x564b83ecc1cf in CTinyJS::statement(bool&) /home/ava/Projects/tiny-js/TinyJS.cpp:1948
#3 0x564b83ecbc17 in CTinyJS::block(bool&) /home/ava/Projects/tiny-js/TinyJS.cpp:1926
#4 0x564b83ecc261 in CTinyJS::statement(bool&) /home/ava/Projects/tiny-js/TinyJS.cpp:1951
#5 0x564b83ec00b5 in CTinyJS::execute(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ava/Projects/tiny-js/TinyJS.cpp:1325
#6 0x564b83eaeda4 in run_test(char const*) /home/ava/Projects/tiny-js/run_tests.cpp:221
#7 0x564b83eaf6e5 in main /home/ava/Projects/tiny-js/run_tests.cpp:260
#8 0x7fb748fb009a in __libc_start_main ../csu/libc-start.c:308
Indirect leak of 114 byte(s) in 2 object(s) allocated from:
#0 0x7fb749558d30 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xead30)
#1 0x7fb749407e3e in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x11de3e)
SUMMARY: AddressSanitizer: 178 byte(s) leaked in 4 allocation(s). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Enviroment
poc:
vulnerability description:
It is a use-after-free vulnerability, below is the asan output:
==20367==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000c538 at pc 0x000000441587 bp 0x7fff229a1790 sp 0x7fff229a1780
READ of size 1 at 0x60600000c538 thread T0
#0 0x441586 in CTinyJS::logic(bool&) /home/node/tiny-js/TinyJS.cpp:1853
#1 0x441dfa in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1859
#2 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#3 0x442c52 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1902
#4 0x442634 in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1876
#5 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#6 0x446011 in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1986
#7 0x44b23a in CTinyJS::execute(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/node/tiny-js/TinyJS.cpp:1322
#8 0x40718c in run_test(char const*) /home/node/tiny-js/run_tests.cpp:219
#9 0x4068b0 in main /home/node/tiny-js/run_tests.cpp:258
#10 0x7fa9198ef82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x406b68 in _start (/home/node/tiny-js/run_tests+0x406b68)
0x60600000c538 is located 56 bytes inside of 64-byte region [0x60600000c500,0x60600000c540)
freed by thread T0 here:
#0 0x7fa91a5d3b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
#1 0x44256e in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1864
previously allocated by thread T0 here:
#0 0x7fa91a5d3532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x439204 in CTinyJS::factor(bool&) /home/node/tiny-js/TinyJS.cpp:1568
SUMMARY: AddressSanitizer: heap-use-after-free /home/node/tiny-js/TinyJS.cpp:1853 CTinyJS::logic(bool&)
Shadow bytes around the buggy address:
0x0c0c7fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9860: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c7fff9870: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
0x0c0c7fff9880: 00 00 00 05 fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff9890: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c0c7fff98a0: fd fd fd fd fd fd fd[fd]fa fa fa fa fd fd fd fd
0x0c0c7fff98b0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fff98c0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c7fff98d0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c7fff98e0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff98f0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==20367==ABORTING
The text was updated successfully, but these errors were encountered: