Bug 697172 (CVE-2016-9294)

Summary: mujs node Null ptr dereference in jscompile.c
Product: MuJS
Reporter: Shi Ji <puzzorsj>
Component: general
Assignee: Tor Andersson <tor.andersson>
Status: RESOLVED FIXED
Severity: normal
CC: tor.andersson
Priority: P4
Version: unspecified
Hardware: PC
OS: Windows NT
Customer:
Word Size: ---
Attachments: poc and stack trace

Description Shi Ji 2016-09-29 20:42:11 UTC
Created attachment 12977
poc and stack trace

# Vulnerability
mujs node Null ptr dereference in jscompile.c

# Version
git head version

# Address Sanitizer Output
ASAN:SIGSEGV
=================================================================
==14904== ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x0807aac5 sp 0xbffff130 bp 0xbffff158 T0)
AddressSanitizer can not provide additional info.
    #0 0x807aac4 in cexit /home/puzzor/puzzor/mujs/jscompile.c:798
    #1 0x807cab4 in cstm /home/puzzor/puzzor/mujs/jscompile.c:1113
    #2 0x807c7c2 in cstm /home/puzzor/puzzor/mujs/jscompile.c:1094
    #3 0x807d30a in cstmlist /home/puzzor/puzzor/mujs/jscompile.c:1185
    #4 0x807e364 in cfunbody /home/puzzor/puzzor/mujs/jscompile.c:1304
    #5 0x80753d3 in newfun /home/puzzor/puzzor/mujs/jscompile.c:48
    #6 0x807e4ed in jsC_compile /home/puzzor/puzzor/mujs/jscompile.c:1320
    #7 0x805efc0 in js_loadstringx /home/puzzor/puzzor/mujs/jsstate.c:56
    #8 0x805f114 in js_loadstring /home/puzzor/puzzor/mujs/jsstate.c:70
    #9 0x805f371 in js_loadfile /home/puzzor/puzzor/mujs/jsstate.c:121
    #10 0x805f4d7 in js_dofile /home/puzzor/puzzor/mujs/jsstate.c:150
    #11 0x8049fbb in main /home/puzzor/puzzor/mujs/main.c:175
    #12 0xb6804a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #13 0x8049560 in _start (/home/puzzor/puzzor/mujs/build/mujs+0x8049560)
SUMMARY: AddressSanitizer: SEGV /home/puzzor/puzzor/mujs/jscompile.c:798 cexit
==14904== ABORTING



# PoC
See poc

# Analysis
In the cexit function, a "node" may have no parent, which may lead to a null ptr dereference. Try to check whether node->parent is null before referencing it.



# Report Timeline
2016.09.30: Shi Ji(@Puzzor) discovered this issue

# Credit
Shi Ji(@Puzzor) of VARAS@IIE

# Repro
Build with ASan, run the PoC with ./mujs poc

Comment 1 Shi Ji 2016-11-06 23:22:19 UTC
Any updates for this bug?

Comment 2 Tor Andersson 2016-11-07 04:37:18 UTC
Fixed in commit 5008105780c0b0182ea6eda83ad5598f225be3ee
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Wed Oct 26 14:31:53 2016 +0200

    Fix 697172: degenerate labeled break/continue statement.
    
    A labeled break statement will look for a matching label through
    its chain of parent statements. We start looking at the break statement
    though, so if the label is attached to the break, we'll return the break
    statement itself as a break target.
    
    Start looking for targets one level up instead.
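
The lookup change described in the commit message, modelled in C as an added example (not MuJS source and not code from this report). The node layout, the function names and the "step to the parent, then compare" shape of the exit walk are assumptions of this sketch; the sample statement trees are constructed.

```c
#include <string.h>

/* Simplified statement node for this sketch; not MuJS's real AST layout. */
struct node {
    enum { STM_BLOCK, STM_LABEL, STM_WHILE, STM_BREAK } kind;
    const char *label;          /* name on a label, wanted target on a break */
    struct node *parent, *body; /* parent is NULL at the root; body = labelled stmt */
};

/* Find the statement carrying the break's label. skip_self = 0 starts at the
 * break itself (pre-fix behaviour); 1 starts one level up (the fix). */
struct node *find_target(struct node *brk, int skip_self)
{
    struct node *n = skip_self ? brk->parent : brk;
    for (; n && n->parent; n = n->parent) {
        struct node *p = n->parent;
        if (p->kind == STM_LABEL && p->body == n && !strcmp(p->label, brk->label))
            return n;
    }
    return NULL; /* caller reports an unknown label */
}

/* Exit walk modelled as "step to the parent, then compare" (assumed shape).
 * Returns levels climbed, or -1 where an unchecked walk would hit a NULL parent. */
int exit_walk(const struct node *n, const struct node *target)
{
    int levels = 1;
    for (n = n->parent; n != target; n = n->parent, levels++)
        if (!n)
            return -1;
    return levels;
}

/* Constructed cases: wrap_in_loop = 0 puts label "a" directly on the break,
 * 1 puts it on a loop around the break. Returns -2 when no target is found. */
int compile_break(int wrap_in_loop, int skip_self)
{
    struct node root = { STM_BLOCK, NULL, NULL, NULL };
    struct node lab = { STM_LABEL, "a", &root, NULL };
    struct node loop = { STM_WHILE, NULL, &lab, NULL };
    struct node brk = { STM_BREAK, "a", wrap_in_loop ? &loop : &lab, NULL };
    lab.body = wrap_in_loop ? &loop : &brk;
    struct node *t = find_target(&brk, skip_self);
    return t ? exit_walk(&brk, t) : -2;
}

/* Exit status 0 when the fixed lookup rejects the degenerate case. */
int main(void) { return compile_break(0, 1) == -2 ? 0 : 1; }
```

With the search starting at the break itself, the degenerate case returns the break as its own target, so a walk that moves upward before comparing can never reach it and runs off the root. Starting one level up leaves the ordinary labelled-loop case unchanged.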