Bug 697172 (CVE-2016-9294) - mujs node Null ptr dereference in jscompile.c
Summary: mujs node Null ptr dereference in jscompile.c
Alias: CVE-2016-9294
Product: MuJS
Classification: Unclassified
Component: general
Version: unspecified
Hardware: PC Windows NT
Importance: P4 normal
Assignee: Tor Andersson
Reported: 2016-09-29 20:42 UTC by Shi Ji
Modified: 2016-11-11 17:44 UTC


poc and stack trace (1.01 KB, application/zip)
2016-09-29 20:42 UTC, Shi Ji

Description Shi Ji 2016-09-29 20:42:11 UTC
Created attachment 12977 [details]
poc and stack trace

# Vulnerability
mujs node Null ptr dereference in jscompile.c

# Version
git head version

# Address Sanitizer Output
==14904== ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x0807aac5 sp 0xbffff130 bp 0xbffff158 T0)
AddressSanitizer can not provide additional info.
    #0 0x807aac4 in cexit /home/puzzor/puzzor/mujs/jscompile.c:798
    #1 0x807cab4 in cstm /home/puzzor/puzzor/mujs/jscompile.c:1113
    #2 0x807c7c2 in cstm /home/puzzor/puzzor/mujs/jscompile.c:1094
    #3 0x807d30a in cstmlist /home/puzzor/puzzor/mujs/jscompile.c:1185
    #4 0x807e364 in cfunbody /home/puzzor/puzzor/mujs/jscompile.c:1304
    #5 0x80753d3 in newfun /home/puzzor/puzzor/mujs/jscompile.c:48
    #6 0x807e4ed in jsC_compile /home/puzzor/puzzor/mujs/jscompile.c:1320
    #7 0x805efc0 in js_loadstringx /home/puzzor/puzzor/mujs/jsstate.c:56
    #8 0x805f114 in js_loadstring /home/puzzor/puzzor/mujs/jsstate.c:70
    #9 0x805f371 in js_loadfile /home/puzzor/puzzor/mujs/jsstate.c:121
    #10 0x805f4d7 in js_dofile /home/puzzor/puzzor/mujs/jsstate.c:150
    #11 0x8049fbb in main /home/puzzor/puzzor/mujs/main.c:175
    #12 0xb6804a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #13 0x8049560 in _start (/home/puzzor/puzzor/mujs/build/mujs+0x8049560)
SUMMARY: AddressSanitizer: SEGV /home/puzzor/puzzor/mujs/jscompile.c:798 cexit
==14904== ABORTING

# PoC
See poc

# Analysis
In the cexit function, a "node" may have no parent, which may lead to a null ptr dereference. Try to check whether node->parent is null before referencing it.

# Report Timeline
2016.09.30: Shi Ji (@Puzzor) discovered this issue

# Credit
Shi Ji (@Puzzor) of VARAS@IIE

# Repro
Build with ASan, then run the PoC with ./mujs poc
Comment 1 Shi Ji 2016-11-06 23:22:19 UTC
Any updates for this bug?
Comment 2 Tor Andersson 2016-11-07 04:37:18 UTC
Fixed in commit 5008105780c0b0182ea6eda83ad5598f225be3ee
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Wed Oct 26 14:31:53 2016 +0200

    Fix 697172: degenerate labeled break/continue statement.
    A labeled break statement will look for a matching label through
    its chain of parent statements. We start looking at the break statement
    though, so if the label is attached to the break, we'll return the break
    statement itself as a break target.
    Start looking for targets one level up instead.
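Added example (this is not mujs's code and not the patch from the commit above): a small C model of the parent-chain label search and the scope-exit walk from the description and commit message. It shows why a break statement that resolves to itself as its own target makes the exit walk climb past the root and hit a NULL parent, and how each of the two defences on this page stops that: starting the search one level up (the commit message) so the break can only resolve to an enclosing statement, and checking node->parent for NULL before use (the reporter's analysis). The AST layout with the label stored on the statement it is attached to, the names breaktarget, exit_scopes, target_before_fix and target_after_fix, and the two constructed inputs are assumptions of this example; the real js_Ast and jscompile.c differ.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified statement AST (an assumption for this example, not mujs's js_Ast):
 * a label is stored on the statement it is attached to, and every node has a
 * parent pointer so the compiler can climb out of enclosing scopes. */
enum ast_type { STM_BLOCK, STM_WHILE, STM_BREAK };

typedef struct node {
	enum ast_type type;
	const char *label;   /* label attached to this statement, or NULL */
	const char *target;  /* STM_BREAK only: label the break names, or NULL */
	struct node *parent; /* NULL for the root of the tree */
} node;

static node *mknode(enum ast_type type, const char *label, node *parent)
{
	node *n = calloc(1, sizeof *n);
	if (!n)
		abort();
	n->type = type;
	n->label = label;
	n->parent = parent;
	return n;
}

/* Climb the parent chain starting at `from` and return the first statement
 * carrying `label`, or NULL if no statement on the chain has that label. */
static node *breaktarget(node *from, const char *label)
{
	for (node *n = from; n; n = n->parent)
		if (n->label && strcmp(n->label, label) == 0)
			return n;
	return NULL;
}

/* Mirror of the scope-exit walk: climb from the break until `target` is
 * reached, counting the scopes left. Returns -1 if the chain ends first;
 * the reporter's suggested null check turns what would otherwise be a
 * NULL-parent dereference into a reported failure. */
static int exit_scopes(node *brk, node *target)
{
	int left = 0;
	node *n = brk;
	do {
		if (!n->parent)
			return -1; /* ran off the top of the tree without meeting target */
		n = n->parent;
		left++;
	} while (n != target);
	return left;
}

/* Before the fix: the search starts at the break statement itself, so a
 * label attached to the break makes the break its own target. */
static node *target_before_fix(node *brk)
{
	return breaktarget(brk, brk->target);
}

/* After the fix: the search starts one level up, so the break can only
 * resolve to an enclosing statement, or to nothing (a compile error, and
 * the exit walk never runs). */
static node *target_after_fix(node *brk)
{
	return breaktarget(brk->parent, brk->target);
}

/* Constructed input: the degenerate shape the commit message describes,
 * a label attached directly to the break that names it (`L: break L;`). */
static node *build_degenerate(void)
{
	node *root = mknode(STM_BLOCK, NULL, NULL);
	node *brk = mknode(STM_BREAK, "L", root);
	brk->target = "L";
	return brk;
}

/* Constructed input: a well-formed labeled loop, `L: while (1) { break L; }`. */
static node *build_wellformed(void)
{
	node *root = mknode(STM_BLOCK, NULL, NULL);
	node *loop = mknode(STM_WHILE, "L", root);
	node *body = mknode(STM_BLOCK, NULL, loop);
	node *brk = mknode(STM_BREAK, NULL, body);
	brk->target = "L";
	return brk;
}

int main(void)
{
	node *bad = build_degenerate();
	node *t = target_before_fix(bad);
	printf("degenerate, before fix: target is the break itself? %s; scopes exited: %d\n",
	       t == bad ? "yes" : "no", exit_scopes(bad, t));
	printf("degenerate, after fix: target %s\n",
	       target_after_fix(bad) ? "found" : "not found (compile error, no exit walk)");

	node *good = build_wellformed();
	t = target_after_fix(good);
	printf("well-formed, after fix: target is the loop? %s; scopes exited: %d\n",
	       t && t->type == STM_WHILE ? "yes" : "no", exit_scopes(good, t));
	return 0;
}
```

Build with `cc -std=c99 -Wall model.c -o model && ./model`. The point to take from it is that the two defences are independent: moving the search start removes the self-target case at its source, while the NULL check in the exit walk is the belt-and-braces guard that keeps any other degenerate tree shape from becoming a segfault in the compiler.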