operating system: Ubuntu 18.04
compile:
Use Google's ASan (https://github.com/google/sanitizers) for vulnerability detection. Specifically, in the Makefile add `-fsanitize=address` to CFLAGS.
make
test command: ./run_tests poc
poc:
{
"String" : {
"indexOf" : function (search) ,
"substring" : function (lo,hi) ,
"charAt" : function (pos) ,
"charCodeAt" : function (pos) ,
"fromCharCode" : function (char) ,
"split" : function (separator)
},
"Array" : {
"contains" : function (obj) ,
"remove" : function (obj) ,
"join" : function (separator)
},
"Object" : {
"dump" : function () ,
"clone" : function ()
},
"exec" : function (jsCode) ,
"eval" : function (jsCode) ,
"trace" : function () ,
"Math" : {
"rand" : function () ,
"randInt" : function (min,max) ,
"abs" : function (a) ,
"round" : function (a) ,
"min" : function (a,b) ,
"max" : function (a,b) ,
"range" : function (x,a,b) ,
"sign" : function (a) ,
"PI" : function () ,
"toDegrees" : function (a) ,
"toRadians" : function (a) ,
"sin" : function (a) ,
"asin" : function (a) ,
"cos" : function (a) ,
"acos" : function (a) ,
"tan" : function (a) ,
"atan" : function (a) ,
"sinh" : function (a) ,
"asinh" : function (a) ,
"cosh" : function (a) ,
"acosh" : function (a) ,
"tanh" : function (a) ,
"atanh" : function (a) ,
"E" : function () ,
"log" : function (a) ,
"log10" : function (a) ,
"exp" : function (a) ,
"pow" : function (a,b) ,
"sqr" : function (a) ,
"sqrt" : function (a)
},
"charToInt" : function (ch) ,
"Integer" : {
"parseInt" : function (str) ,
"valueOf" : function (str)
},
"JSON" : {
"stringify" : function (obj,replacer)
},
"result" : 0,
"configPATH" : undefined
}
vulnerability description:
It is a use-after-free vulnerability: the object allocated in CTinyJS::factor (TinyJS.cpp:1568) is freed at TinyJS.cpp:1864 and then read again at TinyJS.cpp:1876 inside CTinyJS::ternary. The ASan output is below:
=================================================================
==20360==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000c2f8 at pc 0x000000442829 bp 0x7ffd5e984670 sp 0x7ffd5e984660
READ of size 1 at 0x60600000c2f8 thread T0
#0 0x442828 in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1876
#1 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#2 0x4390f4 in CTinyJS::factor(bool&) /home/node/tiny-js/TinyJS.cpp:1547
#3 0x43c366 in CTinyJS::unary(bool&) /home/node/tiny-js/TinyJS.cpp:1726
#4 0x43ca7a in CTinyJS::term(bool&) /home/node/tiny-js/TinyJS.cpp:1731
#5 0x43d482 in CTinyJS::expression(bool&) /home/node/tiny-js/TinyJS.cpp:1751
#6 0x43e8bc in CTinyJS::shift(bool&) /home/node/tiny-js/TinyJS.cpp:1786
#7 0x43f7fb in CTinyJS::condition(bool&) /home/node/tiny-js/TinyJS.cpp:1803
#8 0x4408ad in CTinyJS::logic(bool&) /home/node/tiny-js/TinyJS.cpp:1842
#9 0x441dfa in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1859
#10 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#11 0x442c52 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1902
#12 0x445f32 in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1944
#13 0x44c544 in CTinyJS::block(bool&) /home/node/tiny-js/TinyJS.cpp:1923
#14 0x446ad6 in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1948
#15 0x44629f in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1994
#16 0x44b23a in CTinyJS::execute(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/node/tiny-js/TinyJS.cpp:1322
#17 0x40718c in run_test(char const*) /home/node/tiny-js/run_tests.cpp:219
#18 0x4068b0 in main /home/node/tiny-js/run_tests.cpp:258
#19 0x7f958a38482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#20 0x406b68 in _start (/home/node/tiny-js/run_tests+0x406b68)
0x60600000c2f8 is located 56 bytes inside of 64-byte region [0x60600000c2c0,0x60600000c300)
freed by thread T0 here:
#0 0x7f958b068b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
#1 0x44256e in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1864
previously allocated by thread T0 here:
#0 0x7f958b068532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x439204 in CTinyJS::factor(bool&) /home/node/tiny-js/TinyJS.cpp:1568
Environment
poc:
vulnerability description:
It is a use-after-free vulnerability; the ASan output is below:
=================================================================
==20360==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000c2f8 at pc 0x000000442829 bp 0x7ffd5e984670 sp 0x7ffd5e984660
READ of size 1 at 0x60600000c2f8 thread T0
#0 0x442828 in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1876
#1 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#2 0x4390f4 in CTinyJS::factor(bool&) /home/node/tiny-js/TinyJS.cpp:1547
#3 0x43c366 in CTinyJS::unary(bool&) /home/node/tiny-js/TinyJS.cpp:1726
#4 0x43ca7a in CTinyJS::term(bool&) /home/node/tiny-js/TinyJS.cpp:1731
#5 0x43d482 in CTinyJS::expression(bool&) /home/node/tiny-js/TinyJS.cpp:1751
#6 0x43e8bc in CTinyJS::shift(bool&) /home/node/tiny-js/TinyJS.cpp:1786
#7 0x43f7fb in CTinyJS::condition(bool&) /home/node/tiny-js/TinyJS.cpp:1803
#8 0x4408ad in CTinyJS::logic(bool&) /home/node/tiny-js/TinyJS.cpp:1842
#9 0x441dfa in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1859
#10 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#11 0x442c52 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1902
#12 0x445f32 in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1944
#13 0x44c544 in CTinyJS::block(bool&) /home/node/tiny-js/TinyJS.cpp:1923
#14 0x446ad6 in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1948
#15 0x44629f in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1994
#16 0x44b23a in CTinyJS::execute(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/node/tiny-js/TinyJS.cpp:1322
#17 0x40718c in run_test(char const*) /home/node/tiny-js/run_tests.cpp:219
#18 0x4068b0 in main /home/node/tiny-js/run_tests.cpp:258
#19 0x7f958a38482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#20 0x406b68 in _start (/home/node/tiny-js/run_tests+0x406b68)
0x60600000c2f8 is located 56 bytes inside of 64-byte region [0x60600000c2c0,0x60600000c300)
freed by thread T0 here:
#0 0x7f958b068b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
#1 0x44256e in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1864
previously allocated by thread T0 here:
#0 0x7f958b068532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x439204 in CTinyJS::factor(bool&) /home/node/tiny-js/TinyJS.cpp:1568
SUMMARY: AddressSanitizer: heap-use-after-free /home/node/tiny-js/TinyJS.cpp:1876 CTinyJS::ternary(bool&)