Description
Environment
operating system: ubuntu18.04
compile:
Use Google's ASAN (https://github.com/google/sanitizers) for vulnerability detection. Specifically, in the Makefile add `-fsanitize=address` to CFLAGS.
make
test command: ./run_tests poc
poc:
{
"String" : {
"indexOf" : function (search) ,
"substring" : function (lo,hi) ,
"charAt" : function (pos) ,
"charCodeAt" : function (pos) ,
"fromCharCode" : function (char) ,
"split" : function (separator)
},
"Array" : {
"contains" : function (obj) ,
"remove" : function (obj) ,
"join" : function (separator)
},
"Object" : {
"dump" : function () ,
"clone" : function ()
},
"exec" : function (jsCode) ,
"eval" : function (jsCode) ,
"trace" : function () ,
"Math" : {
"rand" : function () ,
"randInt" : function (min,max) ,
"abs" : function (a) ,
"round" : function (a) ,
"min" : function (a,b) ,
"max" : function (a,b) ,
"range" : function (x,a,b) ,
"sign" : function (a) ,
"PI" : function () ,
"toDegrees" : function (a) ,
"toRadians" : function (a) ,
"sin" : function (a) ,
"asin" : function (a) ,
"cos" : function (a) ,
"acos" : function (a) ,
"tan" : function (a) ,
"atan" : function (a) ,
"sinh" : function (a) ,
"asinh" : function (a) ,
"cosh" : function (a) ,
"acosh" : function (a) ,
"tanh" : function (a) ,
"atanh" : function (a) ,
"E" : function () ,
"log" : function (a) ,
"log10" : function (a) ,
"exp" : function (a) ,
"pow" : function (a,b) ,
"sqr" : function (a) ,
"sqrt" : function (a)
},
"charToInt" : function (ch) ,
"Integer" : {
"parseInt" : function (str) ,
"valueOf" : function (str)
},
"JSON" : {
"stringify" : function (obj,replacer)
},
"result" : 0,
"configPATH" : undefined
}
vulnerability description:
This is a use-after-free vulnerability: the object allocated in `CTinyJS::factor` (TinyJS.cpp:1568) is freed in `CTinyJS::ternary` (TinyJS.cpp:1864) and then read again in the same function at TinyJS.cpp:1876. The ASan output is below:
=================================================================
==20360==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000c2f8 at pc 0x000000442829 bp 0x7ffd5e984670 sp 0x7ffd5e984660
READ of size 1 at 0x60600000c2f8 thread T0
#0 0x442828 in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1876
#1 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#2 0x4390f4 in CTinyJS::factor(bool&) /home/node/tiny-js/TinyJS.cpp:1547
#3 0x43c366 in CTinyJS::unary(bool&) /home/node/tiny-js/TinyJS.cpp:1726
#4 0x43ca7a in CTinyJS::term(bool&) /home/node/tiny-js/TinyJS.cpp:1731
#5 0x43d482 in CTinyJS::expression(bool&) /home/node/tiny-js/TinyJS.cpp:1751
#6 0x43e8bc in CTinyJS::shift(bool&) /home/node/tiny-js/TinyJS.cpp:1786
#7 0x43f7fb in CTinyJS::condition(bool&) /home/node/tiny-js/TinyJS.cpp:1803
#8 0x4408ad in CTinyJS::logic(bool&) /home/node/tiny-js/TinyJS.cpp:1842
#9 0x441dfa in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1859
#10 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#11 0x442c52 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1902
#12 0x445f32 in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1944
#13 0x44c544 in CTinyJS::block(bool&) /home/node/tiny-js/TinyJS.cpp:1923
#14 0x446ad6 in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1948
#15 0x44629f in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1994
#16 0x44b23a in CTinyJS::execute(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/node/tiny-js/TinyJS.cpp:1322
#17 0x40718c in run_test(char const*) /home/node/tiny-js/run_tests.cpp:219
#18 0x4068b0 in main /home/node/tiny-js/run_tests.cpp:258
#19 0x7f958a38482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#20 0x406b68 in _start (/home/node/tiny-js/run_tests+0x406b68)
0x60600000c2f8 is located 56 bytes inside of 64-byte region [0x60600000c2c0,0x60600000c300)
freed by thread T0 here:
#0 0x7f958b068b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
#1 0x44256e in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1864
previously allocated by thread T0 here:
#0 0x7f958b068532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x439204 in CTinyJS::factor(bool&) /home/node/tiny-js/TinyJS.cpp:1568
SUMMARY: AddressSanitizer: heap-use-after-free /home/node/tiny-js/TinyJS.cpp:1876 CTinyJS::ternary(bool&)