1. Summary

In the first part, we described the developer confirmation emails.
In the second part, we describe bugs and related fix information.

2. Developer confirmations

2.1 Moddable NULL pointer dereference

2.2 Mujs stack overflow

2.3 Jsish heap overflow

3. Details of fixed bugs

3.1. Jsish stack overflow

3.1.1 Vulnerability

SoFi inserts unseen method call of an object via reflection. The following code shows a test input that was generated by SoFi and triggered a stack overflow vulnerability on Jsish. SoFi inserts two statements at Line 2 and Line 3 during the semantic mutation. It is worth noting that toPrecision is not included in the initial seed corpus. The reflection mechanism could identify this method from the Number Object. Specifically, with the insertion mutation, we firstly add these two statements. Then with the expression mutation, we can change xx to ~xx. Since the default value of xx is 0. The value of its inversion is 0x7fffffff, which is too large and causes the stack overflow.

1 var num = 0;

2 var xx; /*newly added*/

3 var AkBW = num.toPrecision(~xx); /*newly added*/

3.1.2 Fix

The developer has enlarged the data structure buf where stack overflow occurs, and added a check statement prec>JSI_MAX_NUMBER_STRIN to prevent stack overflow.

3.2. Jsish heap overflow

3.2.1 Vulnerability

SoFi inserts the use of an attribute via reflection. The following code shows another test input generated by SoFi and it causes a heap overflow. The key step to trigger such bug is that SoFi added a new statement (i.e., Line 3). With the reflection, a new statement that changes the attribute of 𝑜 is generated. Specifically, the length is assigned with a signed negative number (i.e., -9007199254740091) and is treated as an big unsigned integer later. The unsigned integer multiplied by a fixed value (i.e., the unit size of the array) is used to apply a heap block. Due to the overflows caused by the multiplication, a very small heap is applied and subsequent access of the heap block will lead to heap overflow.

1 var o = [1, 2];

2 o.length = -9007199254740091; /*newly added*/

3 o.unshift(o.length);

3.2.2 Fix

The developer has updated check conditions len >= interp->maxArrayList || nsiz > interp->maxArrayList for nsiz that overflowed.

3.3. Moddable Heap Overflow

3.3.1 Vulnerability( asan output)

=================================================================

==5929==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f03c1cfe820 at pc 0x7f03c5168904 bp 0x7ffc491cb050 sp 0x7ffc491ca7f8

WRITE of size 1 at 0x7f03c1cfe820 thread T0

#0 0x7f03c5168903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)

#1 0x61c2a8 in fx_String_prototype_pad /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsString.c:923

#2 0x61c3be in fx_String_prototype_padStart /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsString.c:948

#3 0x5bcb2b in fxRunID /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:824

#4 0x503d3d in fxReviveJSON /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsJSON.c:622

#5 0x502cd2 in fxReviveJSON /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsJSON.c:588

#6 0x4fe395 in fx_JSON_parse /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsJSON.c:143

#7 0x5bcb2b in fxRunID /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:824

#8 0x604ee7 in fxRunScript /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:4708

#9 0x6fa9f9 in fxRunProgramFile /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:1369

#10 0x6ed74c in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:270

#11 0x7f03c480c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

#12 0x4146a8 in _start (/root/AFL/targets/moddable/xst+0x4146a8)

0x7f03c1cfe820 is located 0 bytes to the right of 16777248-byte region [0x7f03c0cfe800,0x7f03c1cfe820)

allocated by thread T0 here:

#0 0x7f03c5174602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)

#1 0x579189 in fxAllocateChunks /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsPlatforms.c:122

#2 0x53cd2b in fxGrowChunks /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsMemory.c:377

#3 0x53b7fe in fxAllocate /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsMemory.c:159

#4 0x42095a in fxCreateMachine /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsAPI.c:1305

#5 0x6ec9a0 in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:249

#6 0x7f03c480c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy

Shadow bytes around the buggy address:

0x0fe0f8397cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0fe0f8397cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0fe0f8397cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0fe0f8397ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0fe0f8397cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

=>0x0fe0f8397d00: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa

0x0fe0f8397d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0fe0f8397d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0fe0f8397d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0fe0f8397d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0fe0f8397d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

Addressable: 00

Partially addressable: 01 02 03 04 05 06 07

Heap left redzone: fa

Heap right redzone: fb

Freed heap region: fd

Stack left redzone: f1

Stack mid redzone: f2

Stack right redzone: f3

Stack partial redzone: f4

Stack after return: f5

Stack use after scope: f8

Global redzone: f9

Global init order: f6

Poisoned by user: f7

Container overflow: fc

Array cookie: ac

Intra object redzone: bb

ASan internal: fe

==5929==ABORTING

3.3.2 Fix

3.4. Moddable Heap Overflow

3.4.1 Vulnerability( asan output)

=================================================================

==5952==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001f730 at pc 0x7fb0e59e7709 bp 0x7ffdf461acb0 sp 0x7ffdf461a458

WRITE of size 3349 at 0x61b00001f730 thread T0

#0 0x7fb0e59e7708 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x62708)

#1 0x62b200 in fxIDToString /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsSymbol.c:510

#2 0x5d5fa9 in fxRunID /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:2135

#3 0x604ee7 in fxRunScript /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:4708

#4 0x5fe6a4 in fxRunEval /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:4279

#5 0x5f96a0 in fxRunID /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:3970

#6 0x604ee7 in fxRunScript /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:4708

#7 0x6fa9f9 in fxRunProgramFile /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:1369

#8 0x6ed74c in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:270

#9 0x7fb0e50b582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

#10 0x4146a8 in _start (/root/AFL/targets/moddable/xst+0x4146a8)

0x61b00001f730 is located 0 bytes to the right of 1456-byte region [0x61b00001f180,0x61b00001f730)

allocated by thread T0 here:

#0 0x7fb0e5a1d79a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)

#1 0x42079e in fxCreateMachine /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsAPI.c:1271

#2 0x6ec9a0 in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:249

#3 0x7fb0e50b582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??

Shadow bytes around the buggy address:

0x0c367fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0c367fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0c367fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0c367fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0c367fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

=>0x0c367fffbee0: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa

0x0c367fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c367fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c367fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c367fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c367fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

Addressable: 00

Partially addressable: 01 02 03 04 05 06 07

Heap left redzone: fa

Heap right redzone: fb

Freed heap region: fd

Stack left redzone: f1

Stack mid redzone: f2

Stack right redzone: f3

Stack partial redzone: f4

Stack after return: f5

Stack use after scope: f8

Global redzone: f9

Global init order: f6

Poisoned by user: f7

Container overflow: fc

Array cookie: ac

Intra object redzone: bb

ASan internal: fe

==5952==ABORTING

3.4.2 Fix

3.5. QuickJS heap overflow

3.5.1 Vulnerability( asan output)

==101771==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000006fb6 at pc 0x0000004cca24 bp 0x7ffce2d3f790 sp 0x7ffce2d3f780

READ of size 2 at 0x603000006fb6 thread T0

#0 0x4cca23 in string_get /home/node/xQuickJS/quickjs.c:3527

#1 0x4cca23 in string_cmp /home/node/xQuickJS/quickjs.c:38525

#2 0x4cca23 in js_string_includes.lto_priv.492 /home/node/xQuickJS/quickjs.c:38687

#3 0x44f004 in js_call_c_function.lto_priv.735 /home/node/xQuickJS/quickjs.c:15485

#4 0x40ca81 in JS_CallInternal.lto_priv.279 /home/node/xQuickJS/quickjs.c:15687

#5 0x40e301 in JS_CallInternal.lto_priv.279 /home/node/xQuickJS/quickjs.c:16092

#6 0x5e1e63 in JS_CallFree.lto_priv.563 /home/node/xQuickJS/quickjs.c:18154

#7 0x5eb1ee in JS_EvalFunctionInternal.lto_priv.256 /home/node/xQuickJS/quickjs.c:32264

#8 0x5ed6ed in __JS_EvalInternal.lto_priv.559 /home/node/xQuickJS/quickjs.c:32412

#9 0x40ac06 in JS_EvalInternal /home/node/xQuickJS/quickjs.c:32430

#10 0x40ac06 in JS_Eval /home/node/xQuickJS/quickjs.c:32460

#11 0x40ac06 in eval_buf /home/node/xQuickJS/qjs.c:67

#12 0x40ac06 in eval_file /home/node/xQuickJS/qjs.c:99

#13 0x40ac06 in main /home/node/xQuickJS/qjs.c:490

#14 0x7f58037d582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

#15 0x40bf28 in _start (/home/node/xQuickJS/qjs+0x40bf28)

0x603000006fb6 is located 0 bytes to the right of 22-byte region [0x603000006fa0,0x603000006fb6)

allocated by thread T0 here:

#0 0x7f5803c17602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)

#1 0x43d87c in js_def_malloc /home/node/xQuickJS/quickjs.c:1567

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/node/xQuickJS/quickjs.c:3527 string_get

Shadow bytes around the buggy address:

0x0c067fff8da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c067fff8db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c067fff8dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c067fff8dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c067fff8de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

=>0x0c067fff8df0: fa fa fa fa 00 00[06]fa fa fa 00 00 02 fa fa fa

0x0c067fff8e00: fd fd fd fa fa fa 00 00 00 00 fa fa fd fd fd fd

0x0c067fff8e10: fa fa fd fd fd fa fa fa fd fd fd fd fa fa 00 00

0x0c067fff8e20: 00 00 fa fa fd fd fd fd fa fa 00 00 00 00 fa fa

0x0c067fff8e30: fd fd fd fa fa fa fd fd fd fd fa fa 00 00 00 00

0x0c067fff8e40: fa fa 00 00 00 00 fa fa fd fd fd fd fa fa fd fd

Shadow byte legend (one shadow byte represents 8 application bytes):

Addressable: 00

Partially addressable: 01 02 03 04 05 06 07

Heap left redzone: fa

Heap right redzone: fb

Freed heap region: fd

Stack left redzone: f1

Stack mid redzone: f2

Stack right redzone: f3

Stack partial redzone: f4

Stack after return: f5

Stack use after scope: f8

Global redzone: f9

Global init order: f6

Poisoned by user: f7

Container overflow: fc

Array cookie: ac

Intra object redzone: bb

ASan internal: fe

==101771==ABORTING

3.5.2 Fix

The repair code is too long, so we choose to use the developer's confirmation email to explain it.

I confirm there is a buffer overflow in String.prototype.startsWith. It will be fixed in the next release.

Best regards,

Fabrice.

Liew Darren wrote:

> the following code is causing heap-buffer-overflow exception

> function* invalidControls() {

> for (alpha = 1072; alpha <= 1103; alpha++) {

> yield String.fromCharCode(alpha);

> }

> for (let letter of invalidControls()) {

> var source = '\\c' + letter;

> char = source.startsWith(source, 100);

> }

> same code run in browser doesn't cause exception.

> details report can be found here

> https://github.com/ldarren/QuickJS/issues/10

> Thanks for your attention

> --

> Best regards,

> Darren Liew

3.6 . Jsish heap overflow

3.6.1 Vulnerability( asan output)

3.6.2 Fix

3.7. Jsish use after free

3.7.1 Vulnerability( asan output)

3.7.2 Fix

For the use after free in jsish prior to 3.2.3 use:

CVE-2020-275XX

Suggested Description:

In jsish prior to 3.2.3, when jsi_DecrRefCount calls the jsi_freeValueEntry function, it incorrectly references the heap block that has been freed by jsi_freeValueEntry (src/jsiInterp.c:643), causing a Use After Free vulnerability.

3.8. Moddable heap-buffer-overflow

3.8.1 Vulnerability( asan output)

==5944==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f751f1fe820 at pc 0x7f75226c5904 bp 0x7fffc01aa870 sp 0x7fffc01aa018

WRITE of size 1048578 at 0x7f751f1fe820 thread T0

#0 0x7f75226c5903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)

#1 0x61c670 in fx_String_prototype_repeat /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsString.c:969

#2 0x5bcb2b in fxRunID /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:824

#3 0x604ee7 in fxRunScript /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:4708

#4 0x6fa9f9 in fxRunProgramFile /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:1369

#5 0x6ed74c in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:270

#6 0x7f7521d6982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

#7 0x4146a8 in _start (/root/AFL/targets/moddable/xst+0x4146a8)

0x7f751f1fe820 is located 0 bytes to the right of 16777248-byte region [0x7f751e1fe800,0x7f751f1fe820)

allocated by thread T0 here:

#0 0x7f75226d1602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)

#1 0x579189 in fxAllocateChunks /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsPlatforms.c:122

#2 0x53cd2b in fxGrowChunks /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsMemory.c:377

#3 0x53b7fe in fxAllocate /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsMemory.c:159

#4 0x42095a in fxCreateMachine /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsAPI.c:1305

#5 0x6ec9a0 in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:249

#6 0x7f7521d6982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy

Shadow bytes around the buggy address:

0x0fef23e37cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0fef23e37cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0fef23e37cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0fef23e37ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0fef23e37cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

=>0x0fef23e37d00: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa

0x0fef23e37d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0fef23e37d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0fef23e37d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0fef23e37d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0fef23e37d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

Addressable: 00

Partially addressable: 01 02 03 04 05 06 07

Heap left redzone: fa

Heap right redzone: fb

Freed heap region: fd

Stack left redzone: f1

Stack mid redzone: f2

Stack right redzone: f3

Stack partial redzone: f4

Stack after return: f5

Stack use after scope: f8

Global redzone: f9

Global init order: f6

Poisoned by user: f7

Container overflow: fc

Array cookie: ac

Intra object redzone: bb

ASan internal: fe

==5944==ABORTING

3.8.2 Fix

3.9 . Moddable heap-buffer-overflow

3.9.1 Vulnerability( asan output)

=================================================================

==5914==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f603a9fe820 at pc 0x7f603de4ebec bp 0x7ffc75e18740 sp 0x7ffc75e17ee8

WRITE of size 2147483647 at 0x7f603a9fe820 thread T0

#0 0x7f603de4ebeb in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbeb)

#1 0x49c99e in fx_ArrayBuffer /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsDataView.c:431

#2 0x5bcb2b in fxRunID /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:824

#3 0x604ee7 in fxRunScript /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:4708

#4 0x6fa9f9 in fxRunProgramFile /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:1369

#5 0x6ed74c in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:270

#6 0x7f603d4f282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

#7 0x4146a8 in _start (/root/AFL/targets/moddable/xst+0x4146a8)

0x7f603a9fe820 is located 0 bytes to the right of 16777248-byte region [0x7f60399fe800,0x7f603a9fe820)

allocated by thread T0 here:

#0 0x7f603de5a602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)

#1 0x579189 in fxAllocateChunks /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsPlatforms.c:122

#2 0x53cd2b in fxGrowChunks /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsMemory.c:377

#3 0x53b7fe in fxAllocate /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsMemory.c:159

#4 0x42095a in fxCreateMachine /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsAPI.c:1305

#5 0x6ec9a0 in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:249

#6 0x7f603d4f282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memset

Shadow bytes around the buggy address:

0x0fec87537cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0fec87537cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0fec87537cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0fec87537ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0fec87537cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

=>0x0fec87537d00: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa

0x0fec87537d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0fec87537d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0fec87537d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0fec87537d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0fec87537d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

Addressable: 00

Partially addressable: 01 02 03 04 05 06 07

Heap left redzone: fa

Heap right redzone: fb

Freed heap region: fd

Stack left redzone: f1

Stack mid redzone: f2

Stack right redzone: f3

Stack partial redzone: f4

Stack after return: f5

Stack use after scope: f8

Global redzone: f9

Global init order: f6

Poisoned by user: f7

Container overflow: fc

Array cookie: ac

Intra object redzone: bb

ASan internal: fe

==5914==ABORTING

3.9.2 Fix

3.10 . Moddable over access

3.10.1 Vulnerability( asan output)

=================================================================

==5974==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3b90c5ec8a (pc 0x0000004cbf37 bp 0x7ffe0703b1f0 sp 0x7ffe0703b1c0 T0)

#0 0x4cbf36 in fxDebugThrow /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsDebug.c:784

#1 0x42068e in fxThrowMessage /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsAPI.c:1251

#2 0x655dea in fxEnvironmentGetProperty /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsType.c:1147

#3 0x5d5e64 in fxRunID /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:2133

#4 0x604ee7 in fxRunScript /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:4708

#5 0x6fa9f9 in fxRunProgramFile /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:1369

#6 0x6ed74c in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:270

#7 0x7f4b855bd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

#8 0x4146a8 in _start (/root/AFL/targets/moddable/xst+0x4146a8)

AddressSanitizer can not provide additional info.

SUMMARY: AddressSanitizer: SEGV /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsDebug.c:784 fxDebugThrow

==5974==ABORTING

3.10.2 Fix

Google Sites

Report abuse