Fix stack overflow in CVE-2023-31922 #157
Conversation
|
Thanks for the PR. Would it be possible to add a regression test to e.g. tests/test_builtin.js? If you push the test first, we can do a before/after check; there are ASAN buildbots in the CI matrix. |
|
@bnoordhuis thanks for taking a look! I had added the test from the original issue bellard/quickjs#178. However it was still not working as expected. It turns out stack checking was disabled on this fork when using ASAN. I tried to re-enable it as an experiment so with |
|
#161 - let's see if it's possible to get the stack checks working under asan |
|
@nickva can you rebase on top of master? |
|
Will do, thanks, @bnoordhuis! |
nickva
force-pushed
the
fix-stack-overflow-cve-2023-31922
branch
from
1541e70 to
89dd2c2
Compare
|
@bnoordhuis Thank you for enabling ASAN stack checking. I rebased on master and updated the test to try to account for the fact that without ASAN To validate it, I commented out the fix from With the fix, it passed the test. |
Don't merge this is only the test from PR quickjs-ng#157
|
I created a separate test PR which just has the test so we can see what it would do with the tests: #165 |
isArray and proxy isArray can call each other indefinitely in a mutually recursive loop. Add a stack overflow check in the js_proxy_isArray function before calling `JS_isArray(ctx, s->target)`. Original issue: bellard/quickjs#178 CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-31922
nickva
force-pushed
the
fix-stack-overflow-cve-2023-31922
branch
from
89dd2c2 to
2425b54
Compare
|
Cheers! |
|
@bnoordhuis, @saghul thanks for starting and maintaining quickjs-ng! |
isArrayand proxyisArraycan call each other indefinitely in a mutually recursive loop.Add a stack overflow check in the
js_proxy_isArrayfunction before callingJS_isArray(ctx, s->target).Original issue: bellard/quickjs#178
CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-31922