From: Gottox <Gottox@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] quickjs: Fix stack overflow in CVE-2023-31922
Date: Sat, 10 Jun 2023 13:34:49 +0200 [thread overview]
Message-ID: <20230610113449.Q3tQxShdMgefFlGHUz1lu09x8EAGQMIvJMmnuZE8mqg@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-44173@inbox.vuxu.org>
[-- Attachment #1: Type: text/plain, Size: 1124 bytes --]
There is an updated pull request by Gottox against master on the void-packages repository
https://github.com/Gottox/void-packages quickjs-cve-2023-31922
https://github.com/void-linux/void-packages/pull/44173
quickjs: Fix stack overflow in CVE-2023-31922
<!-- Uncomment relevant sections and delete options which are not applicable -->
#### Testing the changes
- I tested the changes in this PR: **YES**
-
https://github.com/bellard/quickjs/issues/178
<!-- Note: If the build is likely to take more than 2 hours, please add ci skip tag as described in
https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration
and test at least one native build and, if supported, at least one cross build.
Ignore this section if this PR is not skipping CI.
-->
<!--
#### Local build testing
- I built this PR locally for my native architecture, (ARCH-LIBC)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
- aarch64-musl
- armv7l
- armv6l-musl
-->
A patch file from https://github.com/void-linux/void-packages/pull/44173.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-quickjs-cve-2023-31922-44173.patch --]
[-- Type: text/x-diff, Size: 2312 bytes --]
From 10864c182336684c23391b8df6150d32c9dd3079 Mon Sep 17 00:00:00 2001
From: Enno Boland <gottox@voidlinux.org>
Date: Tue, 30 May 2023 18:00:45 +0200
Subject: [PATCH] quickjs: Fix stack overflow in CVE-2023-31922
---
.../patch-gh-issue-178-cve-2023-31922.patch | 42 +++++++++++++++++++
srcpkgs/quickjs/template | 2 +-
2 files changed, 43 insertions(+), 1 deletion(-)
create mode 100644 srcpkgs/quickjs/patches/patch-gh-issue-178-cve-2023-31922.patch
diff --git a/srcpkgs/quickjs/patches/patch-gh-issue-178-cve-2023-31922.patch b/srcpkgs/quickjs/patches/patch-gh-issue-178-cve-2023-31922.patch
new file mode 100644
index 000000000000..754924c60639
--- /dev/null
+++ b/srcpkgs/quickjs/patches/patch-gh-issue-178-cve-2023-31922.patch
@@ -0,0 +1,42 @@
+From 056459314305f666aee132565df710c42f41ec04 Mon Sep 17 00:00:00 2001
+From: Nick Vatamaniuc <vatamane@gmail.com>
+Date: Sun, 28 May 2023 01:50:46 -0400
+Subject: [PATCH] Fix stack overflow in CVE-2023-31922
+
+isArray and proxy isArray can call each other indefinitely in a mutually
+recursive loop.
+
+Add a stack overflow check in the js_proxy_isArray function before calling
+JS_isArray(ctx, s->target).
+
+With ASAN the the poc.js from issue 178:
+
+```
+./qjs ./poc.js
+InternalError: stack overflow
+ at isArray (native)
+ at <eval> (./poc.js:4)
+```
+
+Fix: https://github.com/bellard/quickjs/issues/178
+---
+ quickjs.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/quickjs.c b/quickjs.c
+index 79160139..a3b0b55f 100644
+--- a/quickjs.c
++++ b/quickjs.c
+@@ -45243,6 +45243,12 @@ static int js_proxy_isArray(JSContext *ctx, JSValueConst obj)
+ JSProxyData *s = JS_GetOpaque(obj, JS_CLASS_PROXY);
+ if (!s)
+ return FALSE;
++
++ if (js_check_stack_overflow(ctx->rt, 0)) {
++ JS_ThrowStackOverflow(ctx);
++ return -1;
++ }
++
+ if (s->is_revoked) {
+ JS_ThrowTypeErrorRevokedProxy(ctx);
+ return -1;
diff --git a/srcpkgs/quickjs/template b/srcpkgs/quickjs/template
index 7cfe6f3e7f43..562ca371bc5d 100644
--- a/srcpkgs/quickjs/template
+++ b/srcpkgs/quickjs/template
@@ -1,7 +1,7 @@
# Template file for 'quickjs'
pkgname=quickjs
version=2021.03.27
-revision=3
+revision=4
build_style=gnu-makefile
make_use_env=true
make_build_args="CONFIG_LTO="
next prev parent reply other threads:[~2023-06-10 11:34 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-30 16:01 [PR PATCH] " Gottox
2023-06-10 11:34 ` Gottox [this message]
2023-06-11 22:29 ` [PR PATCH] [Merged]: " classabbyamp
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230610113449.Q3tQxShdMgefFlGHUz1lu09x8EAGQMIvJMmnuZE8mqg@z \
--to=gottox@users.noreply.github.com \
--cc=ml@inbox.vuxu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).