Submission #754495: janet-lang janet 2fabc80 Heap-based Buffer Overflow

Title: janet-lang janet 2fabc80 Heap-based Buffer Overflow
Description:

### Description

We discovered a Heap-buffer-overflow vulnerability in Janet. The crash occurs in the janetc_if function during the compilation phase (specifically within janet_compile_lint). The ASAN report indicates a READ violation of size 4, occurring exactly at the boundary (0 bytes after) of a 24-byte allocated region.

Vendor confirmed and fixed this vulnerability in commit [c43e066](https://github.com/janet-lang/janet/commit/c43e06672cd9dacf2122c99f362120a17c34b391).

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.

### Vulnerability Details

- Target: Janet (janet-lang)
- Vulnerability Type: CWE-125: Out-of-bounds Read
- Function: janetc_if
- Location: src/core/specials.c:690
- Context: The crash happens deep within the compiler stack: janet_compile_lint -> janetc_def -> dohead_destructure -> janetc_fn -> janetc_if.
- Root Cause Analysis: The function janetc_if handles the `if` special form. The ASAN report shows:

  ```
  0x50300001c348 is located 0 bytes after 24-byte region
  READ of size 4 at 0x50300001c348
  ```

  The buffer size is 24 bytes. The code attempts to read a 4-byte value right after the end of this buffer. This suggests the compiler is accessing an argument or structure member of an `if` expression without verifying that the source tuple has sufficient length, specifically when `if` is nested within a function definition inside a destructuring `def`.

### Reproduce

1. Build janet and the harness with Release optimization and ASAN enabled.

<details>
<summary>harness.c</summary>

```c
#include "janet.h"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdint.h>
#include <string.h>

/* Minimal harness: read the whole input file into memory and hand it to
 * janet_dostring, so the crash is reached through the normal compile path. */
int main(int argc, char **argv) {
    if (argc < 2) {
        return 1;
    }
    janet_init();
    JanetTable *env = janet_core_env(NULL);
    FILE *f = fopen(argv[1], "rb");
    if (!f) {
        janet_deinit();
        return 1;
    }
    fseek(f, 0, SEEK_END);
    long len = ftell(f);
    fseek(f, 0, SEEK_SET);
    if (len < 0) {
        /* ftell failed (e.g. not a regular file); bail out instead of malloc(0). */
        fclose(f);
        janet_deinit();
        return 1;
    }
    unsigned char *buf = (unsigned char *)malloc(len + 1);
    if (!buf) {
        fclose(f);
        janet_deinit();
        return 1;
    }
    if (fread(buf, 1, len, f) != (size_t)len) {
        free(buf);
        fclose(f);
        janet_deinit();
        return 1;
    }
    fclose(f);
    buf[len] = '\0';
    if (len >= 1) {
        Janet retval;
        janet_dostring(env, (const char *)buf, NULL, &retval);
        janet_gcroot(janet_wrap_nil());
    }
    free(buf);
    janet_deinit();
    return 0;
}
```

</details>

2. Run with the crashing [file](https://github.com/oneafter/0123/blob/main/ja2/repro):

```
./harness repro
```

<details>
<summary>ASAN report</summary>

```
==69066==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50300001c348 at pc 0x55c2fe90fd1e bp 0x7ffd70c215b0 sp 0x7ffd70c215a8
READ of size 4 at 0x50300001c348 thread T0
    #0 0x55c2fe90fd1d in janetc_if /src/janet/src/core/specials.c:690:35
    #1 0x55c2fe74b736 in janetc_value /src/janet/src/core/compile.c:822:15
    #2 0x55c2fe90bd2b in janetc_fn /src/janet/src/core/specials.c:1131:13
    #3 0x55c2fe74b736 in janetc_value /src/janet/src/core/compile.c:822:15
    #4 0x55c2fe85cdce in dohead_destructure /src/janet/src/core/specials.c:400:21
    #5 0x55c2fe905b0a in janetc_def /src/janet/src/core/specials.c:552:12
    #6 0x55c2fe74b736 in janetc_value /src/janet/src/core/compile.c:822:15
    #7 0x55c2fe75835e in janet_compile_lint /src/janet/src/core/compile.c:1081:5
    #8 0x55c2fe8593dd in janet_compile /src/janet/src/core/compile.c:1099:12
    #9 0x55c2fe8593dd in janet_dobytes /src/janet/src/core/run.c:51:39
    #10 0x55c2fe6fa0f3 in main /src/janet/harness.c:44:9
    #11 0x7f25475671c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #12 0x7f254756728a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #13 0x55c2fe618a94 in _start (/src/janet/harness_janet+0x54a94) (BuildId: 99073a3a75c69a7f87afa4e4c777fe183943214e)

0x50300001c348 is located 0 bytes after 24-byte region [0x50300001c330,0x50300001c348)
allocated by thread T0 here:
    #0 0x55c2fe6b8ce0 in realloc (/src/janet/harness_janet+0xf4ce0) (BuildId: 99073a3a75c69a7f87afa4e4c777fe183943214e)
    #1 0x55c2fe7e5324 in janet_srealloc /src/janet/src/core/gc.c:753:38

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/janet/src/core/specials.c:690:35 in janetc_if
Shadow bytes around the buggy address:
  0x50300001c080: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
  0x50300001c100: 00 fa fa fa 00 00 00 06 fa fa 00 00 00 fa fa fa
  0x50300001c180: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00
  0x50300001c200: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd
  0x50300001c280: fd fa fa fa 00 00 00 00 fa fa fd fd fd fa fa fa
=>0x50300001c300: fd fd fd fa fa fa 00 00 00[fa]fa fa 00 00 00 00
  0x50300001c380: fa fa fd fd fd fa fa fa fa fa fa fa fa fa fa fa
  0x50300001c400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50300001c480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50300001c500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50300001c580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==69066==ABORTING
```

</details>
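Triage helper for reports like the one above, added here as an example and not part of the submission or the Janet project: it parses the ASan lines into the fields a reviewer checks first (crash kind, faulting access, region size and how far past its end the access reaches, and the first non-allocator frame of the access and allocation stacks). The sample text is a constructed excerpt of the report quoted above; the regexes assume the current ASan wording ("N bytes after") and also accept the older "to the right of" form.

```python
import re
# Constructed excerpt of the ASan report quoted above; only the lines triage needs.
SAMPLE_REPORT = """\
==69066==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50300001c348 at pc 0x55c2fe90fd1e bp 0x7ffd70c215b0 sp 0x7ffd70c215a8
READ of size 4 at 0x50300001c348 thread T0
    #0 0x55c2fe90fd1d in janetc_if /src/janet/src/core/specials.c:690:35
    #1 0x55c2fe74b736 in janetc_value /src/janet/src/core/compile.c:822:15
0x50300001c348 is located 0 bytes after 24-byte region [0x50300001c330,0x50300001c348)
allocated by thread T0 here:
    #0 0x55c2fe6b8ce0 in realloc (/src/janet/harness_janet+0xf4ce0)
    #1 0x55c2fe7e5324 in janet_srealloc /src/janet/src/core/gc.c:753:38
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/janet/src/core/specials.c:690:35 in janetc_if
"""
ERROR_RE = re.compile(r"AddressSanitizer: (?P<kind>[\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes (?P<where>after|before|inside of|"
                       r"to the (?:left|right) of) (?P<rsize>\d+)-byte region")
ALLOCATORS = {"malloc", "calloc", "realloc", "free", "operator new", "operator delete"}

def parse_asan_report(text):
    """Collect crash kind, faulting access, region geometry and both stack traces."""
    info = {"access": [], "alloc": []}
    stack = "access"  # frames belong to the most recent stack header seen
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            info["kind"] = m["kind"]
        elif m := ACCESS_RE.match(line):
            info["op"], info["size"] = m["op"], int(m["size"])
        elif m := REGION_RE.search(line):
            info["distance"], info["where"] = int(m["dist"]), m["where"]
            info["region_size"] = int(m["rsize"])
        elif line.startswith("allocated by"):
            stack = "alloc"
        elif m := FRAME_RE.match(line):
            info[stack].append((m["func"], m["loc"]))
    return info

def first_user_frame(frames):  # skip allocator wrappers to reach the code owning the buffer
    return next(((f, loc) for f, loc in frames if f not in ALLOCATORS), (None, None))

def triage(text):  # summarise a report and flag an access starting exactly at the region end
    info = parse_asan_report(text)
    crash, alloc = first_user_frame(info["access"]), first_user_frame(info["alloc"])
    past_end = info["where"] in ("after", "to the right of")
    return {"kind": info["kind"], "op": info["op"], "size": info["size"],
            "crash": f"{crash[0]} {crash[1]}", "alloc": f"{alloc[0]} {alloc[1]}",
            "region_size": info["region_size"],
            # bytes the access reaches beyond the region end (0 if not past the end)
            "bytes_past_end": info["distance"] + info["size"] if past_end else 0,
            "exact_boundary": past_end and info["distance"] == 0}
```

For this report `triage(SAMPLE_REPORT)` attributes the crash to janetc_if at specials.c:690 and the buffer to janet_srealloc at gc.c:753, with a 4-byte read reaching 4 bytes past the 24-byte region.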
Source: https://github.com/janet-lang/janet/issues/1700
User: Oneafter (UID 92781)
Submission: 09/02/2026 07:06 (3 months ago)
Moderation: 09/02/2026 10:38 (4 hours later)
Status: Accepted
VulDB Entry: 344981 [janet-lang janet up to 1.40.1 src/core/specials.c janetc_if Information Disclosure]
Points: 20
