quickjs-ng quickjs Use-After-Free Vulnerability in Atomics Operations

Vulnerability

A use-after-free vulnerability has been identified in quickjs-ng quickjs versions through 0.11.0. The flaw is in the Atomics Ops Handler in the file quickjs.c. It allows heap memory to be accessed after it has been freed, which can lead to memory corruption or arbitrary code execution. The vulnerability can be exploited remotely, and the exploit is publicly available.

Impact

Exploitation of this vulnerability causes a heap use-after-free condition, which can lead to memory corruption, the potential execution of arbitrary code, and crashes.

Reproduction

The vulnerability can be reproduced by calling an Atomics operation, such as Atomics.store or Atomics.add, with a value that triggers a resize of the underlying ArrayBuffer. This can be done by using an object with a custom valueOf method that resizes the buffer when accessed. The use-after-free condition can be verified by compiling quickjs with AddressSanitizer enabled, which will report the memory corruption error.
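The ordering problem behind this class of bug, and the defensive ordering that avoids it, can be shown in a small C model. This is an added example, not quickjs-ng code and not the project's patch: the Buf type, the callback type and all function names are hypothetical, and the "resizing" conversion is a constructed stand-in for a value whose conversion runs user code.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model, NOT quickjs-ng code: every name below is hypothetical. */
typedef struct { uint8_t *data; size_t len; } Buf;
typedef int32_t (*ToInt)(Buf *b);   /* stands in for a user valueOf() */

/* Constructed conversion with a side effect: shrinks the buffer to 0. */
static int32_t resizing_value(Buf *b) {
    free(b->data); b->data = NULL; b->len = 0;
    return 42;
}
static int32_t plain_value(Buf *b) { (void)b; return 7; }

/* Unsafe ordering: the element address is computed BEFORE the conversion.
 * Returns 1 when that address is stale afterwards. A real handler would
 * write through it at this point; this model only reports the condition. */
int stale_after_conversion(Buf *b, size_t idx, ToInt conv) {
    uintptr_t early = (uintptr_t)b->data + idx * 4;
    (void)conv(b);                  /* user code may free b->data */
    return idx >= b->len / 4 || (uintptr_t)b->data + idx * 4 != early;
}

/* Safe ordering: run the conversion first, then bounds-check and derive
 * the address from the buffer's current state. Returns 0 on success. */
int store_checked(Buf *b, size_t idx, ToInt conv) {
    int32_t v = conv(b);
    if (idx >= b->len / 4) return -1;   /* buffer shrank or was detached */
    memcpy(b->data + idx * 4, &v, sizeof v);
    return 0;
}

int main(void) {
    Buf a = { calloc(16, 1), 16 };
    Buf b = { calloc(16, 1), 16 };
    printf("unsafe order stale: %d\n", stale_after_conversion(&a, 1, resizing_value));
    printf("checked store (plain): %d\n", store_checked(&b, 1, plain_value));
    printf("checked store (resizing): %d\n", store_checked(&b, 1, resizing_value));
    return 0;
}
```

When reviewing native handlers that accept script values, the same check applies: any pointer or length read from a buffer before a conversion that can run user code must be re-derived after it.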

Remediation

Users are advised to update to the patched version of quickjs-ng quickjs, which is available on the project's GitHub repository.

Added: Jan 19, 2026, 8:20 AM
Updated: Jan 19, 2026, 8:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 5.6
remediation: 7.7
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.