Stack exhaustion parsing a JSON file #282

Closed
gaa-cifasis opened this issue May 1, 2016 · 7 comments
Comments

@gaa-cifasis

Hi,

A crash caused by stack exhaustion parsing a JSON was found. It affects, at least version 2.5 as well as the last git revision (and maybe others). To reproduce using jshon:

$ python -c 'print "["*100000' > test.json
$ gdb --args ./jshon -F test.json
...
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4e50645 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0

(gdb) bt 20
#0  0x00007ffff4e50645 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#1  0x00007ffff4e53b7d in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#2  0x00007ffff4e60443 in malloc () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3  0x000000000040c422 in jsonp_malloc (size=48) at memory.c:24
#4  0x000000000040f196 in json_array () at value.c:325
#5  0x000000000040afd0 in parse_array (lex=0x7fffffffe110, flags=0, error=0x7fffffffe2e0) at load.c:746
#6  0x000000000040b4b2 in parse_value (lex=0x7fffffffe110, flags=0, error=0x7fffffffe2e0) at load.c:830
#7  0x000000000040b064 in parse_array (lex=0x7fffffffe110, flags=0, error=0x7fffffffe2e0) at load.c:755
#8  0x000000000040b4b2 in parse_value (lex=0x7fffffffe110, flags=0, error=0x7fffffffe2e0) at load.c:830
#9  0x000000000040b064 in parse_array (lex=0x7fffffffe110, flags=0, error=0x7fffffffe2e0) at load.c:755
#10 0x000000000040b4b2 in parse_value (lex=0x7fffffffe110, flags=0, error=0x7fffffffe2e0) at load.c:830
#11 0x000000000040b064 in parse_array (lex=0x7fffffffe110, flags=0, error=0x7fffffffe2e0) at load.c:755
#12 0x000000000040b4b2 in parse_value (lex=0x7fffffffe110, flags=0, error=0x7fffffffe2e0) at load.c:830
#13 0x000000000040b064 in parse_array (lex=0x7fffffffe110, flags=0, error=0x7fffffffe2e0) at load.c:755
#14 0x000000000040b4b2 in parse_value (lex=0x7fffffffe110, flags=0, error=0x7fffffffe2e0) at load.c:830
#15 0x000000000040b064 in parse_array (lex=0x7fffffffe110, flags=0, error=0x7fffffffe2e0) at load.c:755
#16 0x000000000040b4b2 in parse_value (lex=0x7fffffffe110, flags=0, error=0x7fffffffe2e0) at load.c:830
#17 0x000000000040b064 in parse_array (lex=0x7fffffffe110, flags=0, error=0x7fffffffe2e0) at load.c:755
#18 0x000000000040b4b2 in parse_value (lex=0x7fffffffe110, flags=0, error=0x7fffffffe2e0) at load.c:830
#19 0x000000000040b064 in parse_array (lex=0x7fffffffe110, flags=0, error=0x7fffffffe2e0) at load.c:755
(More stack frames follow...)
@dev-zzo
Contributor

dev-zzo commented May 2, 2016

This is caused by an unlimited parsing depth when parsing JSON arrays; this allows the parse_value() -> parse_array() -> parse_value() chain to grow without limit. To that end, a similar effect may be achieved via objects, using a pattern of {"a": repeated 1000s of times, triggering the parse_value() -> parse_object() -> parse_value() chain.

@gaa-cifasis
Author

> To that end, a similar effect may be achieved via objects, using a pattern of {"a": repeated 1000s of times, triggering the parse_value() -> parse_object() -> parse_value() chain.

Indeed. It takes a JSON file of less than 100 KB to crash the library, which is bad if you are receiving untrusted inputs. Are there any plans to limit the parsing depth?

@dev-zzo
Contributor

dev-zzo commented May 2, 2016

I have no idea since I'm not the maintainer. I think I could throw a patch together to fix the root cause, though.

@dev-zzo
Contributor

dev-zzo commented May 2, 2016

The fix is in pull request #283.

@akheron
Owner

akheron commented May 3, 2016

Fixed in #284

@akheron akheron closed this as completed May 3, 2016
nmlgc added a commit to thpatch/thcrap that referenced this issue May 8, 2016
Including a rather critical bugfix for Jansson; see
akheron/jansson#282.
@junovitch

Hi folks. We have reports on FreeBSD that the change in #284 causes a regression on large flat JSON files. The report is https://bugs.FreeBSD.org/209492.

Any recommendations?

@dev-zzo
Contributor

dev-zzo commented May 14, 2016

@junovitch would be awesome if you could a) open a separate issue with b) a sample attached for testing and c) link to the exact patch applied by FreeBSD.

Mephistophiles pushed a commit to Mephistophiles/jansson that referenced this issue Nov 21, 2016
The fix limits recursion depths when parsing arrays and objects.
The limit is configurable via the `JSON_PARSER_MAX_DEPTH` setting
within `jansson_config.h` and is set by default to 2048.

Update the RFC conformance document to note the limit; the RFC
allows limits to be set by the implementation so nothing has
actually changed w.r.t. conformance state.

Reported by Gustavo Grieco.
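As an added illustration of the fix described in the commit message above (and of the root cause dev-zzo describes earlier in the thread), the following C program is not Jansson's code: it is a small recursive-descent JSON structure checker that carries a depth counter down the parse_value() -> parse_container() -> parse_value() chain and refuses to descend past a configurable limit, the same idea as Jansson's `JSON_PARSER_MAX_DEPTH` (assumed here as a local `MAX_DEPTH` of 2048). The helper names (`json_check_depth`, `check_nested_arrays`, `check_nested_objects`, `check_flat_array`) are invented for this example. The inputs it builds are constructed locally: the reporter's unterminated "[[[[..." file, the nested-object pattern from the thread, and a large but flat array, which a depth limit must still accept (the point of the FreeBSD regression report is that size and depth are different things).

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed local stand-in for Jansson's JSON_PARSER_MAX_DEPTH default. */
#define MAX_DEPTH 2048

enum { DEPTH_OK = 0, ERR_TOO_DEEP = -1, ERR_SYNTAX = -2 };

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t' || *p == '\n' || *p == '\r')
        p++;
    return p;
}

/* Skip a string literal so brackets inside strings never count as nesting. */
static const char *skip_string(const char *p)
{
    if (*p != '"')
        return NULL;
    for (p++; *p && *p != '"'; p++) {
        if (*p == '\\') {           /* escaped character: consume it too */
            p++;
            if (!*p)
                return NULL;
        }
    }
    return *p == '"' ? p + 1 : NULL;
}

/* Skip a number / true / false / null up to the next delimiter. */
static const char *skip_scalar(const char *p)
{
    const char *start = p;
    while (*p && !strchr(",]} \t\n\r", *p))
        p++;
    return p > start ? p : NULL;
}

static int parse_value(const char **pp, size_t depth, size_t max_depth);

/* Parse the members of an array (close == ']') or object (close == '}'). */
static int parse_container(const char **pp, char close, size_t depth, size_t max_depth)
{
    const char *p = skip_ws(*pp + 1);       /* step past the opening bracket */
    if (*p == close) {
        *pp = p + 1;
        return DEPTH_OK;
    }
    for (;;) {
        int rc;
        p = skip_ws(p);
        if (close == '}') {                 /* object member: "key" : value */
            p = skip_string(p);
            if (!p)
                return ERR_SYNTAX;
            p = skip_ws(p);
            if (*p != ':')
                return ERR_SYNTAX;
            p++;
        }
        rc = parse_value(&p, depth, max_depth);
        if (rc != DEPTH_OK)
            return rc;
        p = skip_ws(p);
        if (*p == ',') {
            p++;
            continue;
        }
        if (*p == close) {
            *pp = p + 1;
            return DEPTH_OK;
        }
        return ERR_SYNTAX;
    }
}

static int parse_value(const char **pp, size_t depth, size_t max_depth)
{
    const char *p = skip_ws(*pp);
    int rc;
    switch (*p) {
    case '[':
    case '{':
        /* Every container costs one more recursion level; stop at the limit
           instead of letting attacker-controlled nesting exhaust the stack. */
        if (depth >= max_depth)
            return ERR_TOO_DEEP;
        rc = parse_container(&p, *p == '[' ? ']' : '}', depth + 1, max_depth);
        break;
    case '"':
        p = skip_string(p);
        rc = p ? DEPTH_OK : ERR_SYNTAX;
        break;
    default:
        p = skip_scalar(p);
        rc = p ? DEPTH_OK : ERR_SYNTAX;
        break;
    }
    if (rc == DEPTH_OK)
        *pp = p;
    return rc;
}

/* Validate one JSON document; returns DEPTH_OK, ERR_TOO_DEEP or ERR_SYNTAX. */
int json_check_depth(const char *text, size_t max_depth)
{
    const char *p = text;
    int rc = parse_value(&p, 0, max_depth);
    if (rc != DEPTH_OK)
        return rc;
    return *skip_ws(p) == '\0' ? DEPTH_OK : ERR_SYNTAX;
}

/* n nested arrays; unbalanced reproduces the issue's "["*n file (constructed). */
int check_nested_arrays(size_t n, int balanced, size_t max_depth)
{
    size_t len = balanced ? 2 * n : n;
    char *s = malloc(len + 1);
    int rc;
    if (!s)
        abort();
    memset(s, '[', n);
    if (balanced)
        memset(s + n, ']', n);
    s[len] = '\0';
    rc = json_check_depth(s, max_depth);
    free(s);
    return rc;
}

/* {"a":{"a":...1...}} nested n deep, the object pattern from the thread (constructed). */
int check_nested_objects(size_t n, size_t max_depth)
{
    const char *open = "{\"a\":";
    size_t olen = strlen(open), i;
    char *s = malloc(n * olen + 1 + n + 1), *w = s;
    int rc;
    if (!s)
        abort();
    for (i = 0; i < n; i++) {
        memcpy(w, open, olen);
        w += olen;
    }
    *w++ = '1';
    memset(w, '}', n);
    w[n] = '\0';
    rc = json_check_depth(s, max_depth);
    free(s);
    return rc;
}

/* [1,1,...,1] with n elements: large but only one level deep (constructed). */
int check_flat_array(size_t n, size_t max_depth)
{
    size_t len = n ? 2 * n + 1 : 2, i;
    char *s = malloc(len + 1);
    int rc;
    if (!s)
        abort();
    s[0] = '[';
    for (i = 0; i < n; i++) {
        s[1 + 2 * i] = '1';
        s[2 + 2 * i] = ',';
    }
    s[len - 1] = ']';
    s[len] = '\0';
    rc = json_check_depth(s, max_depth);
    free(s);
    return rc;
}

int main(void)
{
    printf("100000 x '[' (issue input): %d\n", check_nested_arrays(100000, 0, MAX_DEPTH));
    printf("2048 nested, balanced:      %d\n", check_nested_arrays(2048, 1, MAX_DEPTH));
    printf("2049 nested, balanced:      %d\n", check_nested_arrays(2049, 1, MAX_DEPTH));
    printf("5000 nested objects:        %d\n", check_nested_objects(5000, MAX_DEPTH));
    printf("flat array, 100000 items:   %d\n", check_flat_array(100000, MAX_DEPTH));
    return 0;
}
```

The limit counts containers, not bytes, so the reporter's file is rejected after 2048 levels with a bounded amount of stack, while a flat 100000-element array is accepted; a deployment that parses untrusted input picks `max_depth` from the deepest structure it legitimately expects rather than from the default.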