
[BUG] Unsafe yyjson Functions Cause CPU tempSensor Type Confusion #2202

@s0ssh

Read the FAQ first

  • I have checked the FAQ but the issue is not covered

Not a known issue

  • I have checked the existing issues but the issue is not covered
  • My issue is not about crashing on Fedora and KDE 6.6

Description

The fastfetch JSON parsing logic for the CPU module relies on unsafe yyjson functions that perform lots of “magic” pointer arithmetic and tricks, which leads the tempSensor key to happily accept an arbitrary address value as a string pointer instead of a valid string.

It seems to me like a type confusion, and while I've spent a long time debugging it, the yyjson code used relies on macros and heavy inlining. It’s prohibitively time-consuming to debug. The impact of this bug is very low from what I can tell, so I just don't have the time to unravel it, but it results in an arbitrary address value for the tempSensor key being loaded into memory, treated as a string pointer, and being passed to strlen, resulting in a segmentation fault.

I wrote a detailed writeup/report walkthrough here, with thorough documentation, since it was too long for a GitHub issue: https://s0s.sh/fuzzing-fastfetch-part-2/

Version used

fastfetch 2.59.0-3

Bug prevalence

Always

Regression

Not sure

Installation

Built from source

Package manager

No response

Screenshots

No response

Configuration

{
    "$schema": "https://github.com/fastfetch-cli/fastfetch/raw/dev/doc/json_schema.json",
    "modules": [
        {
            "type": "cpu",
            tempSensor: 188762923383486
        },
    ]
}

Stacktrace

Reading symbols from ./fastfetch/build-debug/fastfetch...
Starting program: /home/fuzzer/Fuzzing/fastfetch/fastfetch/build-debug/fastfetch -c cur2
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
                             ....
Program received signal SIGSEGV, Segmentation fault.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
warning: 76	../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
No locals.
#1  0x00005555555ef37d in ffStrbufSetS (strbuf=0x7fffffffd6b8, value=0xabadcafebabe <error: Cannot access memory at address 0xabadcafebabe>)
    at /home/fuzzer/Fuzzing/fastfetch/fastfetch/src/common/FFstrbuf.h:262
        __PRETTY_FUNCTION__ = "ffStrbufSetS"
#2  0x00005555555eff8a in ffParseCPUJsonObject (options=0x7fffffffd660, module=0x555555921230) at /home/fuzzer/Fuzzing/fastfetch/fastfetch/src/modules/cpu/cpu.c:139
        key = 0x555555921260
        val = 0x555555921270
        idx = 1
        max = 2
#3  0x0000555555598efd in parseModuleJsonObject (type=0x55555592114c "cpu", jsonVal=0x555555921230, jsonDoc=0x0)
    at /home/fuzzer/Fuzzing/fastfetch/fastfetch/src/common/impl/jsonconfig.c:115
        optionBuf = "\000\000\000\000\000\000\000\000g\004\206UUU\000\000\000\000\000\000\000\000\000\000g\004\206UUU\000\000\000\000\000\000\003\000\000\000\234\201\213UUU\000\000\000\000\000\000\000\000\000\000g\004\206UUU\000\000\000\000\000\000\000\000\000\000g\004\206UUU\000\000\000\000\000\000\377\177\000\000\000\000\000\000\000\000\000\000g\004\206UUU\000\000\000<P\000UU\000\000\000\000\000\000\000\000\000\000\220s\002\000\000\000\000\000\220s\002\000\000\000\000\000\000\020\000\000\000\000\000\000\001\000\000\000\005\000\000\000\000\200\002\000\000\000\000\000\000\200\002\000\000\000\000\000L\021\222UUU\000\000:}\030\000\003\000\000\000\300\342\377\377\377\177\000\000\000\020\000\000\000\000\000\000"...
        succeeded = 47
        baseInfo = 0x555555919c40 <ffCPUModuleInfo>
        modules = 0x55555591d060 <C+32>
#4  0x000055555559cf18 in printJsonConfig (data=0x7fffffffe2a0, prepare=false) at /home/fuzzer/Fuzzing/fastfetch/fastfetch/src/common/impl/jsonconfig.c:308
        ms = 0
        module = 0x555555921230
        type = 0x55555592114c "cpu"
        jsonDoc = 0x0
        root = 0x5555559211e0
        __PRETTY_FUNCTION__ = "printJsonConfig"
        modules = 0x555555921220
        succeeded = true
        thres = -1
        item = 0x555555921230
        idx = 0
        max = 1
#5  0x000055555559d6a4 in ffPrintJsonConfig (data=0x7fffffffe2a0, prepare=false) at /home/fuzzer/Fuzzing/fastfetch/fastfetch/src/common/impl/jsonconfig.c:339
        jsonDoc = 0x0
        error = 0x2 <error: Cannot access memory at address 0x2>
#6  0x000055555558d9b1 in run (data=0x7fffffffe2a0) at /home/fuzzer/Fuzzing/fastfetch/fastfetch/src/fastfetch.c:803
        useJsonConfig = true
#7  0x000055555558e3a2 in main (argc=3, argv=0x7fffffffe418) at /home/fuzzer/Fuzzing/fastfetch/fastfetch/src/fastfetch.c:898
        data = {configDoc = 0x5555559211a0, resultDoc = 0x0, structure = {allocated = 0, length = 0, chars = 0x555555860467 ""}, structureDisabled = {allocated = 0, length = 0, 
            chars = 0x555555860467 ""}, genConfigPath = {allocated = 0, length = 0, chars = 0x555555860467 ""}, docType = FF_RESULT_DOC_TYPE_DEFAULT, configLoaded = true}
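To illustrate the confusion the report describes, here is an added example (not fastfetch's or yyjson's code) that models a tagged JSON value with an unchecked getter beside a checked one: the number 188762923383486 from the configuration above comes back from the unchecked path as the pointer 0xabadcafebabe, while a hardened setter refuses it before anything reaches strlen. The value layout, the getter names and `set_temp_sensor` are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a tagged JSON value (not yyjson's real layout): a type
 * tag plus one union that number and string payloads share. */
typedef enum { JV_NUM = 1, JV_STR = 2 } jv_type;
typedef struct {
    jv_type type;
    union { uint64_t num; const char *str; } uni;
} jv_val;

/* Unchecked accessor in the style of an unsafe_* getter: it returns whatever
 * bytes sit in the union, so a number comes back as a "string pointer". */
static const char *unsafe_get_str(const jv_val *v) { return v->uni.str; }
/* Checked accessor: hands back a pointer only when the tag says string. */
static const char *safe_get_str(const jv_val *v) {
    return v->type == JV_STR ? v->uni.str : NULL;
}

/* Hardened setter: refuse non-strings instead of passing a bogus pointer to strlen. */
static int set_temp_sensor(char *dst, size_t dstlen, const jv_val *v) {
    const char *s = safe_get_str(v);
    if (!s) return -1;                 /* type mismatch: report it, never dereference */
    size_t n = strlen(s) + 1;
    if (n > dstlen) return -1;         /* would not fit, including the terminator */
    memcpy(dst, s, n);
    return 0;
}

/* The report's value 188762923383486 == 0xabadcafebabe, read through the unchecked getter: a number becomes a pointer (never dereferenced here). */
static uintptr_t confused_pointer_value(void) {
    jv_val v = { .type = JV_NUM, .uni.num = 188762923383486ULL };
    return (uintptr_t)unsafe_get_str(&v);
}

/* 1 if the hardened path rejects the numeric config value, 0 otherwise. */
static int number_is_rejected(void) {
    jv_val v = { .type = JV_NUM, .uni.num = 188762923383486ULL };
    char buf[32];
    return set_temp_sensor(buf, sizeof buf, &v) != 0;
}

int main(void) {
    jv_val s = { .type = JV_STR, .uni.str = "coretemp" };
    char buf[32] = "";
    printf("unchecked read of a number yields pointer 0x%llx\n", (unsigned long long)confused_pointer_value());
    printf("number rejected: %d, string accepted: %d (%s)\n", number_is_rejected(), set_temp_sensor(buf, sizeof buf, &s) == 0, buf);
    return 0;
}
```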
