
heap-buffer-overflow in jq1.7 at decNumber.c #2976

Closed
3iang opened this issue Dec 11, 2023 · 3 comments

Comments

@3iang

3iang commented Dec 11, 2023

Parsing a very small number can trigger a heap overflow in jq 1.7:

echo "-2645e-1141622225" | ./jq

It can be reproduced by compiling with ASan enabled.

=================================================================
==60947==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e0c2 at pc 0x559017f6886b bp 0x7fff75fa12c0 sp 0x7fff75fa12b8
WRITE of size 1 at 0x60300000e0c2 thread T0
    #0 0x559017f6886a in decToString /src/json/jq-1.7/src/decNumber/decNumber.c:3764:5
    #1 0x559017f61187 in decNumberToString /src/json/jq-1.7/src/decNumber/decNumber.c:449:3
    #2 0x559017e70f20 in jvp_literal_number_literal /src/json/jq-1.7/src/jv.c:653:5
    #3 0x559017e70f20 in jv_number_get_literal /src/json/jq-1.7/src/jv.c:668:12
    #4 0x559017f3a33b in jv_dump_term /src/json/jq-1.7/src/jv_print.c:231:35
    #5 0x559017f3fd9c in jv_dumpf /src/json/jq-1.7/src/jv_print.c:368:3
    #6 0x559017f3fd9c in jv_dump /src/json/jq-1.7/src/jv_print.c:372:3
    #7 0x559017e291d7 in process /src/json/jq-1.7/src/main.c:223:7
    #8 0x559017e25b5c in main /src/json/jq-1.7/src/main.c:749:15
    #9 0x7fe3c064dd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #10 0x7fe3c064de3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #11 0x559017d5b854 in _start (/src/json/temp/jq+0x63854) (BuildId: b61e752b065362e820b259d049f0cc5aafacbed5)

0x60300000e0c2 is located 0 bytes to the right of 18-byte region [0x60300000e0b0,0x60300000e0c2)
allocated by thread T0 here:
    #0 0x559017dde69e in __interceptor_malloc (/src/json/temp/jq+0xe669e) (BuildId: b61e752b065362e820b259d049f0cc5aafacbed5)
    #1 0x559017ea1f32 in jv_mem_alloc /src/json/jq-1.7/src/jv_alloc.c:141:13
    #2 0x559017f3fd9c in jv_dumpf /src/json/jq-1.7/src/jv_print.c:368:3
    #3 0x559017f3fd9c in jv_dump /src/json/jq-1.7/src/jv_print.c:372:3

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/json/jq-1.7/src/decNumber/decNumber.c:3764:5 in decToString
==60947==ABORTING
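The sizing gap behind this trace, as an added example in C (not jq's or decNumber's code): it assumes the literal buffer was sized with a fixed allowance of digits + 14, which covers sign, '.', 'E', exponent sign, up to nine exponent digits and the NUL, while the reproducer's adjusted exponent has ten digits, so the formatted string needs one byte more than the 18-byte region ASan reports. The buffer-size rule below is computed from the actual exponent instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of decimal digits in a non-negative magnitude. */
static size_t digit_count(uint64_t v) {
  size_t n = 1;
  while (v >= 10) { v /= 10; n++; }
  return n;
}

/* Scientific-notation exponent for a coefficient of `digits` digits
   scaled by 10^exponent: d.ddd x 10^(exponent + digits - 1). */
int64_t adjusted_exp(int64_t exponent, size_t digits) {
  return exponent + (int64_t)digits - 1;
}

/* Assumed fixed allowance: digits + 14 (only room for a 9-digit exponent). */
size_t fixed_rule_size(size_t digits) { return digits + 14; }

/* Exact worst case, including NUL: "-d.dddE-eeeeeeeeee". */
size_t sci_buf_size(size_t digits, int64_t adj) {
  uint64_t mag = adj < 0 ? (uint64_t)(-adj) : (uint64_t)adj;
  return 1 + digits + 1 + 1 + 1 + digit_count(mag) + 1;
}

/* Format like snprintf: returns the length the full string would need. */
int format_sci(char *buf, size_t cap, int neg, const char *coef, int64_t adj) {
  const char *sign = neg ? "-" : "";
  if (strlen(coef) == 1)
    return snprintf(buf, cap, "%s%sE%+lld", sign, coef, (long long)adj);
  return snprintf(buf, cap, "%s%c.%sE%+lld", sign, coef[0], coef + 1, (long long)adj);
}

/* Size the buffer from the value itself; NULL if formatting would not fit. */
char *format_sci_alloc(int neg, const char *coef, int64_t adj) {
  size_t cap = sci_buf_size(strlen(coef), adj);
  char *buf = malloc(cap);
  if (!buf) return NULL;
  int n = format_sci(buf, cap, neg, coef, adj);
  if (n < 0 || (size_t)n >= cap) { free(buf); return NULL; }
  return buf;
}

int main(void) {
  /* Constructed from the reproducer: -2645e-1141622225 has 4 digits. */
  int64_t adj = adjusted_exp(-1141622225LL, 4);
  char *s = format_sci_alloc(1, "2645", adj);
  size_t need = strlen(s) + 1, fixed = fixed_rule_size(4);
  printf("%s needs %zu bytes, fixed rule allots %zu: %s\n", s, need, fixed,
         need > fixed ? "one-byte heap overflow" : "fits");
  free(s);
  return 0;
}
```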
@wader
Member

wader commented Dec 11, 2023

@emanuele6 dup of GHSA-4rf8-j6pg-fhmf?

@emanuele6
Member

yes, public dup of a security report that already had a security report dup, and was also reported by OSS-fuzz; oh well. =)

emanuele6 closed this as not planned (duplicate) Dec 11, 2023
emanuele6 added the bug label Dec 11, 2023
@emanuele6
Member

We have had the fix ready for a while, it will land on the next release!
