
Prevent out of boundary write on malicious input #592

Merged
merged 3 commits into from May 7, 2020

Conversation

stoeckmann (Contributor)

I have discovered a way to trigger an out of boundary write while parsing a huge json file through a malicious input source. It can be triggered if an attacker has control over the input stream or if a huge load during filesystem operations can be triggered.

Preparation:
$ dd if=/dev/zero of=poc.json bs=1 count=1 seek=2147483647

Code to exploit:

#include <json-c/json_util.h>
#include <unistd.h>

/* Minimal harness: parse whatever arrives on stdin with json-c's
 * fd reader. The parsed object is not used; the parse itself is
 * what drives printbuf_memappend with attacker-controlled lengths. */
int main(void) {
  json_object_from_fd(STDIN_FILENO);
  return 0;
}

Proof of Concept:
(dd if=poc.json bs=4096; sleep 1; dd if=test.json bs=10) 2>/dev/null | ./test

Explanation:
The problem manifests itself in printbuf_memappend. On properly crafted values, p->bpos + size + 1 can overflow, which leads to the assumption that p->size is still large enough. In normal circumstances, this does not happen with json_object_from_fd due to its buffer size leading to proper detection. But if the parsed buffer chunk length is not a power of 2 (sleep 1 and bs=10 triggers this in my proof of concept), this overflow can be abused by an attacker to write past the memory boundary of p->buf.

My example simply crashes the program eventually. A proper attack can be controlled in a way to not crash the system but simply write a few attacker controlled bytes outside the allocated area, allowing more sophisticated attacks against real world programs.
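An added illustration of the check the report describes, written for this page and not taken from the report or from json-c itself: a stripped-down printbuf whose pre-fix length test emulates the wrapped `p->bpos + size + 1`, beside a hardened append that rejects the overflow before the sum is ever formed. The struct and function names (`pb`, `pb_grow_needed_unchecked`, `pb_append_overflows`, `pb_memappend_safe`) are assumptions for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy version of the printbuf layout the report discusses: a heap buffer,
 * the current write position and the allocated size, all tracked as int.
 * Names are illustrative, not json-c's. */
struct pb {
    char *buf;
    int bpos;
    int size;
};

/* Emulates the pre-fix test `p->size <= p->bpos + size + 1`. The sum is
 * formed in unsigned arithmetic and converted back so this demo has no
 * undefined behaviour of its own; on the gcc/i686/amd64 targets the report
 * names, the signed addition wraps the same way. Returns true if the buffer
 * would be grown, false if the caller would memcpy into it as-is. */
bool pb_grow_needed_unchecked(int bufsize, int bpos, int size)
{
    int needed = (int)((unsigned)bpos + (unsigned)size + 1u);
    return bufsize <= needed;
}

/* Hardened check: refuse any append whose bpos + size + 1 cannot be
 * represented as int, decided without ever forming the sum. */
bool pb_append_overflows(int bpos, int size)
{
    return bpos < 0 || size < 0 || size > INT_MAX - bpos - 1;
}

/* Append with the overflow guard in front of the growth check. Returns the
 * number of bytes appended, or -1 on overflow / allocation failure. */
int pb_memappend_safe(struct pb *p, const char *data, int size)
{
    if (pb_append_overflows(p->bpos, size))
        return -1;
    int needed = p->bpos + size + 1;          /* guaranteed not to overflow */
    if (p->size < needed) {
        /* Grow geometrically but saturate at INT_MAX instead of wrapping. */
        int newsize = p->size > INT_MAX / 2 ? INT_MAX : p->size * 2;
        if (newsize < needed)
            newsize = needed;
        char *nb = realloc(p->buf, (size_t)newsize);
        if (nb == NULL)
            return -1;
        p->buf = nb;
        p->size = newsize;
    }
    memcpy(p->buf + p->bpos, data, (size_t)size);
    p->bpos += size;
    p->buf[p->bpos] = '\0';
    return size;
}

int main(void)
{
    /* Position and length chosen so bpos + size + 1 exceeds INT_MAX. */
    int bpos = INT_MAX - 2, size = 10;
    printf("unchecked test says grow: %s\n",
           pb_grow_needed_unchecked(INT_MAX, bpos, size) ? "yes" : "no (bug)");
    printf("hardened test rejects:    %s\n",
           pb_append_overflows(bpos, size) ? "yes" : "no");

    struct pb p = { NULL, 0, 0 };
    pb_memappend_safe(&p, "hello", 5);
    pb_memappend_safe(&p, " world", 6);
    printf("safe append: \"%s\" (bpos=%d size=%d)\n", p.buf, p.bpos, p.size);
    printf("oversized append returns %d\n", pb_memappend_safe(&p, "x", INT_MAX));
    free(p.buf);
    return 0;
}
```

The unchecked variant returns "no" for the crafted values because the wrapped sum is negative, so the original would skip the grow and memcpy past the end of `buf`; the hardened variant rejects the same values without touching memory.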

@coveralls commented May 2, 2020

Coverage decreased (-0.2%) to 85.768% when pulling d07b910 on stoeckmann:oob into 8e3d3d5 on json-c:master.

If the assignment of stop overflows due to idx and count being
larger than SIZE_T_MAX in sum, out of boundary access could happen.

It takes invalid usage of this function for this to happen, but
I decided to add this check so array_list_del_idx is as safe against
bad usage as the other arraylist functions.

If a linkhash with a size of zero is created, then modulo operations
are prone to division by zero operations.

Purely protective measure against bad usage.

The data structures linkhash and printbuf are limited to 2 GB in size
due to a signed integer being used to track their current size.

If too much data is added, then the size variable can overflow, which is
undefined behaviour in the C programming language.

Assuming that a signed int overflow just leads to a negative value,
like it happens on many systems (Linux i686/amd64 with gcc), then
printbuf is vulnerable to an out of boundary write on 64 bit systems.
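An added illustration of the array_list_del_idx guard the first of the commit messages above describes, written for this page and not json-c's own code: a toy array list whose delete-range function checks `idx > SIZE_MAX - count` before computing `stop`, next to the unguarded sum showing how it wraps. The names (`alist`, `alist_stop_unchecked`, `alist_del_idx`) are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy array list: a vector of pointers plus the number of used slots.
 * Names are illustrative, not json-c's. */
struct alist {
    void **array;
    size_t length;
};

/* The value `stop` takes in an unguarded `stop = idx + count`. Unsigned
 * addition wraps modulo 2^N, so an oversized count can push stop below
 * idx and straight past a later `stop > length` bounds test. */
size_t alist_stop_unchecked(size_t idx, size_t count)
{
    return idx + count;
}

/* Delete `count` entries starting at `idx`. Returns 0 on success, -1 when
 * the range is out of bounds or idx + count would wrap size_t. */
int alist_del_idx(struct alist *al, size_t idx, size_t count)
{
    if (idx > SIZE_MAX - count)          /* guard, evaluated without the sum */
        return -1;
    size_t stop = idx + count;
    if (idx >= al->length || stop > al->length)
        return -1;
    /* Shift the tail down over the deleted range (no-op if stop == length). */
    memmove(&al->array[idx], &al->array[stop],
            (al->length - stop) * sizeof(al->array[0]));
    al->length -= count;
    return 0;
}

int main(void)
{
    /* Constructed sample: five slots pointing at the integers 0..4. */
    int v[5] = { 0, 1, 2, 3, 4 };
    void *slots[5] = { &v[0], &v[1], &v[2], &v[3], &v[4] };
    struct alist al = { slots, 5 };

    printf("stop for idx=1,count=SIZE_MAX: %zu\n", alist_stop_unchecked(1, SIZE_MAX));
    printf("del_idx(1, SIZE_MAX) -> %d\n", alist_del_idx(&al, 1, SIZE_MAX));
    int rc = alist_del_idx(&al, 1, 2);
    printf("del_idx(1, 2) -> %d, length now %zu\n", rc, al.length);
    for (size_t i = 0; i < al.length; i++)
        printf("  [%zu] = %d\n", i, *(int *)al.array[i]);
    return 0;
}
```

Without the guard, `stop` for idx=1 and count=SIZE_MAX is 0, which passes `stop > length`, and the memmove would then copy `length` pointers starting from slot 0 into slot 1, one past the end of the array.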
@hawicz (Member) commented May 7, 2020

The changes look good, thanks!

@hawicz hawicz merged commit 31243e4 into json-c:master May 7, 2020
robimarko added a commit to sartura/openwrt that referenced this pull request May 12, 2020
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patched in this upstream PR: json-c/json-c#592

Addresses CVE-2020-12762

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.h>
jow- pushed a commit to openwrt/openwrt that referenced this pull request May 13, 2020
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patched in this upstream PR: json-c/json-c#592

Addresses CVE-2020-12762

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
aiamadeus pushed a commit to immortalwrt/immortalwrt that referenced this pull request May 13, 2020
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patched in this upstream PR: json-c/json-c#592

Addresses CVE-2020-12762

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
jow- pushed a commit to openwrt/openwrt that referenced this pull request May 14, 2020
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patched in this upstream PR: json-c/json-c#592

Addresses CVE-2020-12762

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE, rebase patches on top of json-c 0.12]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit bc0288b)
jow- pushed a commit to openwrt/openwrt that referenced this pull request May 17, 2020
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patched in this upstream PR: json-c/json-c#592

Addresses CVE-2020-12762

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE, rebase patches on top of json-c 0.12]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit bc0288b)
jollaman999 pushed a commit to jollaman999/openwrt that referenced this pull request Jul 10, 2020
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patched in this upstream PR: json-c/json-c#592

Addresses CVE-2020-12762

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
lunatickochiya pushed a commit to lunatickochiya/lunatic-lede that referenced this pull request Sep 6, 2020
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patched in this upstream PR: json-c/json-c#592

Addresses CVE-2020-12762

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE, rebase patches on top of json-c 0.12]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit bc0288b)

Conflicts:
	package/libs/libjson-c/Makefile
lunatickochiya pushed a commit to lunatickochiya/lunatic-lede that referenced this pull request Sep 6, 2020
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patched in this upstream PR: json-c/json-c#592

Addresses CVE-2020-12762

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE, rebase patches on top of json-c 0.12]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit bc0288b)

Conflicts:
	package/libs/libjson-c/Makefile

(cherry picked from commit a4c8f1d)
biliwala pushed a commit to biliwala/friendlywrt that referenced this pull request Oct 16, 2020
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patched in this upstream PR: json-c/json-c#592

Addresses CVE-2020-12762

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE, rebase patches on top of json-c 0.12]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit bc0288b)
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/poky that referenced this pull request Nov 10, 2020
Source: poky
MR: 103736
Type: Integration
Disposition: Merged from poky
ChangeID: abe50ba1a3e14191f2418c986781c824293fa523
Description:

CVE-2020-12762-*.patch:
* fix a series of integer overflows adding checks in linkhash.c, printbuf.c,
  test4.c, test4.expected

json-c/json-c#592

Signed-off-by: Milan Shah <mshah@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
ArtelMike pushed a commit to ArtelMike/openwrt-1 that referenced this pull request Jan 31, 2023
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patched in this upstream PR: json-c/json-c#592

Addresses CVE-2020-12762

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE, rebase patches on top of json-c 0.12]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit d071916)
apple-ouyang added a commit to apple-ouyang/libfastjson that referenced this pull request Mar 14, 2023
reference: https://github.com/json-c/json-c/pull/592/files

I reproduced this CVE using the code from json-c/json-c#592

And it fixes it, and there is no more segmentation fault.