
BasicJsonParser can fail with a timeout or stackoverflow with malformed map JSON #31869

@philwebb

Description

[Environment] ASAN_OPTIONS=check_malloc_usable_size=0:detect_stack_use_after_return=1:fast_unwind_on_fatal=0:handle_sigfpe=2:print_scariness=1:print_summary=1
	+----------------------------------------Release Build Stacktrace----------------------------------------+
	Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_spring-boot_71ef79aa9a370f830c27d84b0234a0a79e9c6a03/revisions/BasicJsonParserFuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-4154e426ab90e9d738789e3074a020dd471ab3b6
	Time ran: 64.91553115844727
	
	OpenJDK 64-Bit Server VM warning: Option CriticalJNINatives was deprecated in version 16.0 and will likely be removed in a future release.
	OpenJDK 64-Bit Server VM warning: Sharing is only supported for boot loader classes because bootstrap classpath has been appended
	INFO: Loaded 118 hooks from com.code_intelligence.jazzer.runtime.TraceCmpHooks
	INFO: Loaded 4 hooks from com.code_intelligence.jazzer.runtime.TraceDivHooks
	INFO: Loaded 2 hooks from com.code_intelligence.jazzer.runtime.TraceIndirHooks
	INFO: Loaded 4 hooks from com.code_intelligence.jazzer.runtime.NativeLibHooks
	INFO: Loaded 8 hooks from com.code_intelligence.jazzer.sanitizers.Deserialization
	INFO: Loaded 3 hooks from com.code_intelligence.jazzer.sanitizers.ExpressionLanguageInjection
	INFO: Loaded 70 hooks from com.code_intelligence.jazzer.sanitizers.LdapInjection
	INFO: Loaded 46 hooks from com.code_intelligence.jazzer.sanitizers.NamingContextLookup
	INFO: Loaded 1 hooks from com.code_intelligence.jazzer.sanitizers.OsCommandInjection
	INFO: Loaded 68 hooks from com.code_intelligence.jazzer.sanitizers.ReflectiveCall
	INFO: Loaded 8 hooks from com.code_intelligence.jazzer.sanitizers.RegexInjection
	INFO: Loaded 16 hooks from com.code_intelligence.jazzer.sanitizers.RegexRoadblocks
	INFO: Loaded 19 hooks from com.code_intelligence.jazzer.sanitizers.SqlInjection
	INFO: Instrumented java.util.regex.Pattern$BnM with custom hooks only (took 18 ms, size +20%)
	INFO: Instrumented java.util.regex.Pattern$BackRef with custom hooks only (took 5 ms, size +34%)
	INFO: Instrumented java.util.regex.Pattern$Branch with custom hooks only (took 10 ms, size +27%)
	INFO: Instrumented java.util.regex.Pattern$BranchConn with custom hooks only (took 2 ms, size +56%)
	INFO: Instrumented java.util.regex.Pattern$BmpCharPropertyGreedy with custom hooks only (took 2 ms, size +31%)
	INFO: Instrumented java.util.regex.Pattern$GroupCurly with custom hooks only (took 8 ms, size +34%)
	INFO: Instrumented java.util.regex.Pattern$Ques with custom hooks only (took 4 ms, size +78%)
	INFO: Instrumented java.util.regex.Pattern$Curly with custom hooks only (took 6 ms, size +50%)
	INFO: Instrumented java.util.regex.Matcher with custom hooks only (took 33 ms, size +4%)
	INFO: Instrumented java.util.regex.Pattern$StartS with custom hooks only (took 2 ms, size +35%)
	INFO: Instrumented java.util.regex.Pattern$Start with custom hooks only (took 2 ms, size +35%)
	INFO: Instrumented java.util.regex.Pattern$First with custom hooks only (took 2 ms, size +52%)
	INFO: Instrumented java.util.regex.Pattern$Slice with custom hooks only (took 1 ms, size +44%)
	INFO: Instrumented java.util.regex.Pattern$CharPropertyGreedy with custom hooks only (took 2 ms, size +22%)
	INFO: Instrumented java.util.regex.Pattern$BmpCharProperty with custom hooks only (took 2 ms, size +35%)
	INFO: Instrumented java.util.regex.Pattern$CharProperty with custom hooks only (took 3 ms, size +33%)
	INFO: Instrumented java.util.regex.Pattern$GroupHead with custom hooks only (took 1 ms, size +49%)
	INFO: Instrumented java.util.regex.Pattern with custom hooks only (took 58 ms, size +2%)
	INFO: Instrumented BasicJsonParserFuzzer (took 15 ms, size +14%)
	INFO: Instrumented org.springframework.boot.json.JsonParseException (took 2 ms, size +16%)
	INFO: libFuzzer ignores flags that start with '--'
	INFO: Running with entropic power schedule (0xFF, 100).
	INFO: Seed: 1965438993
	INFO: Loaded 1 modules   (512 inline 8-bit counters): 512 [0x7f339bcfb010, 0x7f339bcfb210),
	INFO: Loaded 1 PC tables (512 PCs): 512 [0x1d67190,0x1d69190),
	/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_spring-boot_71ef79aa9a370f830c27d84b0234a0a79e9c6a03/revisions/jazzer_driver: Running 1 inputs 100 time(s) each.
	Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-4154e426ab90e9d738789e3074a020dd471ab3b6
	INFO: Instrumented org.springframework.boot.json.BasicJsonParser (took 16 ms, size +25%)
	INFO: Instrumented org.springframework.boot.json.AbstractJsonParser (took 5 ms, size +19%)
	INFO: Instrumented org.springframework.boot.json.JsonParser (took 0 ms, size +0%)
	ALARM: working on the last Unit for 61 seconds
	       and the timeout value is 60 (use -timeout=N to change)
	==10088== ERROR: libFuzzer: timeout after 61 seconds
	
	Stack traces of all JVM threads:
	
	Thread[Finalizer,8,system]
	 at java.base@17.0.3/java.lang.Object.wait(Native Method)
	 at java.base@17.0.3/java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:155)
	 at java.base@17.0.3/java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:176)
	 at java.base@17.0.3/java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:172)
	
	Thread[Notification Thread,9,system]
	
	Thread[Signal Dispatcher,9,system]
	
	Thread[Reference Handler,10,system]
	 at java.base@17.0.3/java.lang.ref.Reference.waitForReferencePendingList(Native Method)
	 at java.base@17.0.3/java.lang.ref.Reference.processPendingReferences(Reference.java:253)
	 at java.base@17.0.3/java.lang.ref.Reference$ReferenceHandler.run(Reference.java:215)
	
	Thread[main,5,main]
	 at com.code_intelligence.jazzer.runtime.TraceDataFlowNativeCallbacks.traceCmpInt(Native Method)
	 at com.code_intelligence.jazzer.runtime.TraceDataFlowNativeCallbacks.traceCmpInt(TraceDataFlowNativeCallbacks.java:47)
	 at app//org.springframework.boot.json.BasicJsonParser.tokenize(BasicJsonParser.java:118)
	 at app//org.springframework.boot.json.BasicJsonParser.parseListInternal(BasicJsonParser.java:53)
	 at app//org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:61)
	 at app//org.springframework.boot.json.BasicJsonParser.parseListInternal(BasicJsonParser.java:54)
	 at app//org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:61)
	 at app//org.springframework.boot.json.BasicJsonParser.parseListInternal(BasicJsonParser.java:54)
	 at app//org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:61)
	 at app//org.springframework.boot.json.BasicJsonParser.parseListInternal(BasicJsonParser.java:54)

(...)

	 at app//org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:61)
	 at app//org.springframework.boot.json.BasicJsonParser.parseListInternal(BasicJsonParser.java:54)
	 at app//org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:61)
	 at app//org.springframework.boot.json.BasicJsonParser.parseListInternal(BasicJsonParser.java:54)
	 at app//org.springframework.boot.json.BasicJsonParser$$Lambda$59/0x0000000800c84228.apply(Unknown Source)
	 at app//org.springframework.boot.json.AbstractJsonParser.trimParse(AbstractJsonParser.java:46)
	 at app//org.springframework.boot.json.AbstractJsonParser.parseList(AbstractJsonParser.java:40)
	 at app//org.springframework.boot.json.BasicJsonParser.lambda$parseList$1(BasicJsonParser.java:47)
	 at app//org.springframework.boot.json.BasicJsonParser$$Lambda$58/0x0000000800c84000.call(Unknown Source)
	 at app//org.springframework.boot.json.AbstractJsonParser.tryParse(AbstractJsonParser.java:53)
	 at app//org.springframework.boot.json.BasicJsonParser.parseList(BasicJsonParser.java:47)
	 at app//BasicJsonParserFuzzer.fuzzerTestOneInput(BasicJsonParserFuzzer.java:11)
	
	Thread[Common-Cleaner,8,InnocuousThreadGroup]
	 at java.base@17.0.3/java.lang.Object.wait(Native Method)
	 at java.base@17.0.3/java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:155)
	 at java.base@17.0.3/jdk.internal.ref.CleanerImpl.run(CleanerImpl.java:140)
	 at java.base@17.0.3/java.lang.Thread.run(Thread.java:833)
	 at java.base@17.0.3/jdk.internal.misc.InnocuousThread.run(InnocuousThread.java:162)
	
	Garbage collector stats:
	
	PS MarkSweep: 6 collections took 473ms
	PS Scavenge: 18 collections took 626ms
	
	SUMMARY: libFuzzer: timeout
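The main-thread stack above is a long alternation of `parseInternal` and `parseListInternal`, which is what an unbounded recursive descent looks like on malformed input with many unclosed `[` or `{` characters: the parser either exhausts the JVM stack (`StackOverflowError`) or, under the fuzzer's 60-second budget, times out first. The usual mitigation is a nesting-depth counter threaded through the recursion so that over-deep input fails fast with a clear parse error. The following is an added illustration of that guard in a minimal recursive-descent parser; it is hypothetical code written for this page, not Spring Boot's `BasicJsonParser`, and the `MAX_DEPTH` value of 512 is an assumed limit, not one the project uses. It handles only arrays, objects, quoted strings without escapes, and bare scalars, which is enough to show the technique.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical depth-bounded JSON parser (not Spring Boot's BasicJsonParser). */
public class DepthBoundedJsonParser {

    /** Assumed nesting limit; deeper input is rejected before the stack is at risk. */
    public static final int MAX_DEPTH = 512;

    public static class TooDeepException extends IllegalArgumentException {
        public TooDeepException(int limit) {
            super("JSON nesting deeper than " + limit + " levels rejected");
        }
    }

    private final String text;
    private int pos = 0;

    private DepthBoundedJsonParser(String text) { this.text = text; }

    /** Parses the whole input; returns a List, a Map or a String scalar. */
    public static Object parse(String json) {
        DepthBoundedJsonParser p = new DepthBoundedJsonParser(json);
        Object value = p.parseValue(0);
        p.skipWhitespace();
        if (p.pos != json.length()) {
            throw new IllegalArgumentException("Trailing data at offset " + p.pos);
        }
        return value;
    }

    private Object parseValue(int depth) {
        // The guard: every recursive call passes depth + 1, so a run of unclosed
        // '[' or '{' fails here with a clear error long before a StackOverflowError.
        if (depth > MAX_DEPTH) throw new TooDeepException(MAX_DEPTH);
        skipWhitespace();
        char c = peek();
        if (c == '[') return parseList(depth);
        if (c == '{') return parseMap(depth);
        return parseScalar();
    }

    private List<Object> parseList(int depth) {
        pos++; // consume '['
        List<Object> list = new ArrayList<>();
        skipWhitespace();
        if (peek() == ']') { pos++; return list; }
        while (true) {
            list.add(parseValue(depth + 1));
            skipWhitespace();
            char c = next();
            if (c == ']') return list;
            if (c != ',') throw new IllegalArgumentException("Expected ',' or ']' at offset " + (pos - 1));
        }
    }

    private Map<String, Object> parseMap(int depth) {
        pos++; // consume '{'
        Map<String, Object> map = new LinkedHashMap<>();
        skipWhitespace();
        if (peek() == '}') { pos++; return map; }
        while (true) {
            skipWhitespace();
            String key = parseScalar();
            skipWhitespace();
            if (next() != ':') throw new IllegalArgumentException("Expected ':' at offset " + (pos - 1));
            map.put(key, parseValue(depth + 1));
            skipWhitespace();
            char c = next();
            if (c == '}') return map;
            if (c != ',') throw new IllegalArgumentException("Expected ',' or '}' at offset " + (pos - 1));
        }
    }

    /** Quoted strings (no escape handling) or bare tokens up to the next structural character. */
    private String parseScalar() {
        int start = pos;
        if (peek() == '"') {
            int end = text.indexOf('"', pos + 1);
            if (end < 0) throw new IllegalArgumentException("Unterminated string at offset " + start);
            pos = end + 1;
            return text.substring(start + 1, end);
        }
        while (pos < text.length() && "[]{},:".indexOf(text.charAt(pos)) < 0
                && !Character.isWhitespace(text.charAt(pos))) {
            pos++;
        }
        if (start == pos) throw new IllegalArgumentException("Expected a value at offset " + pos);
        return text.substring(start, pos);
    }

    private char peek() {
        if (pos >= text.length()) throw new IllegalArgumentException("Unexpected end of input");
        return text.charAt(pos);
    }

    private char next() { char c = peek(); pos++; return c; }

    private void skipWhitespace() {
        while (pos < text.length() && Character.isWhitespace(text.charAt(pos))) pos++;
    }

    public static void main(String[] args) {
        System.out.println(parse("{\"a\": [1, 2, {\"b\": []}]}"));
        // Constructed malformed input: 100000 unclosed '[' characters.
        try {
            parse("[".repeat(100_000));
        } catch (TooDeepException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

The depth parameter is passed explicitly rather than kept in a field so that the limit is checked on exactly the path that recurses; the same guard applies to a parser structured like the one in the stack trace, where `parseInternal` and `parseListInternal` (or the map equivalent) call each other and a counter incremented on each descent bounds the total frame count.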
