From: Nicolas Owens <mischief@offblast.org>
To: 9front@9front.org
Subject: out of bounds memory access in libjson parser
Date: Tue, 26 Apr 2016 18:24:49 -0700 [thread overview]
Message-ID: <572014E1.9000007@offblast.org> (raw)
Using klee (https://klee.github.io) I found an out of bounds memory
access in libjson. A simple case to reproduce is below.

Correct behavior would be for jsonparse to return nil when the input
isn't valid utf8, and for the assert to trigger.

The problem is at /sys/src/libjson/json.c:105, where input is not
validated before calling runetochar(2), and runetochar overwrites the
memory at the input pointer at /sys/src/libc/port/rune.c:141.
#include <u.h>
#include <libc.h>
#include <pool.h>
#include <json.h>

/* not valid utf8: 0x80 is a bare continuation byte, 0xc0 an invalid lead byte */
char *test = "{\x80\xc0 \x00 }\x00";

void
main(int argc, char *argv[])
{
	ARGBEGIN{
	}ARGEND

	/* turn on the extra consistency checks of pool(2) so the overrun is caught */
	mainmem->flags |= POOL_PARANOIA;
	JSON *p = jsonparse(test);
	assert(p);	/* should fire: jsonparse ought to return nil here */
	jsonfree(p);
	exits(nil);
}
cpu% 6c -FTVw json_oob.c
cpu% 6l -o json_oob json_oob.6
cpu% ./json_oob
mem user overflow
pool sbrkmem block 401b38
hdr 0a110c09 00000040 002081a8 00000000 efbdbfef faf0bdbf
tail cafebabe ffffffff 00000000 00000000 00000000 00000000 | ef3300be
00000040
user data 00 00 00 ef bf bd ef bf | bd f0 fa fe ba fe ca ff
panic: pool panic
json_oob 2447: suicide: sys: trap: fault read addr=0x0 pc=0x202582
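An added example, not code from the report or from libjson: a portable C sketch, with its own stand-ins for Rune, Runeerror, UTFmax, chartorune and runetochar (assumptions so it builds outside Plan 9), of why decoding unchecked bytes and re-encoding the rune back into the input buffer overruns it, and of the validation pass a parser should make first. Each malformed byte is consumed as one byte but decodes to Runeerror (U+FFFD), which re-encodes as the three bytes EF BF BD, the pattern visible in the dumped user data above; writing three bytes where one was read pushes the string past its allocation. The inputs in main() are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-ins for Plan 9's Rune, Runeerror and UTFmax
 * (assumptions for this example, not libc's own definitions). */
typedef unsigned int Rune;
enum { Runeerror = 0xFFFD, UTFmax = 4 };

/* Decode one UTF-8 sequence at s (NUL-terminated). Returns bytes consumed
 * and stores the rune in *r. On a malformed or truncated sequence it does
 * what chartorune(2) does: consumes one byte, yields Runeerror, and here
 * additionally clears *valid so a caller can reject the input. */
static int
decode(const unsigned char *s, Rune *r, int *valid)
{
	unsigned c = s[0];
	int n, i;
	Rune v;

	*valid = 1;
	if (c < 0x80) { *r = c; return 1; }
	if (c >= 0xC2 && c <= 0xDF) { n = 2; v = c & 0x1F; }
	else if (c >= 0xE0 && c <= 0xEF) { n = 3; v = c & 0x0F; }
	else if (c >= 0xF0 && c <= 0xF4) { n = 4; v = c & 0x07; }
	else goto bad;			/* bare continuation byte or bad lead byte */
	for (i = 1; i < n; i++) {
		if ((s[i] & 0xC0) != 0x80)
			goto bad;		/* truncated sequence (a NUL stops here too) */
		v = (v << 6) | (s[i] & 0x3F);
	}
	/* reject overlong forms, surrogates and values past U+10FFFF */
	if ((n == 3 && (v < 0x800 || (v >= 0xD800 && v <= 0xDFFF))) ||
	    (n == 4 && (v < 0x10000 || v > 0x10FFFF)))
		goto bad;
	*r = v;
	return n;
bad:
	*valid = 0;
	*r = Runeerror;
	return 1;
}

/* Encode r into buf (at least UTFmax bytes); returns bytes written.
 * Runeerror comes out as EF BF BD, three bytes. */
static int
encode(Rune r, unsigned char *buf)
{
	if (r < 0x80) { buf[0] = r; return 1; }
	if (r < 0x800) { buf[0] = 0xC0 | (r >> 6); buf[1] = 0x80 | (r & 0x3F); return 2; }
	if (r < 0x10000) {
		buf[0] = 0xE0 | (r >> 12); buf[1] = 0x80 | ((r >> 6) & 0x3F);
		buf[2] = 0x80 | (r & 0x3F); return 3;
	}
	buf[0] = 0xF0 | (r >> 18); buf[1] = 0x80 | ((r >> 12) & 0x3F);
	buf[2] = 0x80 | ((r >> 6) & 0x3F); buf[3] = 0x80 | (r & 0x3F); return 4;
}

/* How many bytes past strlen(s) an unchecked decode-then-reencode-in-place
 * pass would write: every invalid byte is read as 1 byte and written back
 * as 3. Returns 0 for well-formed input, where the round trip is lossless. */
size_t
inplace_growth(const char *s)
{
	const unsigned char *p = (const unsigned char *)s;
	size_t in = 0, out = 0;
	unsigned char tmp[UTFmax];
	Rune r;
	int valid;

	while (*p) {
		int n = decode(p, &r, &valid);
		in += n;
		out += encode(r, tmp);
		p += n;
	}
	return out > in ? out - in : 0;
}

/* The check to run before touching the bytes: walk the string with the
 * decoder and fail on the first malformed sequence. Returns 1 for valid
 * UTF-8, 0 otherwise (where a parser would return nil). */
int
utf8_valid(const char *s)
{
	const unsigned char *p = (const unsigned char *)s;
	Rune r;
	int valid;

	while (*p) {
		p += decode(p, &r, &valid);
		if (!valid)
			return 0;
	}
	return 1;
}

int
main(void)
{
	/* constructed inputs: the report's string up to its first NUL, and a valid one */
	const char *bad = "{\x80\xc0 \x00 }";
	const char *good = "{\"k\": \"\xc3\xa9\"}";

	printf("bad:  valid=%d growth=%zu\n", utf8_valid(bad), inplace_growth(bad));
	printf("good: valid=%d growth=%zu\n", utf8_valid(good), inplace_growth(good));
	return 0;
}
```

For the report's input the two invalid bytes each grow by two, so the re-encoded string needs four bytes more than the buffer holds; a parser that runs utf8_valid() first never reaches that write.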