9front - general discussion about 9front
From: Nicolas Owens <mischief@offblast.org>
To: 9front@9front.org
Subject: out of bounds memory access in libjson parser
Date: Tue, 26 Apr 2016 18:24:49 -0700
Message-ID: <572014E1.9000007@offblast.org>

Using KLEE (https://klee.github.io) I found an out-of-bounds memory
access in libjson. A simple case to reproduce is below.

Correct behavior would be for jsonparse to return nil when the input
isn't valid UTF-8, and for the assert to trigger.

The problem is at /sys/src/libjson/json.c:105, where input is not
validated before calling runetochar(2), and runetochar overwrites the
memory at the input pointer at /sys/src/libc/port/rune.c:141.

#include <u.h>
#include <libc.h>
#include <pool.h>
#include <json.h>

/* 0x80 and 0xc0 are not valid UTF-8; the embedded \x00 ends the string early */
char *test = "{\x80\xc0 \x00 }\x00";

void
main(int argc, char *argv[])
{
	ARGBEGIN{
	}ARGEND

	mainmem->flags |= POOL_PARANOIA;	/* make the pool allocator check its guard words */
	JSON *p = jsonparse(test);
	assert(p);	/* should fire: jsonparse is expected to return nil on invalid UTF-8 */
	jsonfree(p);
	exits(nil);
}

cpu% 6c -FTVw json_oob.c
cpu% 6l -o json_oob json_oob.6
cpu% ./json_oob
mem user overflow
pool sbrkmem block 401b38
hdr 0a110c09 00000040 002081a8 00000000 efbdbfef faf0bdbf
tail cafebabe ffffffff 00000000 00000000 00000000 00000000 | ef3300be
00000040
user data 00 00 00 ef  bf bd ef bf | bd f0 fa fe  ba fe ca ff
panic: pool panic
json_oob 2447: suicide: sys: trap: fault read addr=0x0 pc=0x202582
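Added example (an editor's demonstration, not libjson's, libc's or the reporter's code): a self-contained C model of the pattern the report describes, so the failure can be reproduced and checked without a Plan 9 system. decode_rune and encode_rune are stand-ins written here for chartorune(2) and runetochar(2); they share the one property that matters, namely that an invalid byte decodes to U+FFFD after consuming a single byte while U+FFFD re-encodes as three bytes (ef bf bd). ARENA, SENTINEL, rewrite_inplace and utf8_valid are this example's own names. rewrite_inplace copies its input into a guard-padded buffer and runs a decode-then-re-encode-at-the-read-position loop over it, returning how many guard bytes get clobbered; with validate set it performs a read-only check first and refuses the input, which is the behaviour the report asks jsonparse to have.

```c
/* Constructed model of the bug pattern in the report, not libjson's or libc's
 * code.  decode_rune/encode_rune stand in for chartorune(2)/runetochar(2):
 * an invalid byte decodes to RUNE_ERROR consuming ONE byte, but RUNE_ERROR
 * re-encodes as THREE bytes (ef bf bd). */
#include <stdint.h>
#include <string.h>

#define RUNE_ERROR	0xFFFDu
#define ARENA		24	/* input + NUL, then SENTINEL bytes (this example's own) */
#define SENTINEL	0xAA

/* Decode one UTF-8 sequence at s; returns bytes consumed.  Safe on any
 * NUL-terminated string: s[i] is read only after s[i-1] was non-NUL. */
static int
decode_rune(uint32_t *r, const unsigned char *s)
{
	unsigned char c = s[0];
	uint32_t v, min;
	int n, i;

	if(c < 0x80){ *r = c; return 1; }
	if(c >= 0xC2 && c <= 0xDF){ n = 2; v = c & 0x1F; min = 0x80; }
	else if(c >= 0xE0 && c <= 0xEF){ n = 3; v = c & 0x0F; min = 0x800; }
	else if(c >= 0xF0 && c <= 0xF4){ n = 4; v = c & 0x07; min = 0x10000; }
	else goto bad;
	for(i = 1; i < n; i++){
		if((s[i] & 0xC0) != 0x80)
			goto bad;	/* short or broken sequence; a NUL stops here too */
		v = (v << 6) | (s[i] & 0x3F);
	}
	if(v < min || (v >= 0xD800 && v <= 0xDFFF) || v > 0x10FFFF)
		goto bad;	/* overlong form, UTF-16 surrogate, or past U+10FFFF */
	*r = v;
	return n;
bad:
	*r = RUNE_ERROR;	/* invalid: one byte consumed, as chartorune does */
	return 1;
}

/* Encode r at s; returns bytes written (1..4). */
static int
encode_rune(unsigned char *s, uint32_t r)
{
	static const unsigned char lead[] = { 0, 0x00, 0xC0, 0xE0, 0xF0 };
	int n = r < 0x80 ? 1 : r < 0x800 ? 2 : r < 0x10000 ? 3 : 4, i;

	for(i = n - 1; i > 0; i--, r >>= 6)
		s[i] = 0x80 | (r & 0x3F);
	s[0] = lead[n] | r;
	return n;
}

/* The check the report asks for: a read-only pass that rejects any invalid
 * sequence before the parser touches the buffer. */
static int
utf8_valid(const char *s)
{
	const unsigned char *p = (const unsigned char *)s;
	uint32_t r;
	int n = 0;

	for(; *p; p += n){
		n = decode_rune(&r, p);
		if(r == RUNE_ERROR && n == 1)
			return 0;
	}
	return 1;
}

/* Copy src into a fixed arena padded with SENTINEL bytes and run the
 * decode-then-reencode-in-place loop over it.  Returns how many sentinel
 * bytes got clobbered (0 = no overflow), -1 if src does not fit, or -2 if
 * validate is set and src was rejected before any write. */
static int
rewrite_inplace(const char *src, int validate)
{
	unsigned char buf[ARENA], *p = buf;
	size_t len = strlen(src), i;
	uint32_t r;
	int n, clobbered = 0;

	if(len + 1 >= ARENA)
		return -1;
	if(validate && !utf8_valid(src))
		return -2;	/* hardened path: reject first, like jsonparse returning nil */
	memset(buf, SENTINEL, sizeof buf);
	memcpy(buf, src, len + 1);
	/* p + 4 <= end is this demo's guard; the real loop has none. */
	while(p + 4 <= buf + ARENA && *p){
		n = decode_rune(&r, p);
		encode_rune(p, r);	/* BUG: writes 3 bytes where only n == 1 was read */
		p += n;			/* and the next read lands inside what was just written */
	}
	for(i = len + 1; i < ARENA; i++)
		if(buf[i] != SENTINEL)
			clobbered++;
	return clobbered;
}
```

On the report's input ("{\x80\xc0 " as a C string, since its embedded \x00 ends it) the unchecked loop clobbers 18 of the 19 guard bytes before the demo's bound stops it; the real loop has no such bound, which is how the write reached the pool's guard words in the trace above. The same call with validate set returns -2 without writing anything, and well-formed input such as "{\"h\xc3\xa9\"}" passes both paths with nothing clobbered. The cascade comes from advancing by what was read (one byte) while having written three: the next read lands on a continuation byte of the freshly written U+FFFD, which is itself invalid, so every step writes three more bytes one position further along.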

