9front - general discussion about 9front
* out of bounds memory access in libjson parser
@ 2016-04-27  1:24 Nicolas Owens
From: Nicolas Owens @ 2016-04-27  1:24 UTC (permalink / raw)
  To: 9front

using klee (https://klee.github.io) i found an out of bounds memory
access in libjson. a simple case to reproduce is below.

correct behavior would be for jsonparse to return nil when the input
isn't valid utf8, and for the assert to trigger.

the problem is at /sys/src/libjson/json.c:105, where input is not
validated before calling runetochar(2), and runetochar overwrites the
memory at the input pointer at /sys/src/libc/port/rune.c:141.

#include <u.h>
#include <libc.h>
#include <pool.h>
#include <json.h>

/* bytes 0x80 and 0xc0 are not a valid utf8 sequence */
char *test = "{\x80\xc0 \x00 }\x00";

void
main(int argc, char *argv[])
{
	ARGBEGIN{
	}ARGEND

	/* make the allocator check block headers so the overwrite is caught */
	mainmem->flags |= POOL_PARANOIA;
	JSON *p = jsonparse(test);
	assert(p);
	jsonfree(p);
	exits(nil);
}

cpu% 6c -FTVw json_oob.c
cpu% 6l -o json_oob json_oob.6
cpu% ./json_oob
mem user overflow
pool sbrkmem block 401b38
hdr 0a110c09 00000040 002081a8 00000000 efbdbfef faf0bdbf
tail cafebabe ffffffff 00000000 00000000 00000000 00000000 | ef3300be
00000040
user data 00 00 00 ef  bf bd ef bf | bd f0 fa fe  ba fe ca ff
panic: pool panic
json_oob 2447: suicide: sys: trap: fault read addr=0x0 pc=0x202582
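The report above says the fix is to validate the input before re-encoding it with runetochar. The following is an added example (not from this mail, and not the libjson or Plan 9 libc code) of what that check looks like in portable C: a decoder that refuses stray continuation bytes, truncated sequences, overlongs and surrogates, a whole-string validator, and an encoder that only writes when the destination has room. The function names `utf8_decode`, `utf8_valid` and `utf8_encode` are this example's own; the inputs are constructed, and the first mirrors the bytes from the test string in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode one UTF-8 sequence from the first n bytes of s.
 * Returns the number of bytes consumed and stores the code point in *out.
 * Returns 0 (writing nothing) for a malformed or truncated sequence. */
size_t utf8_decode(const unsigned char *s, size_t n, uint32_t *out)
{
    size_t len, i;
    uint32_t cp, min;
    unsigned char c;

    if (n == 0)
        return 0;
    c = s[0];
    if (c < 0x80)               { len = 1; cp = c;        min = 0; }
    else if ((c & 0xE0) == 0xC0) { len = 2; cp = c & 0x1F; min = 0x80; }
    else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; min = 0x800; }
    else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; min = 0x10000; }
    else
        return 0;               /* stray continuation byte or 0xF8..0xFF */
    if (n < len)
        return 0;               /* sequence runs past the end of the input */
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return 0;           /* expected 10xxxxxx continuation byte */
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (cp < min)
        return 0;               /* overlong encoding */
    if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
        return 0;               /* out of range or surrogate */
    *out = cp;
    return len;
}

/* Return 1 if the whole NUL-terminated string is well-formed UTF-8, else 0.
 * A parser would run this (or decode as it goes) before any re-encoding. */
int utf8_valid(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t n = strlen(s);
    uint32_t cp;

    while (n > 0) {
        size_t k = utf8_decode(p, n, &cp);
        if (k == 0)
            return 0;
        p += k;
        n -= k;
    }
    return 1;
}

/* Encode cp into dst, which has cap bytes of room.
 * Returns the number of bytes written, or 0 if cp is invalid or cap is too
 * small; in the failure case nothing is written. */
size_t utf8_encode(uint32_t cp, unsigned char *dst, size_t cap)
{
    size_t len = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;

    if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF) || cap < len)
        return 0;
    switch (len) {
    case 1:
        dst[0] = (unsigned char)cp;
        break;
    case 2:
        dst[0] = 0xC0 | (cp >> 6);
        dst[1] = 0x80 | (cp & 0x3F);
        break;
    case 3:
        dst[0] = 0xE0 | (cp >> 12);
        dst[1] = 0x80 | ((cp >> 6) & 0x3F);
        dst[2] = 0x80 | (cp & 0x3F);
        break;
    default:
        dst[0] = 0xF0 | (cp >> 18);
        dst[1] = 0x80 | ((cp >> 12) & 0x3F);
        dst[2] = 0x80 | ((cp >> 6) & 0x3F);
        dst[3] = 0x80 | (cp & 0x3F);
        break;
    }
    return len;
}
```

With these, a string such as the report's "{\x80\xc0 " is rejected at the first stray byte, so the parser can return nil instead of handing a bad rune to the encoder; and because the encoder takes an explicit capacity, it cannot write past a buffer the way the report describes runetochar doing at the input pointer.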

