-
-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stack overflow (50083) found by OSS-Fuzz #387
Comments
so basically FasterXML/jackson-databind#3397 but for toml? fun... |
Right. I have been thinking of adding low-level maximum nesting limits via Short-term thing here would be just to keep nesting counter and impose some upper limit (possibly configurable via |
@yawkat Yes and no: that one is for databind, this is in format parser. Most incremental streaming parsers do not use recursion so JSON etc do not have a problem at this level but deserializers and serializers do use recursion (except where optimized away as with But as per my above comment it may be relatively straight-forward to catch in this case (although you know the code better than I do so I could be wrong). |
This replaces the StackOverflowError with a StreamReadException with a proper message. Fixes #387
Also can be fixed by #398 |
fixed by #398 |
Dear jackson-dataformats-text developers, There was StackoverflowError[1] fixed in jackson-dataformats-text with [2]. A release was already published containing the fix. Do you consider to publish a security advisory? If you need assistance, we can request a CVE and keep you updated. [1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083 |
@henryrneh Yes, I think you can go ahead file for a CVE given the situation like you explained. |
please note this only affects the toml module |
Thanks @cowtowncoder @yawkat! |
@yawkat Yes, very important point. |
Dear jackson-dataformats-text developers,
Fuzzing has found a stack overflow in OSS-Fuzz with JVM Fuzzer Jazzer in jackson-dataformats-text. We have reviewed the finding and consider it security-related due to the potential of a denial of service.
Part of the crash stack trace:
== Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Stack overflow (use '-Xss921k' to reproduce)
at com.fasterxml.jackson.dataformat.toml.Parser.parseKeyVal(Parser.java:463)
at com.fasterxml.jackson.dataformat.toml.Parser.parseInlineTable(Parser.java:416)
at com.fasterxml.jackson.dataformat.toml.Parser.parseValue(Parser.java:229)
Caused by: java.lang.StackOverflowError
at com.fasterxml.jackson.dataformat.toml.Lexer.yylex(Lexer.java:755)
at com.fasterxml.jackson.dataformat.toml.Parser.poll(Parser.java:101)
at com.fasterxml.jackson.dataformat.toml.Parser.pollExpected(Parser.java:106)
at com.fasterxml.jackson.dataformat.toml.Parser.parseAndEnterKey(Parser.java:173)
at com.fasterxml.jackson.dataformat.toml.Parser.parseKeyVal(Parser.java:461)
at com.fasterxml.jackson.dataformat.toml.Parser.parseInlineTable(Parser.java:416)
at com.fasterxml.jackson.dataformat.toml.Parser.parseValue(Parser.java:229)
at com.fasterxml.jackson.dataformat.toml.Parser.parseKeyVal(Parser.java:463)
at com.fasterxml.jackson.dataformat.toml.Parser.parseInlineTable(Parser.java:416)
at com.fasterxml.jackson.dataformat.toml.Parser.parseValue(Parser.java:229)
at com.fasterxml.jackson.dataformat.toml.Parser.parseKeyVal(Parser.java:463)
at com.fasterxml.jackson.dataformat.toml.Parser.parseInlineTable(Parser.java:416)
at com.fasterxml.jackson.dataformat.toml.Parser.parseValue(Parser.java:229)
...
We have included a Reproducer zip which contains a README file that describes how to reproduce the issue.
Reproducer zip: 50083-jackson-dataformats-text-TOMLFuzzer.zip
We would appreciate if you could take a look into the findings!
OSS-Fuzz Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083
Hint: The provided OSS-Fuzz Issue links are only accessible if the issue gets fixed or if you are the maintainer of the OSS-Fuzz project.
Fuzz target: https://github.com/google/oss-fuzz/blob/master/projects/jackson-dataformats-text/TOMLFuzzer.java
The text was updated successfully, but these errors were encountered: