
Heap-buffer-overflow (OSS-Fuzz 1400) #575

Closed
nlohmann opened this issue May 7, 2017 · 3 comments
Assignees: nlohmann
Labels: confirmed, kind: bug, solution: proposed fix (a fix for the issue has been proposed and waits for confirmation)
Milestone: Release 3.0.0

Comments

nlohmann commented May 7, 2017

Detailed report: https://oss-fuzz.com/testcase?key=4618963768049664

Project: json
Fuzzer: afl_json_parse_afl_fuzzer
Fuzz target binary: parse_afl_fuzzer
Job Type: afl_asan_json
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x6020000000b2
Crash State:
std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<ch
nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<cha
nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<cha

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://oss-fuzz.com/revisions?job=afl_asan_json&range=201705051619:201705061619

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=4618963768049664


Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.

inputs.zip

nlohmann commented May 7, 2017

I can confirm the issue.

Running

#include <cstdint>
#include <vector>

#include "json.hpp"

using json = nlohmann::json;

int main()
{
    // Six input bytes: an escaped quote, a bare X, then two quotes. The
    // parse fails, and while building the error message for the unexpected
    // token (parser::expect -> lexer::get_token_string ->
    // input_buffer_adapter::read) the lexer reads past the end of this
    // 6-byte vector, which ASan reports in the trace that follows.
    std::vector<uint8_t> vec = {'"', '\\', '"', 'X', '"', '"'};
    json::parse(vec);
}

yields

=================================================================
==37294==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000cb96 at pc 0x00010014aef6 bp 0x7fff5fbfd260 sp 0x7fff5fbfca08
READ of size 2 at 0x60200000cb96 thread T0
    #0 0x10014aef5 in wrap_memmove (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4def5)
    #1 0x7fff8cf9740f in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::__init(char const*, unsigned long) (libc++.1.dylib:x86_64+0x3d40f)
    #2 0x1000081ee in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long long, unsigned long long, double, std::__1::allocator, nlohmann::adl_serializer>::input_buffer_adapter::read(unsigned long, unsigned long) string:2044
    #3 0x100028f68 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long long, unsigned long long, double, std::__1::allocator, nlohmann::adl_serializer>::lexer::get_token_string() const json.hpp:12354
    #4 0x10000e71b in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long long, unsigned long long, double, std::__1::allocator, nlohmann::adl_serializer>::parser::expect(nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long long, unsigned long long, double, std::__1::allocator, nlohmann::adl_serializer>::lexer::token_type) const json.hpp:12909
    #5 0x100006a3c in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long long, unsigned long long, double, std::__1::allocator, nlohmann::adl_serializer>::parser::parse(bool) json.hpp:12520
    #6 0x100004d95 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long long, unsigned long long, double, std::__1::allocator, nlohmann::adl_serializer> nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long long, unsigned long long, double, std::__1::allocator, nlohmann::adl_serializer>::parse<std::__1::__wrap_iter<unsigned char const*>, 0>(std::__1::__wrap_iter<unsigned char const*>, std::__1::__wrap_iter<unsigned char const*>, std::__1::function<bool (int, nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long long, unsigned long long, double, std::__1::allocator, nlohmann::adl_serializer>::parse_event_t, nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long long, unsigned long long, double, std::__1::allocator, nlohmann::adl_serializer>&)>) json.hpp:7538
    #7 0x100002384 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long long, unsigned long long, double, std::__1::allocator, nlohmann::adl_serializer> nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long long, unsigned long long, double, std::__1::allocator, nlohmann::adl_serializer>::parse<std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >, 0>(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, std::__1::function<bool (int, nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long long, unsigned long long, double, std::__1::allocator, nlohmann::adl_serializer>::parse_event_t, nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long long, unsigned long long, double, std::__1::allocator, nlohmann::adl_serializer>&)>) json.hpp:7595
    #8 0x100001a8d in main main.cpp:8
    #9 0x7fff8e3c8234 in start (libdyld.dylib:x86_64+0x5234)

0x60200000cb96 is located 0 bytes to the right of 6-byte region [0x60200000cb90,0x60200000cb96)
allocated by thread T0 here:
    #0 0x10015d76b in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x6076b)
    #1 0x100003db8 in std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >::allocate(unsigned long) new:169
    #2 0x1000017ef in main vector:1284
    #3 0x7fff8e3c8234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4def5) in wrap_memmove
Shadow bytes around the buggy address:
  0x1c0400001920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400001930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400001940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400001950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400001960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c0400001970: fa fa[06]fa fa fa 00 00 fa fa fd fd fa fa fd fd
  0x1c0400001980: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fa
  0x1c0400001990: fa fa fd fd fa fa fd fa fa fa 00 00 fa fa 00 00
  0x1c04000019a0: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fd
  0x1c04000019b0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x1c04000019c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==37294==ABORTING

nlohmann added a commit that referenced this issue May 7, 2017
I forgot to consider the offset.
nlohmann added the "solution: proposed fix" label May 7, 2017
nlohmann self-assigned this May 7, 2017
nlohmann added this to the Release 3.0.0 milestone May 7, 2017
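The trace above ends in input_buffer_adapter::read(offset, length) handing std::string a range that runs 0 bytes past a 6-byte heap region, and the commit message says the offset was not taken into account. The following is an added example, not nlohmann/json's own code: a small read-only view over a byte buffer whose read clamps both the offset and the length against the buffer size, beside the unchecked shape of the defect for contrast. The names byte_view, read_unchecked, read_checked, reproducer_bytes and window_at are hypothetical, and the sample input is the six bytes from the reproducer in this issue.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Added example, not the library's code. A minimal read-only view over an
// input buffer whose read(offset, length) must never hand std::string a
// range that extends past the end of the underlying storage.
class byte_view
{
  public:
    explicit byte_view(const std::vector<uint8_t>& buf)
        : data_(reinterpret_cast<const char*>(buf.data())), size_(buf.size()) {}

    // Unchecked pattern (hypothetical, shown only for contrast and never
    // called by the tests): only the length is compared against the buffer
    // size, so a nonzero offset near the end still reads past the buffer.
    std::string read_unchecked(std::size_t offset, std::size_t length) const
    {
        const std::size_t n = std::min(length, size_);
        return std::string(data_ + offset, n);   // out of bounds when offset + n > size_
    }

    // Hardened version: reject an offset at or beyond the end, then clamp the
    // length to the bytes that remain after the offset. Both bounds derive
    // from the buffer itself, so no (offset, length) pair can reach past it.
    std::string read_checked(std::size_t offset, std::size_t length) const
    {
        if (offset >= size_)
        {
            return std::string();   // nothing left to read
        }
        const std::size_t remaining = size_ - offset;
        return std::string(data_ + offset, std::min(length, remaining));
    }

  private:
    const char* data_;
    std::size_t size_;
};

// Constructed input: the same six bytes as the reproducer in this issue.
std::vector<uint8_t> reproducer_bytes()
{
    return {'"', '\\', '"', 'X', '"', '"'};
}

// Read a window of `length` bytes starting at `offset` from the reproducer
// input through the checked path. The vector outlives the view.
std::string window_at(std::size_t offset, std::size_t length)
{
    const std::vector<uint8_t> buf = reproducer_bytes();
    return byte_view(buf).read_checked(offset, length);
}

int main()
{
    // Asking for 4 bytes at offset 4 of a 6-byte buffer yields the 2 bytes
    // that exist instead of touching the redzone behind the vector.
    return window_at(4, 4) == "\"\"" ? 0 : 1;
}
```

The point of clamping against `size_ - offset` rather than against `size_` alone is that the check then holds for every offset, including the one a lexer reaches when the unexpected token sits at the very end of the input, which is exactly where the reproducer places it.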
nlohmann commented May 8, 2017

ClusterFuzz has detected this issue as fixed in range 201705061619:201705071618.

nlohmann commented May 8, 2017

Verified as closed.

nlohmann closed this as completed May 8, 2017