Vulnerability
As we all know, each function call establishes and maintains a stack frame for that call on the stack of the current thread, but the stack space of a process is limited. If a program keeps calling a recursive function, the stack space is consumed quickly; if the call is deep enough, the stack is exhausted and the infinite recursion turns into a stack overflow that crashes the program. The json_get_value_size function has exactly this vulnerability.
Specifically, in the json_get_value_size function there is a recursively nested branch that can be triggered easily. The figure below describes this recursive call chain: by continuously nesting objects and arrays in the JSON text, the three functions call each other repeatedly, forming unbounded recursion until the stack space is exhausted.
In short, json_get_value_size -> json_get_array_size -> json_get_value_size -> ... can be formed indefinitely. When such a recursive call is deep enough the stack space is exhausted, and all that is needed is continuously nested arrays in the JSON file, so exploitation is very simple.
This is the report given by AddressSanitizer when I trigger this vulnerability with the following code. You can use the crash file I provided to reproduce this vulnerability.
Please use gcc main.c -o main -fsanitize=address to compile.
cxing@DESKTOP:~/fuzz/fuzz-json/json.h$ ./main_fsanitize crash_1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2083807==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd1eae5f98 (pc 0x55a0ffa632b0 bp 0x7ffd1eae6060 sp 0x7ffd1eae5f90 T0)
    #0 0x55a0ffa632b0 in json_get_string_size /home/cxing/fuzz/fuzz-json/json.h/json.h:677
    #1 0x55a0ffa644eb in json_get_key_size /home/cxing/fuzz/fuzz-json/json.h/json.h:906
    #2 0x55a0ffa64a3e in json_get_object_size /home/cxing/fuzz/fuzz-json/json.h/json.h:996
    #3 0x55a0ffa66d1b in json_get_value_size /home/cxing/fuzz/fuzz-json/json.h/json.h:1381
    #4 0x55a0ffa6522c in json_get_array_size /home/cxing/fuzz/fuzz-json/json.h/json.h:1105
    #5 0x55a0ffa66d2c in json_get_value_size /home/cxing/fuzz/fuzz-json/json.h/json.h:1383
    #6 0x55a0ffa64cd6 in json_get_object_size /home/cxing/fuzz/fuzz-json/json.h/json.h:1028
    #7 0x55a0ffa66d1b in json_get_value_size /home/cxing/fuzz/fuzz-json/json.h/json.h:1381
    #8 0x55a0ffa6522c in json_get_array_size /home/cxing/fuzz/fuzz-json/json.h/json.h:1105
    #9 0x55a0ffa66d2c in json_get_value_size /home/cxing/fuzz/fuzz-json/json.h/json.h:1383
    #10 0x55a0ffa64cd6 in json_get_object_size /home/cxing/fuzz/fuzz-json/json.h/json.h:1028
    [frames #11 to #247 omitted: the same four-frame cycle json.h:1381 -> json.h:1105 -> json.h:1383 -> json.h:1028 repeats]
    #248 0x55a0ffa6522c in json_get_array_size /home/cxing/fuzz/fuzz-json/json.h/json.h:1105
SUMMARY: AddressSanitizer: stack-overflow /home/cxing/fuzz/fuzz-json/json.h/json.h:677 in json_get_string_size
==2083807==ABORTING
Urgent fix suggestion
A simple and effective way to deal with infinite recursion is to record the depth of function recursion in recursively nested functions, and terminate the parsing when the depth reaches a dangerous threshold.
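The depth counter described above, as an added example that is not json.h's own code: a hypothetical, self-contained scanner with the same value -> array/object -> value mutual recursion as the report's call chain, where every container level increments a counter and parsing stops with an error once the assumed MAX_NESTING_DEPTH threshold is exceeded. The names (scan_state, json_check_depth, check_nested_brackets) and the threshold value are assumptions; the nested-bracket input is constructed here.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sketch (not json.h's own code) of the value -> array/object -> value
 * recursion from the report, with the depth counter the fix suggestion describes. */
#define MAX_NESTING_DEPTH 64   /* assumed threshold; size it to the stack budget */

struct scan_state {
    const char *src;
    size_t len, offset, depth;  /* depth = arrays/objects currently open */
    int error;                  /* 0 ok, 1 syntax error, 2 nesting too deep */
};

static int fail(struct scan_state *st, int code) { st->error = code; return 0; }
static void skip_ws(struct scan_state *st) {
    while (st->offset < st->len && isspace((unsigned char)st->src[st->offset])) st->offset++;
}

static int scan_string(struct scan_state *st) {
    if (st->offset >= st->len || st->src[st->offset] != '"') return fail(st, 1);
    for (st->offset++; st->offset < st->len; st->offset++) {
        if (st->src[st->offset] == '\\') st->offset++;                 /* skip escaped char */
        else if (st->src[st->offset] == '"') { st->offset++; return 1; }
    }
    return fail(st, 1);
}

static int scan_value(struct scan_state *st);
/* Array (close == ']') or object (close == '}'); lenient about a trailing comma. */
static int scan_container(struct scan_state *st, char close) {
    /* The guard: every nesting level costs a stack frame, so refuse to go past the limit. */
    if (++st->depth > MAX_NESTING_DEPTH) return fail(st, 2);
    st->offset++;                                   /* consume '[' or '{' */
    for (;;) {
        skip_ws(st);
        if (st->offset >= st->len) return fail(st, 1);
        if (st->src[st->offset] == close) { st->offset++; st->depth--; return 1; }
        if (close == '}') {                         /* member: "key" : value */
            if (!scan_string(st)) return 0;
            skip_ws(st);
            if (st->offset >= st->len || st->src[st->offset] != ':') return fail(st, 1);
            st->offset++;
        }
        if (!scan_value(st)) return 0;              /* the recursive step */
        skip_ws(st);
        if (st->offset < st->len && st->src[st->offset] == ',') st->offset++;
        else if (st->offset >= st->len || st->src[st->offset] != close) return fail(st, 1);
    }
}

static int scan_value(struct scan_state *st) {
    skip_ws(st);
    if (st->offset >= st->len) return fail(st, 1);
    char c = st->src[st->offset];
    if (c == '[' || c == '{') return scan_container(st, c == '[' ? ']' : '}');
    if (c == '"') return scan_string(st);
    size_t start = st->offset;                      /* number, true, false, null */
    while (st->offset < st->len && !strchr(",]} \t\r\n", st->src[st->offset])) st->offset++;
    return st->offset > start ? 1 : fail(st, 1);
}

/* 0 = nests no deeper than MAX_NESTING_DEPTH, 1 = syntax error, 2 = depth limit hit. */
int json_check_depth(const char *src) {
    struct scan_state st = { src, strlen(src), 0, 0, 0 };
    if (!scan_value(&st)) return st.error;
    skip_ws(&st);
    return st.offset == st.len ? 0 : 1;
}

/* Constructed "[[[...]]]" input of the given depth, the shape the crash file relies on. */
int check_nested_brackets(size_t depth) {
    char *buf = malloc(2 * depth + 1);
    if (!buf) return -1;
    memset(buf, '[', depth); memset(buf + depth, ']', depth); buf[2 * depth] = '\0';
    int rc = json_check_depth(buf);
    free(buf);
    return rc;
}
```

With the guard in place, an input nested 65 levels deep returns error 2 after at most 65 frames of recursion instead of descending until the thread's stack runs out.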
Environment
Ubuntu 22.04 LTS, Linux 5.15.90.1-microsoft-standard-WSL2 #1 SMP Fri Jan 27 02:56:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
json.h commit: 06aa578
crash_1.zip