
BUG report

Open Sunzyuu opened this issue 9 months ago • 0 comments

I was recently using fuzzing to conduct security testing on msgpack-tools, and found a bug in json2msgpack. The specific information is as follows:

./json2msgpack -bli json2msgpack_poc -o /dev/null
AddressSanitizer:DEADLYSIGNAL
=================================================================
==73000==ERROR: AddressSanitizer: SEGV on unknown address 0x0000a00a51cc (pc 0x000000539d1a bp 0x7fffffffcf30 sp 0x7fffffffce20 T0)
==73000==The signal is caused by a READ memory access.
    #0 0x539d1a in rapidjson::internal::GetCachedPowerByIndex(unsigned long) /work/autofz/github/msgpack-tools/contrib/rapidjson/include/rapidjson/error/../internal/diyfp.h:223:18
    #1 0x539d1a in rapidjson::internal::GetCachedPower10(int, int*) /work/autofz/github/msgpack-tools/contrib/rapidjson/include/rapidjson/error/../internal/diyfp.h:243:13
    #2 0x539d1a in rapidjson::internal::StrtodDiyFp(char const*, unsigned long, unsigned long, int, double*) /work/autofz/github/msgpack-tools/contrib/rapidjson/include/rapidjson/error/../internal/strtod.h:154:25
    #3 0x537fca in rapidjson::internal::StrtodFullPrecision(double, int, char const*, unsigned long, unsigned long, int) /work/autofz/github/msgpack-tools/contrib/rapidjson/include/rapidjson/error/../internal/strtod.h:259:9
    #4 0x530652 in void rapidjson::GenericReader<rapidjson::UTF8<char>, rapidjson::UTF8<char>, rapidjson::CrtAllocator>::ParseNumber<184u, rapidjson::GenericStringStream<rapidjson::UTF8<char> >, rapidjson::GenericDocument<rapidjson::UTF8<char>, rapidjson::MemoryPoolAllocator<rapidjson::CrtAllocator>, rapidjson::CrtAllocator> >(rapidjson::GenericStringStream<rapidjson::UTF8<char> >&, rapidjson::GenericDocument<rapidjson::UTF8<char>, rapidjson::MemoryPoolAllocator<rapidjson::CrtAllocator>, rapidjson::CrtAllocator>&) /work/autofz/github/msgpack-tools/contrib/rapidjson/include/rapidjson/error/../reader.h:1362:24
    #5 0x525d27 in rapidjson::ParseResult rapidjson::GenericReader<rapidjson::UTF8<char>, rapidjson::UTF8<char>, rapidjson::CrtAllocator>::Parse<184u, rapidjson::GenericStringStream<rapidjson::UTF8<char> >, rapidjson::GenericDocument<rapidjson::UTF8<char>, rapidjson::MemoryPoolAllocator<rapidjson::CrtAllocator>, rapidjson::CrtAllocator> >(rapidjson::GenericStringStream<rapidjson::UTF8<char> >&, rapidjson::GenericDocument<rapidjson::UTF8<char>, rapidjson::MemoryPoolAllocator<rapidjson::CrtAllocator>, rapidjson::CrtAllocator>&) /work/autofz/github/msgpack-tools/contrib/rapidjson/include/rapidjson/error/../reader.h:501:13
    #6 0x525561 in rapidjson::GenericDocument<rapidjson::UTF8<char>, rapidjson::MemoryPoolAllocator<rapidjson::CrtAllocator>, rapidjson::CrtAllocator>& rapidjson::GenericDocument<rapidjson::UTF8<char>, rapidjson::MemoryPoolAllocator<rapidjson::CrtAllocator>, rapidjson::CrtAllocator>::ParseStream<184u, rapidjson::UTF8<char>, rapidjson::GenericStringStream<rapidjson::UTF8<char> > >(rapidjson::GenericStringStream<rapidjson::UTF8<char> >&) /work/autofz/github/msgpack-tools/contrib/rapidjson/include/rapidjson/document.h:2159:40
    #7 0x51fe49 in rapidjson::GenericDocument<rapidjson::UTF8<char>, rapidjson::MemoryPoolAllocator<rapidjson::CrtAllocator>, rapidjson::CrtAllocator>& rapidjson::GenericDocument<rapidjson::UTF8<char>, rapidjson::MemoryPoolAllocator<rapidjson::CrtAllocator>, rapidjson::CrtAllocator>::ParseStream<184u, rapidjson::GenericStringStream<rapidjson::UTF8<char> > >(rapidjson::GenericStringStream<rapidjson::UTF8<char> >&) /work/autofz/github/msgpack-tools/contrib/rapidjson/include/rapidjson/document.h:2175:16
    #8 0x51fe49 in convert(options_t*) /work/autofz/github/msgpack-tools/src/json2msgpack.cpp:302:22
    #9 0x51fe49 in main /work/autofz/github/msgpack-tools/src/json2msgpack.cpp:419:12
    #10 0x7ffff6b6383f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    #11 0x41cb78 in _start (/work/autofz/github/msgpack-tools/json2msgpack+0x41cb78)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /work/autofz/github/msgpack-tools/contrib/rapidjson/include/rapidjson/error/../internal/diyfp.h:223:18 in rapidjson::internal::GetCachedPowerByIndex(unsigned long)
==73000==ABORTING

The PoC that triggers the error is as follows: https://github.com/Sunzyuu/seed/blob/main/json2msgpack_poc. I hope my report will be of some help to msgpack-tools, thank you!

Sunzyuu avatar May 15 '24 08:05 Sunzyuu