#include <stddef.h> #include <stdint.h> #include <jansson.h> int parseJson(const char *buffer, size_t buflen) { json_error_t error; json_t *root; json_t *obj; const char *str; double dValue; int iValue; root = json_loadb(buffer, buflen, 0, &error); if (root == NULL) { return 0; } obj = json_object_get(root, "dateTime"); if (json_is_string(obj)) { str = json_string_value(obj); } obj = json_object_get(root, "eventType"); if (json_is_string(obj)) { str = json_string_value(obj); } obj = json_object_get(root, "DependOnSequentialEvent"); if (json_is_object(obj)) { json_t *obj2; obj2 = json_object_get(obj, "valPercent"); if (json_is_real(obj2)) { dValue = json_real_value(obj2); } else if (json_is_integer(obj2)) { iValue = json_integer_value(obj2); } obj2 = json_object_get(obj, "alive"); if (json_is_string(obj2)) { str = json_string_value(obj2); } obj2 = json_object_get(obj, "isScript"); } return 0; } extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (size < 0) { return -1; } parseJson((const char *)data, size); return 0; }
I wrote a small parseJson harness around json_loadb(). Under libFuzzer it died with an out-of-memory report, and the saved artifact is an empty input.
I investigated with libFuzzer; the log below ends in an out-of-memory report, so this code may be hitting an OOM condition.
./fuzz input_json -- -dict=json.dict -detect_leaks=0 INFO: libFuzzer ignores flags that start with '--' Dictionary: 57 entries INFO: Running with entropic power schedule (0xFF, 100). INFO: Seed: 3030517605 INFO: Loaded 1 modules (1054 inline 8-bit counters): 1054 [0x557bc07c9820, 0x557bc07c9c3e), INFO: Loaded 1 PC tables (1054 PCs): 1054 [0x557bc07c9c40,0x557bc07cde20), INFO: 742 files found in input_json INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes INFO: seed corpus: files: 742 min: 1b max: 3646b total: 151477b rss: 31Mb #743 INITED cov: 90 ft: 120 corp: 3/6b exec/s: 0 rss: 42Mb #1048576 pulse cov: 90 ft: 120 corp: 3/6b lim: 4096 exec/s: 349525 rss: 357Mb #2097152 pulse cov: 90 ft: 120 corp: 3/6b lim: 4096 exec/s: 349525 rss: 569Mb #4194304 pulse cov: 90 ft: 120 corp: 3/6b lim: 4096 exec/s: 322638 rss: 633Mb #8388608 pulse cov: 90 ft: 120 corp: 3/6b lim: 4096 exec/s: 322638 rss: 759Mb #16777216 pulse cov: 90 ft: 120 corp: 3/6b lim: 4096 exec/s: 316551 rss: 1014Mb ^[ ``````#33554432 pulse cov: 90 ft: 120 corp: 3/6b lim: 4096 exec/s: 307838 rss: 1181Mb ==33608== ERROR: libFuzzer: out-of-memory (used: 2051Mb; limit: 2048Mb) To change the out-of-memory limit use -rss_limit_mb=<N> Live Heap Allocations: 1167797174 bytes in 21991387 chunks; quarantined: 23650313 bytes in 690183 chunks; 3169120 other chunks; total chunks: 25850690; showing top 95% (at most 8 unique contexts) 703690944 byte(s) (60%) in 10995171 allocation(s) #0 0x557bc072aa3e in malloc (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0xe3a3e) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b) #1 0x557bc076f6a5 in jsonp_malloc /home/user/fuzzing/jasson/jansson/src/memory.c:27:12 #2 0x557bc0775be0 in json_array /home/user/fuzzing/jasson/jansson/src/value.c:440:20 #3 0x557bc076efdb in parse_array /home/user/fuzzing/jasson/jansson/src/load.c:740:21 #4 0x557bc076a1f4 in parse_value /home/user/fuzzing/jasson/jansson/src/load.c:831:20 #5 0x557bc07671a9 in parse_json 
/home/user/fuzzing/jasson/jansson/src/load.c:863:14 #6 0x557bc07677fc in json_loadb /home/user/fuzzing/jasson/jansson/src/load.c:962:14 #7 0x557bc0765936 in parseJson(char const*, unsigned long) /home/user/fuzzing/jasson2/jansson/bin/lib/jassonfuzz.cc:19:10 #8 0x557bc0765fbe in LLVMFuzzerTestOneInput /home/user/fuzzing/jasson2/jansson/bin/lib/jassonfuzz.cc:70:3 #9 0x557bc068e3c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x473c3) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b) #10 0x557bc068db19 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x46b19) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b) #11 0x557bc068f309 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x48309) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b) #12 0x557bc068fe85 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x48e85) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b) #13 0x557bc067dfc2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x36fc2) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b) #14 0x557bc06a7cb2 in main (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x60cb2) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b) #15 0x7ffa05429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 439806840 byte(s) (37%) in 10995171 allocation(s) #0 0x557bc072aa3e in malloc (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0xe3a3e) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b) #1 0x557bc076f6a5 in jsonp_malloc /home/user/fuzzing/jasson/jansson/src/memory.c:27:12 #2 0x557bc0775b09 in json_array /home/user/fuzzing/jasson/jansson/src/value.c:432:27 #3 
0x557bc076efdb in parse_array /home/user/fuzzing/jasson/jansson/src/load.c:740:21 #4 0x557bc076a1f4 in parse_value /home/user/fuzzing/jasson/jansson/src/load.c:831:20 #5 0x557bc07671a9 in parse_json /home/user/fuzzing/jasson/jansson/src/load.c:863:14 #6 0x557bc07677fc in json_loadb /home/user/fuzzing/jasson/jansson/src/load.c:962:14 #7 0x557bc0765936 in parseJson(char const*, unsigned long) /home/user/fuzzing/jasson2/jansson/bin/lib/jassonfuzz.cc:19:10 #8 0x557bc0765fbe in LLVMFuzzerTestOneInput /home/user/fuzzing/jasson2/jansson/bin/lib/jassonfuzz.cc:70:3 #9 0x557bc068e3c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x473c3) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b) #10 0x557bc068db19 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x46b19) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b) #11 0x557bc068f309 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x48309) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b) #12 0x557bc068fe85 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x48e85) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b) #13 0x557bc067dfc2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x36fc2) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b) #14 0x557bc06a7cb2 in main (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x60cb2) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b) #15 0x7ffa05429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 MS: 5 ChangeByte-CrossOver-ShuffleBytes-EraseBytes-ShuffleBytes-; base unit: dd79c8cfb8beeacd0460429944b4ecbe95a31561 artifact_prefix='./'; Test unit written to 
./oom-da39a3ee5e6b4b0d3255bfef95601890afd80709 Base64: SUMMARY: libFuzzer: out-of-memory
Fuzzing harness:
#include <stddef.h> #include <stdint.h> #include "jansson.h" int parseJson(const char *buffer, size_t buflen) { json_error_t error; json_t *root; json_t *obj; const char *str; double dValue; int iValue; root = json_loadb(buffer, buflen, 0, &error); if (root == NULL) { return 0; } obj = json_object_get(root, "dateTime"); if (json_is_string(obj)) { str = json_string_value(obj); } obj = json_object_get(root, "eventType"); if (json_is_string(obj)) { str = json_string_value(obj); } obj = json_object_get(root, "DependOnSequentialEvent"); if (json_is_object(obj)) { json_t *obj2; obj2 = json_object_get(obj, "valPercent"); if (json_is_real(obj2)) { dValue = json_real_value(obj2); } else if (json_is_integer(obj2)) { iValue = json_integer_value(obj2); } obj2 = json_object_get(obj, "alive"); if (json_is_string(obj2)) { str = json_string_value(obj2); } obj2 = json_object_get(obj, "isScript"); } return 0; } extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (size < 0) { return -1; } parseJson((const char *)data", size); return 0; }
The saved test unit is empty (the report above prints nothing after "Base64:"):
cat oom-da39a3ee5e6b4b0d3255bfef95601890afd80709
I will triage this and do a root-cause analysis.
Sorry, this did not reproduce. Closing this issue.
I wrote a small parseJson harness around json_loadb(). Under libFuzzer it died with an out-of-memory report, and the saved artifact is an empty input.
I investigated with libFuzzer; the log above ends in an out-of-memory report, so this code may be hitting an OOM condition.
Fuzzing harness: